Edit tour

Windows Analysis Report
ZwmyzMxFKL.exe

Overview

General Information

Sample name:	ZwmyzMxFKL.exe renamed because original name is a hash value
Original sample name:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Analysis ID:	1562418
MD5:	2fa4f19f9fb9e7a71d85aaf34d318178
SHA1:	2061483db691163ca0b1d04667d64e37af4c2fe0
SHA256:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769
Tags:	206-238-43-118exeuser-JAMESWT_MHT
Infos:

Detection

BlackMoon

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected BlackMoon Ransomware

Drops executables to the windows directory (C:\Windows) and starts them

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Abnormal high CPU Usage

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a global mouse hook

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

ZwmyzMxFKL.exe (PID: 2488 cmdline: "C:\Users\user\Desktop\ZwmyzMxFKL.exe" MD5: 2FA4F19F9FB9E7A71D85AAF34D318178)

ZwmyzMxFKL.exe (PID: 1668 cmdline: "C:\Users\user\Desktop\ZwmyzMxFKL.exe" /i "C:\Program Files (x86)\WindowsInstallerFQ\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\DnLIMGKCARTO" SECONDSEQUENCE="1" CLIENTPROCESSID="2488" AI_MORE_CMD_LINE=1 MD5: 2FA4F19F9FB9E7A71D85AAF34D318178)

msiexec.exe (PID: 5012 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6216 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7E6189B68D04BCCC687811EFCABCB7B7 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 4560 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 2D3D4FA1C75486B2FBEFE9E283CEBF24 MD5: 9D09DC1EDA745A5F87553048E57620CF)

MSIF1CE.tmp (PID: 6108 cmdline: "C:\Windows\Installer\MSIF1CE.tmp" MD5: BE4ED0D3AA0B2573927A046620106B13)

e8a0d5af432b7e64DBD.exe (PID: 5840 cmdline: "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU" -o"C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73" -pe6ab90d5741a3329XSJ -aos -y MD5: FAE7D0A530279838C8A5731B086A081B)

conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

e8a0d5af432b7e64DBD.exe (PID: 6088 cmdline: "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\408dd7481cc3.KWR" -o"C:\Program Files (x86)\DnLIMGKCARTO" -pd90abf5032721ffaBCX -aos -y MD5: FAE7D0A530279838C8A5731B086A081B)

conhost.exe (PID: 1280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

e8a0d5af432b7e64DBD.exe (PID: 6716 cmdline: "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX" -o"C:\Users\user\AppData\Roaming" -p5ccac7f27f4c789fFPK -aos -y MD5: FAE7D0A530279838C8A5731B086A081B)

conhost.exe (PID: 2348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Bor32-update-flase.exe (PID: 1052 cmdline: "C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe" MD5: 938C33C54819D6CE8D731B68D9C37E38)

Bor32-update-flase.exe (PID: 3816 cmdline: "C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe" MD5: 938C33C54819D6CE8D731B68D9C37E38)

Haloonoroff.exe (PID: 3476 cmdline: "C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe" MD5: 0D318144BD23BA1A72CC06FE19CB3F0C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
KrBanker, BlackMoon	ThreatPost describes KRBanker (Blackmoon) as a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques.	No Attribution	http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/ https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/ https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/	https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\DnLIMGKCARTO\ramuser.dll	Gandcrab	Gandcrab Payload	kevoreilly	0xdbd00:$string1: GDCB-DECRYPT.txt
C:\Program Files (x86)\DnLIMGKCARTO\qex.dll	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\rtl120.bpl	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000009.00000003.2536019030.00000000034E6000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000000F.00000000.2588994186.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: e8a0d5af432b7e64DBD.exe PID: 5840	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Bor32-update-flase.exe PID: 3816	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.Bor32-update-flase.exe.308950e.8.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
18.2.Bor32-update-flase.exe.308950e.8.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x45ba:$s1: blackmoon 0x45fa:$s2: BlackMoon RunTime Error:
15.0.Bor32-update-flase.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
18.2.Bor32-update-flase.exe.308950e.8.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
18.2.Bor32-update-flase.exe.308950e.8.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x45ba:$s1: blackmoon 0x45fa:$s2: BlackMoon RunTime Error:

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T15:22:22.671051+0100	2052875	1	A Network Trojan was detected	192.168.2.6	49800	206.238.43.118	63569	TCP
2024-11-25T15:23:22.881761+0100	2052875	1	A Network Trojan was detected	192.168.2.6	49800	206.238.43.118	63569	TCP
2024-11-25T15:25:00.847100+0100	2052875	1	A Network Trojan was detected	192.168.2.6	49992	206.238.43.118	63569	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: ZwmyzMxFKL.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe

File opened: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.VC90.CRT\msvcr90.dll

Source: ZwmyzMxFKL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wininet.pdb source: ZwmyzMxFKL.exe, 00000000.00000003.2205932646.0000000005AAD000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287973947.0000000003454000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\oDayProtect.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000052B9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\ddvsm\out\Intermediate\vscommon\perfwatson2.csproj_FB008427_ret\objr\amd64\PerfWatson2.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScan.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp100.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004C94000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-21885936\cayman_zlib\build\release\win32_vc140\zlib\build\zlib1.pdb$$ source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000005611000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLayoutMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQPCHwNetwork.pdbRR#GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmauthd-log\win32\release\vmauthd.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622859\src\x\x86_ntvbld\objfre_win7_x86\i386\ntvbld.pdb` source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQFileFlt.pdb.. GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-19436861\cayman_gettext\gettext\MSVC14\libintl_dll\Release\libintl_dll.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\gitproj\7z2201-src\CPP\7zip\UI\Console\Release\Console.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000000.2509814537.0000000000EB8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000002.2563722076.0000000000EB8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000002.2579228395.0000000000EB8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000000.2564720225.0000000000EB8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000D.00000002.2582161674.0000000000EB8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000D.00000000.2580311769.0000000000EB8000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb!! source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLayoutMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\MemDefrag.pdbII#GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\obj\VS\Microsoft.VisualStudio.Web.Host\Release\Microsoft.VisualStudio.Web.Host.pdbf source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\HTTPRequest.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScanX64.pdb'' GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdb% source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630195593.00000000006F8000.00000040.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLib.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.0000000004180000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMEventBus.pdb source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScan.pdbLL%GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mfc90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004938000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\etcp5.0\Release\etcp.pdb source: Bor32-update-flase.exe, 00000012.00000002.2630195593.00000000006F0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: libEGL.dll.pdbs source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr80.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp120.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004DBB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2635879280.000000006B941000.00000020.00000001.01000000.00000016.sdmp
Source:	Binary string: E:\8168\vc98\dev\bin\vcspawn.pdbMZ source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-19436861\cayman_gettext\gettext\MSVC14\libintl_dll\Release\libintl_dll.pdb11 source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr120.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMDns.pdbDD!GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar32\Release\RAR.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallerAnalytics.pdbz source: ZwmyzMxFKL.exe, 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMDns.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp110.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004C94000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwCommonUI.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wininet.pdbUGP source: ZwmyzMxFKL.exe, 00000000.00000003.2205932646.0000000005AAD000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287973947.0000000003454000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622869\src\x\x64_ntvbld\objfre_win7_amd64\amd64\ntvbld64.pdbL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\oDayProtect.pdbAA#GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622859\src\x\x86_ntvbld\objfre_win7_x86\i386\ntvbld.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: h:\ch1\src\sandbox\wow_helper\wow_helper.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp80.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004DBB000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\8168\vc98\dev\bin\vcspawn.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMEventBus.pdbZZ source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr110.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\419058\out\Release\360AppCore.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQPCHwNetwork.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\fhbemb\src\bin\Release\fhjyy.pdb source: MSIF1CE.tmp, 00000008.00000002.2583131691.000000000033E000.00000002.00000001.01000000.0000000B.sdmp, MSIF1CE.tmp, 00000008.00000000.2507945484.000000000033E000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\test\intelligentDemo\PackageMgr\Release\PackageMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScanX64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\kwlogsvr.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMAVProxy.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLib.pdbp source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: h:\ch1\src\sandbox\wow_helper\wow_helper.pdbp source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004DBB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-19188697\cayman_glib\glib\src\build\win32\vs14\Release\Win32\bin\gmodule-2.0.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\fhbemb\src\bin\Release_NL\fhbmini.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, Haloonoroff.exe, 00000013.00000000.2616993472.000000000083E000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\368203\out\Release\HipsLog.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: ZwmyzMxFKL.exe, ZwmyzMxFKL.exe, 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmp, ZwmyzMxFKL.exe, 00000000.00000000.2147860998.0000000000F09000.00000002.00000001.01000000.00000003.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2590257935.0000000000F09000.00000002.00000001.01000000.00000003.sdmp, ZwmyzMxFKL.exe, 00000004.00000000.2275584066.0000000000F09000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb.. source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004DBB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMRtpDLL.pdbWW'GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQFileFlt.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004DBB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: libEGL.dll.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\WallPaper_feihuo\windows\FFWallpaper\bin\Release\bfcipc.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \WallPaper\windows\FFWallpaper\bin\Release\FFWallpaper.pdb source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622869\src\x\x64_ntvbld\objfre_win7_amd64\amd64\ntvbld64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb-- source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-21885936\cayman_zlib\build\release\win32_vc140\zlib\build\zlib1.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000005611000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\obj\VS\Microsoft.VisualStudio.Web.Host\Release\Microsoft.VisualStudio.Web.Host.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMRtpDLL.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\MemDefrag.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\basichttp\win32\release\basichttp.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallerAnalytics.pdb source: ZwmyzMxFKL.exe, 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\test\intelligentDemo\PackageMgr\Release\PackageMgr.pdb//' source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMAVProxy.pdb__(GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: z:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: x:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: v:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: t:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: r:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: p:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: n:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: l:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: j:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: h:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: f:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: b:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: y:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: w:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: u:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: s:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: q:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: o:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: m:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: k:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: i:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: g:
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: e:
Source: C:\Windows\Installer\MSIF1CE.tmp	File opened: c:	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File opened: a:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File opened: [:

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E10640 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_00E10640
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00DEB1B0 FindFirstFileW,GetLastError,FindClose,	0_2_00DEB1B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E1A4B0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00E1A4B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CF0880 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW,	0_2_00CF0880
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E1A8B0 FindFirstFileW,FindClose,	0_2_00E1A8B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00DEA850 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00DEA850
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00DEABE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,	0_2_00DEABE0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00DF8F30 FindFirstFileW,FindClose,FindClose,	0_2_00DF8F30
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00DCFE80 FindFirstFileW,FindNextFileW,FindClose,	0_2_00DCFE80
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CA97870 FindFirstFileW,FindClose,GetLastError,FindClose,	0_2_6CA97870
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CA8D070 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,	0_2_6CA8D070
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CAB6B85 FindFirstFileExW,	0_2_6CAB6B85
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00DEB1B0 FindFirstFileW,GetLastError,FindClose,	4_2_00DEB1B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00DEABE0 FindFirstFileW,	4_2_00DEABE0
Source: C:\Windows\Installer\MSIF1CE.tmp	Code function: 8_2_003374DA FindFirstFileExW,	8_2_003374DA
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E38BA4 __EH_prolog3_GS,FindFirstFileA,FindFirstFileW,FindFirstFileW,	9_2_00E38BA4
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E9D528 FindFirstFileExA,	9_2_00E9D528
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E9D7E0 FindFirstFileExW,FindClose,FindNextFileW,	9_2_00E9D7E0
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E9D9C1 FindFirstFileExW,	9_2_00E9D9C1
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E9D996 FindFirstFileExA,	9_2_00E9D996

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00E19310 _wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00E19310

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.6:49800 -> 206.238.43.118:63569
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.6:49992 -> 206.238.43.118:63569

Source: global traffic

TCP traffic: 192.168.2.6:49800 -> 206.238.43.118:63569

Source: Joe Sandbox View

ASN Name: COGENT-174US COGENT-174US

Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118

Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: "https://www.facebook.com/iobitsoft equals www.facebook.com (Facebook)
Source: ZwmyzMxFKL.exe, 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmp, ZwmyzMxFKL.exe, 00000000.00000000.2147860998.0000000000F09000.00000002.00000001.01000000.00000003.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2590257935.0000000000F09000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: FlashWindowExFlashWindowGetPackagePathKernel32.dllhttp://www.google.comTESTtin9999.tmphttp://www.yahoo.comhttp://www.example.com.partGET "filenameattachment=123POSTcharsetDLDISO-8859-1US-ASCIIutf-8utf-16FTP Server/AdvancedInstallerLocal Network ServerIf-Modified-Since: %s equals www.yahoo.com (Yahoo)
Source: ZwmyzMxFKL.exe	String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)

Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004938000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ftp://http://HTTP/1.0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/active.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/moreuse.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/multi_app/app_db3promote.php?action=insert
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/other/db_driverinstall.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/other/db_extlink_download.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/other/db_temp_download.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/other/insert.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/usage.php
Source: ZwmyzMxFKL.exe, 00000004.00000003.2586501143.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2587981849.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicerU
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ZwmyzMxFKL.exe, 00000000.00000003.2175846719.000000000176D000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175517693.000000000176C000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175487993.0000000001760000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2594343676.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2278584230.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2279165055.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287743677.0000000003DEA000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000005611000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000005611000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ZwmyzMxFKL.exe, 00000000.00000003.2513804375.000000000174E000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.2603677394.000000000174F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175846719.000000000176D000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175517693.000000000176C000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175487993.0000000001760000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2599593475.0000000001743000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2586501143.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287759693.0000000003DE6000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2594343676.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2587981849.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2278584230.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2279165055.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287743677.0000000003DEA000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ZwmyzMxFKL.exe, 00000000.00000003.2175846719.000000000176D000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175517693.000000000176C000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175487993.0000000001760000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2594343676.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2278584230.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2279165055.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287743677.0000000003DEA000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000005611000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ZwmyzMxFKL.exe, ZwmyzMxFKL.exe, 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://collect.installeranalytics.com
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004C94000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004938000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175517693.000000000176C000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175487993.0000000001760000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2594343676.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2278584230.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2279165055.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287743677.0000000003DEA000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000005611000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000005611000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ZwmyzMxFKL.exe, 00000000.00000003.2513804375.000000000174E000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.2603677394.000000000174F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175846719.000000000176D000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175517693.000000000176C000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175487993.0000000001760000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2599593475.0000000001743000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2586501143.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287759693.0000000003DE6000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2594343676.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2587981849.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2278584230.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2279165055.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287743677.0000000003DEA000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ZwmyzMxFKL.exe, 00000004.00000003.2586501143.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2587981849.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCo
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000005611000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: ZwmyzMxFKL.exe, 00000000.00000003.2602423040.000000000171F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.2603568860.000000000171F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2601827374.000000000171F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2586501143.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2587981849.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: ZwmyzMxFKL.exe, 00000004.00000003.2586501143.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2587981849.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: ZwmyzMxFKL.exe, 00000000.00000003.2513804375.000000000174E000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.2603677394.000000000174F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175846719.000000000176D000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2599593475.0000000001743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab6a
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2635759542.000000006B296000.00000008.00000001.01000000.0000001F.sdmp	String found in binary or memory: http://curl.haxx.se/V
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2635759542.000000006B296000.00000008.00000001.01000000.0000001F.sdmp	String found in binary or memory: http://curl.haxx.se/docs/copyright.htmlDVarFileInfo$
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2635580623.000000006B282000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: http://curl.haxx.se/docs/http-cookies.html
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ec.360bc.cnhttp://www.eyybc.com/forumdisplay.php?fid=17/memcp.php/ip.asp/time.asp/gonggao.txt
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://forums.iobit.com/forum/driver-booster/driver-booster-5
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://forums.iobit.com/showthread.php?t=16792
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://idb.iobit.com/check.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://install-log.kuwo.cn/music.yl
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://klog.kuwo.cn/music.yl
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://klog.kuwo.cn/music.ylhttp://install-log.kuwo.cn/music.ylhttp://log.kuwo.cn/music.ylrwSend
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://log.kuwo.cn/music.yl
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000005611000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: ZwmyzMxFKL.exe, 00000000.00000002.2604819232.0000000006310000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175846719.000000000176D000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175517693.000000000176C000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175487993.0000000001760000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2586501143.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2594343676.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2587981849.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2278584230.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2279165055.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287743677.0000000003DEA000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000005611000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: ZwmyzMxFKL.exe, 00000000.00000003.2175846719.000000000176D000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175517693.000000000176C000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175487993.0000000001760000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2594343676.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2278584230.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2279165055.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287743677.0000000003DEA000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000005611000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: ZwmyzMxFKL.exe, 00000000.00000003.2513804375.000000000174E000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.2603677394.000000000174F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175846719.000000000176D000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175517693.000000000176C000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2175487993.0000000001760000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2599593475.0000000001743000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2586501143.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287759693.0000000003DE6000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2594343676.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2587981849.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2278584230.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2279165055.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287743677.0000000003DEA000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004C94000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004938000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com0_
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcd.com0&
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stats.iobit.com/active_day.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stats.iobit.com/active_month.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stats.iobit.com/register.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stats.iotransfer.net/active.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sw.symcd.com0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://t2.symcb.com0
Source: ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcd.com0&
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004C94000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004938000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004C94000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004938000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004C94000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004938000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://update.iobit.com/infofiles/db2/Freeware-db.upt
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://update.iobit.com/infofiles/db2/db2_free.upt
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://update.iobit.com/infofiles/db2/db2_oth.upt
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://update.iobit.com/infofiles/db2/db2_pro.upt
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://update.iobit.com/infofiles/db3/embhtml/update.upt
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://updatestats.cd4o.com/api.php?act=update
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.360.cn
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.bsplayer.com
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cd4o.com/drivers/
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cd4o.com/drivers/wlst/v.json
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000005611000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ZwmyzMxFKL.exe	String found in binary or memory: http://www.google.com
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/language-subtag-registry
Source: Bor32-update-flase.exe, 00000012.00000002.2629993420.00000000006AD000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=activateweb
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=activateweb-%d
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=bannerbuy
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=compare
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=dbproduct
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=download
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=expired
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=faq
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=feature
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=feedback
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=filerupt
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=forum
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=gaexpired
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=help
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=helptranslate
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=htmlfailed
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=index
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=install
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=likefb
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=lostcode
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=multipcexpired
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=othupdate
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=proupdate
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=purchase
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=purchase-%d
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=regexpired
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=reggaexpired
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=regovermax
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=revokedkey
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=update
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=usermanual
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=vertoold
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/cloud/db/index.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/compare/db/index.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/driver-booster-pro.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/faq.php?product=db
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/feedback/db/feedback.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/goto.php?id=dbproregister
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/goto.php?id=dbsurvey
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/goto.php?id=likefb01_DB
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/goto.php?id=plusgp01_DB
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/goto.php?id=plusgp01_DBU
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/hotquestions-db.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/install/db/index.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/lostcode.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/productfeedback.php?product=driver-booster
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004C94000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004938000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kuwo.cn0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ludashi.com0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/rfc/bcp/bcp47.txt
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.super-ec.cn
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.com
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll1.2.3
Source: ZwmyzMxFKL.exe	String found in binary or memory: http://www.yahoo.com
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000005611000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.zlib.net/D
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/BaiZhu/Request
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/DesktopComponent/GetPopupList
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/Device/ClientHardwareConfig
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/LockWallpaper/Get
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/LockWallpaper/Gethttps://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaperht
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaper
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/adApi/plugRecommendNew
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/adApi/plugRecommendNew%s?channel=%shttps://bizhi.hfnuola.com/pc/desktop
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/agg/StartUp
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/agg/hour
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/desktopSubject
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/fhbzApi/checkFile
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/v/AfterLocalSet
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/v/AfterLocalSethttps://bizhi.hfnuola.com/pc/DesktopComponent/GetPopupLi
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/v/FilterPayWallpaper
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/v/wallpaperInfoMulti
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/v/wallpaperInfoMulti%sFFSL.exe
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhiweb.hfnuola.com/clientNew/index.html
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhiweb.hfnuola.com/clientNew/index.htmlchrome-error://chromewebdata_err:firstNav_
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhiweb.hfnuola.com/web/advertising.html?type=
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhiweb.hfnuola.com/web/advertising.html?type=9IagJ4qlKos8A8lm
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhiweb.hfnuola.com/web/vip.htmlhttps://bizhiweb.hfnuola.com/web/payNew.html%s?channel=%s&p
Source: ZwmyzMxFKL.exe, ZwmyzMxFKL.exe, 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://collect.installeranalytics.com
Source: ZwmyzMxFKL.exe, 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0)
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hao.360.cnstrtolwcstombsmbstowcsiexplore.exe360chrome.exe360se.exeSafehmpgHelperkslaunchwsaf
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://idea.hfnuola.com
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://idea.hfnuola.com20012rgbautoStartauto_start_slienthideDesktopIconpauseVidoset_mute_on_fullsc
Source: ZwmyzMxFKL.exe	String found in binary or memory: https://installeranalytics.com
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://logs.hfnuola.com
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://s1.driverboosterscan.com/worker.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://s2.driverboosterscan.com/worker.php
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0B
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/iobitsoft
Source: ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.advancedinstaller.com
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630607163.0000000000B14000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/03
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gnu.org/licenses/
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.hfnuola.com
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.hfnuola.com/select
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.itrus.com.cn0
Source: ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/cps0/
Source: ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/repository0W

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00DCA2A0 SendMessageW,GetParent,GetParent,GetWindowRect,GetParent,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,MapWindowPoints,FillRect,DeleteDC,SendMessageW,SendMessageW,SendMessageW,

0_2_00DCA2A0

Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_8f67c917-5

Source: Yara match

File source: Process Memory Space: e8a0d5af432b7e64DBD.exe PID: 5840, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Yara detected BlackMoon Ransomware

Source: Yara match	File source: 18.2.Bor32-update-flase.exe.308950e.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Bor32-update-flase.exe.308950e.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bor32-update-flase.exe PID: 3816, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 18.2.Bor32-update-flase.exe.308950e.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 18.2.Bor32-update-flase.exe.308950e.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: C:\Program Files (x86)\DnLIMGKCARTO\ramuser.dll, type: DROPPED	Matched rule: Gandcrab Payload Author: kevoreilly

Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E2F0D0 NtdllDefWindowProc_W,	0_2_00E2F0D0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00DA7A10 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,	0_2_00DA7A10
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CF2390 KillTimer,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,	0_2_00CF2390
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D8C330 NtdllDefWindowProc_W,	0_2_00D8C330
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CE44A0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00CE44A0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CEE540 NtdllDefWindowProc_W,	0_2_00CEE540
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CEE6B0 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00CEE6B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CE4BC0 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString,	0_2_00CE4BC0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D410D0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00D410D0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CE7190 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,	0_2_00CE7190
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CE5220 NtdllDefWindowProc_W,	0_2_00CE5220
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D058F0 NtdllDefWindowProc_W,	0_2_00D058F0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CE78B0 NtdllDefWindowProc_W,	0_2_00CE78B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CF7AC0 NtdllDefWindowProc_W,	0_2_00CF7AC0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CE7E70 NtdllDefWindowProc_W,	0_2_00CE7E70
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00DA7A10 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,	4_2_00DA7A10
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00D410D0 NtdllDefWindowProc_W,	4_2_00D410D0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CE7190 NtdllDefWindowProc_W,	4_2_00CE7190
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CE5220 NtdllDefWindowProc_W,	4_2_00CE5220
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CF2390 NtdllDefWindowProc_W,DeleteCriticalSection,	4_2_00CF2390
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00D8C330 NtdllDefWindowProc_W,	4_2_00D8C330
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CE44A0 NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,NtdllDefWindowProc_W,	4_2_00CE44A0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CEE540 NtdllDefWindowProc_W,	4_2_00CEE540
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CEE6B0 NtdllDefWindowProc_W,	4_2_00CEE6B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00D058F0 NtdllDefWindowProc_W,	4_2_00D058F0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CE78B0 NtdllDefWindowProc_W,	4_2_00CE78B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CF7AC0 NtdllDefWindowProc_W,	4_2_00CF7AC0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CE7E70 NtdllDefWindowProc_W,	4_2_00CE7E70

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe

Code function: 9_2_00E3A063: __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z,__EH_prolog3,GetFileInformationByHandle,DeviceIoControl,

9_2_00E3A063

Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe

File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGXlong.sys

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\629ca1.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9ED3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F41.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F71.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB5C9.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB5F9.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBEC4.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBF03.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC00E.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIECCC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF1CE.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\SysWOW64\libjyy.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI9ED3.tmp

Jump to behavior

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E04CA0	0_2_00E04CA0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CF8080	0_2_00CF8080
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CFC116	0_2_00CFC116
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CFC127	0_2_00CFC127
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CF4200	0_2_00CF4200
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CD45FE	0_2_00CD45FE
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D445B0	0_2_00D445B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CF0880	0_2_00CF0880
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E94860	0_2_00E94860
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CEEAF0	0_2_00CEEAF0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00DCAA20	0_2_00DCAA20
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E9CBBA	0_2_00E9CBBA
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00DFCFD0	0_2_00DFCFD0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CD3010	0_2_00CD3010
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E8D24E	0_2_00E8D24E
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CFF4E0	0_2_00CFF4E0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CFB461	0_2_00CFB461
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00EA1639	0_2_00EA1639
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E9F711	0_2_00E9F711
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CFDAC0	0_2_00CFDAC0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00EA7AA7	0_2_00EA7AA7
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CA7DB00	0_2_6CA7DB00
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CA8D070	0_2_6CA8D070
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CAA7C1A	0_2_6CAA7C1A
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CAB8DC0	0_2_6CAB8DC0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CAB9FE7	0_2_6CAB9FE7
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CAA788C	0_2_6CAA788C
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CAB3B89	0_2_6CAB3B89
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CF8080	4_2_00CF8080
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CD3010	4_2_00CD3010
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00D20160	4_2_00D20160
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CF4200	4_2_00CF4200
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CFF4E0	4_2_00CFF4E0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CFB461	4_2_00CFB461
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CD45FE	4_2_00CD45FE
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00D445B0	4_2_00D445B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00EA1639	4_2_00EA1639
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00E9F711	4_2_00E9F711
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CFDAC0	4_2_00CFDAC0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00CEEAF0	4_2_00CEEAF0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00DCAA20	4_2_00DCAA20
Source: C:\Windows\Installer\MSIF1CE.tmp	Code function: 8_2_0033D237	8_2_0033D237
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E523DA	9_2_00E523DA
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E5E319	9_2_00E5E319
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E545F7	9_2_00E545F7
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E6EB3E	9_2_00E6EB3E
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E3C09C	9_2_00E3C09C
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00EAC140	9_2_00EAC140
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E90104	9_2_00E90104
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E6C111	9_2_00E6C111
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E90361	9_2_00E90361
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E905BE	9_2_00E905BE
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E76565	9_2_00E76565
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00EAC680	9_2_00EAC680
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E44712	9_2_00E44712
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E7A8BE	9_2_00E7A8BE
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E9082A	9_2_00E9082A
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E4EAC4	9_2_00E4EAC4
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E58A0D	9_2_00E58A0D
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00EACB30	9_2_00EACB30
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00EAACC2	9_2_00EAACC2
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E68EC1	9_2_00E68EC1
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E4AE29	9_2_00E4AE29
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E8EF0B	9_2_00E8EF0B
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E8F13A	9_2_00E8F13A
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E31000	9_2_00E31000
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00EAD25F	9_2_00EAD25F
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E57395	9_2_00E57395
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E8F374	9_2_00E8F374
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E4F352	9_2_00E4F352
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E834AD	9_2_00E834AD
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E3D490	9_2_00E3D490
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E515F5	9_2_00E515F5
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E8F5A3	9_2_00E8F5A3
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E4D6F3	9_2_00E4D6F3
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E8F7D2	9_2_00E8F7D2
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E4F783	9_2_00E4F783
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00EB1890	9_2_00EB1890
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E659C7	9_2_00E659C7
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00EB196B	9_2_00EB196B
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E8FA0C	9_2_00E8FA0C
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E4FCAB	9_2_00E4FCAB
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E8FC3B	9_2_00E8FC3B
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E8FE98	9_2_00E8FE98

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe

Process token adjusted: Security

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00CD7D00 appears 684 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00E9E2CD appears 34 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00CF0880 appears 46 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00CD9800 appears 61 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00E82072 appears 33 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00CD70B0 appears 44 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00E84A5A appears 42 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00E85370 appears 39 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00CD7270 appears 40 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00CD92A0 appears 64 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00CD7160 appears 97 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00CDE300 appears 50 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00DE82C0 appears 58 times
Source: C:\Windows\Installer\MSIF1CE.tmp	Code function: String function: 003329E0 appears 33 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00E73225 appears 36 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00E80FCC appears 87 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00E9BEAC appears 35 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00E7325C appears 36 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00E731A7 appears 31 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00E731BA appears 36 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00E731F1 appears 337 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00E99CD9 appears 60 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00E72F70 appears 66 times

Source: ZwmyzMxFKL.exe

Static PE information: invalid certificate

Source: ZwmyzMxFKL.exe	Static PE information: Resource name: RT_VERSION type: PDP-11 overlaid pure executable not stripped
Source: safe505.dll.2.dr	Static PE information: Resource name: RCDATA_PE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: safehmpg.dll.2.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: SpeedldSetting.dll.2.dr	Static PE information: Resource name: CITYCODE type: Zip archive data, at least v1.0 to extract, compression method=store
Source: uniconft64.dll.2.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: ZwmyzMxFKL.exe, 00000000.00000003.2205932646.0000000005AAD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000004.00000003.2287973947.0000000003454000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs ZwmyzMxFKL.exe

Source: ZwmyzMxFKL.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 18.2.Bor32-update-flase.exe.308950e.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 18.2.Bor32-update-flase.exe.308950e.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: C:\Program Files (x86)\DnLIMGKCARTO\ramuser.dll, type: DROPPED	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload

Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: D:\dbs\el\ddvsm\out\Intermediate\vscommon\perfwatson2.csproj_FB008427_ret\objr\amd64\PerfWatson2.pdb

Source: classification engine

Classification label: mal84.rans.evad.winEXE@23/427@0/1

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00DEE5B0 FormatMessageW,GetLastError,

0_2_00DEE5B0

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E4828A GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		9_2_00E4828A
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E3B687 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,FreeLibrary,		9_2_00E3B687

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe

Code function: 9_2_00E3B385 __ehhandler$?_Init@?$numpunct@D@std@@IAEXABV_Locinfo@2@@Z,__EH_prolog3,GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceW,

9_2_00E3B385

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00E33E80 CoCreateInstance,

0_2_00E33E80

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00CD9160 LoadResource,LockResource,SizeofResource,

0_2_00CD9160

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

File created: C:\Program Files (x86)\WindowsInstallerFQ

Jump to behavior

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

File created: C:\Users\user\AppData\Local\AdvinstAnalytics

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_03
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Mutant created: \Sessions\1\BaseNamedObjects\??
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Mutant created: \Sessions\1\BaseNamedObjects\NIpizDg64rfvhLyrCQMywaHQBENjzMv1R6uEoR8NfcvFEqARIU

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

File created: C:\Users\user\AppData\Local\Temp\INAF03F.tmp

Jump to behavior

Source: Yara match	File source: 15.0.Bor32-update-flase.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000003.2536019030.00000000034E6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.2588994186.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\rtl120.bpl, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe, type: DROPPED

Source: ZwmyzMxFKL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ZwmyzMxFKL.exe, 00000000.00000003.2599862594.00000000064A9000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.2605227782.00000000064A9000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2601950300.00000000064A9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SELECT `Message` FROM `Error` WHERE `Error` = 1709;

Source: ZwmyzMxFKL.exe

String found in binary or memory: https://installeranalytics.com

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

File read: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ZwmyzMxFKL.exe "C:\Users\user\Desktop\ZwmyzMxFKL.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7E6189B68D04BCCC687811EFCABCB7B7 C
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Process created: C:\Users\user\Desktop\ZwmyzMxFKL.exe "C:\Users\user\Desktop\ZwmyzMxFKL.exe" /i "C:\Program Files (x86)\WindowsInstallerFQ\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\DnLIMGKCARTO" SECONDSEQUENCE="1" CLIENTPROCESSID="2488" AI_MORE_CMD_LINE=1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2D3D4FA1C75486B2FBEFE9E283CEBF24
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIF1CE.tmp "C:\Windows\Installer\MSIF1CE.tmp"
Source: C:\Windows\Installer\MSIF1CE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU" -o"C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73" -pe6ab90d5741a3329XSJ -aos -y
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Installer\MSIF1CE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\408dd7481cc3.KWR" -o"C:\Program Files (x86)\DnLIMGKCARTO" -pd90abf5032721ffaBCX -aos -y
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Installer\MSIF1CE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX" -o"C:\Users\user\AppData\Roaming" -p5ccac7f27f4c789fFPK -aos -y
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe "C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe"
Source: unknown	Process created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe "C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe"
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Process created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe "C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe"
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Process created: C:\Users\user\Desktop\ZwmyzMxFKL.exe "C:\Users\user\Desktop\ZwmyzMxFKL.exe" /i "C:\Program Files (x86)\WindowsInstallerFQ\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\DnLIMGKCARTO" SECONDSEQUENCE="1" CLIENTPROCESSID="2488" AI_MORE_CMD_LINE=1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7E6189B68D04BCCC687811EFCABCB7B7 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2D3D4FA1C75486B2FBEFE9E283CEBF24	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIF1CE.tmp "C:\Windows\Installer\MSIF1CE.tmp"	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU" -o"C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73" -pe6ab90d5741a3329XSJ -aos -y	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\408dd7481cc3.KWR" -o"C:\Program Files (x86)\DnLIMGKCARTO" -pd90abf5032721ffaBCX -aos -y	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX" -o"C:\Users\user\AppData\Roaming" -p5ccac7f27f4c789fFPK -aos -y	Jump to behavior
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Process created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe "C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe"

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: libjyy.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: upsdk.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: tdpcontrol.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: tdpstat.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: libcurl.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: tdpinfo.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: wship6.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: hipsdiamain.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: msvcr100.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: napinsp.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: wshbth.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: winrnr.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: libmini.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: netdevenvspeed.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: dinput8.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: hid.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: ksuser.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: avrt.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: audioses.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: midimap.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Section loaded: msvfw32.dll

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

File written: C:\Users\user\AppData\Local\AdvinstAnalytics\6627be3e20a59ade4c1add8b\1.1.6\tracking.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: ZwmyzMxFKL.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ZwmyzMxFKL.exe

Static file information: File size 58031336 > 1048576

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe

File opened: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.VC90.CRT\msvcr90.dll

Source: ZwmyzMxFKL.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x237c00

Source: ZwmyzMxFKL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ZwmyzMxFKL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ZwmyzMxFKL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ZwmyzMxFKL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ZwmyzMxFKL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ZwmyzMxFKL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ZwmyzMxFKL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ZwmyzMxFKL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wininet.pdb source: ZwmyzMxFKL.exe, 00000000.00000003.2205932646.0000000005AAD000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287973947.0000000003454000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\oDayProtect.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000052B9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\ddvsm\out\Intermediate\vscommon\perfwatson2.csproj_FB008427_ret\objr\amd64\PerfWatson2.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScan.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp100.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004C94000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-21885936\cayman_zlib\build\release\win32_vc140\zlib\build\zlib1.pdb$$ source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000005611000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLayoutMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQPCHwNetwork.pdbRR#GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmauthd-log\win32\release\vmauthd.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622859\src\x\x86_ntvbld\objfre_win7_x86\i386\ntvbld.pdb` source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQFileFlt.pdb.. GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-19436861\cayman_gettext\gettext\MSVC14\libintl_dll\Release\libintl_dll.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\gitproj\7z2201-src\CPP\7zip\UI\Console\Release\Console.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000000.2509814537.0000000000EB8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000002.2563722076.0000000000EB8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000002.2579228395.0000000000EB8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000000.2564720225.0000000000EB8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000D.00000002.2582161674.0000000000EB8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000D.00000000.2580311769.0000000000EB8000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb!! source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLayoutMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\MemDefrag.pdbII#GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\obj\VS\Microsoft.VisualStudio.Web.Host\Release\Microsoft.VisualStudio.Web.Host.pdbf source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\HTTPRequest.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScanX64.pdb'' GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdb% source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2630195593.00000000006F8000.00000040.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLib.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.0000000004180000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMEventBus.pdb source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScan.pdbLL%GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mfc90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004938000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\etcp5.0\Release\etcp.pdb source: Bor32-update-flase.exe, 00000012.00000002.2630195593.00000000006F0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: libEGL.dll.pdbs source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr80.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp120.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004DBB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2635879280.000000006B941000.00000020.00000001.01000000.00000016.sdmp
Source:	Binary string: E:\8168\vc98\dev\bin\vcspawn.pdbMZ source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-19436861\cayman_gettext\gettext\MSVC14\libintl_dll\Release\libintl_dll.pdb11 source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr120.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMDns.pdbDD!GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar32\Release\RAR.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallerAnalytics.pdbz source: ZwmyzMxFKL.exe, 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMDns.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp110.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004C94000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwCommonUI.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wininet.pdbUGP source: ZwmyzMxFKL.exe, 00000000.00000003.2205932646.0000000005AAD000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287973947.0000000003454000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622869\src\x\x64_ntvbld\objfre_win7_amd64\amd64\ntvbld64.pdbL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\oDayProtect.pdbAA#GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622859\src\x\x86_ntvbld\objfre_win7_x86\i386\ntvbld.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: h:\ch1\src\sandbox\wow_helper\wow_helper.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp80.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004DBB000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\8168\vc98\dev\bin\vcspawn.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMEventBus.pdbZZ source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr110.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\419058\out\Release\360AppCore.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576780854.000000000418E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2576367223.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQPCHwNetwork.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\fhbemb\src\bin\Release\fhjyy.pdb source: MSIF1CE.tmp, 00000008.00000002.2583131691.000000000033E000.00000002.00000001.01000000.0000000B.sdmp, MSIF1CE.tmp, 00000008.00000000.2507945484.000000000033E000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\test\intelligentDemo\PackageMgr\Release\PackageMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScanX64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\kwlogsvr.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMAVProxy.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLib.pdbp source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: h:\ch1\src\sandbox\wow_helper\wow_helper.pdbp source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004DBB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-19188697\cayman_glib\glib\src\build\win32\vs14\Release\Win32\bin\gmodule-2.0.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\fhbemb\src\bin\Release_NL\fhbmini.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, Haloonoroff.exe, 00000013.00000000.2616993472.000000000083E000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\368203\out\Release\HipsLog.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: ZwmyzMxFKL.exe, ZwmyzMxFKL.exe, 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmp, ZwmyzMxFKL.exe, 00000000.00000000.2147860998.0000000000F09000.00000002.00000001.01000000.00000003.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2590257935.0000000000F09000.00000002.00000001.01000000.00000003.sdmp, ZwmyzMxFKL.exe, 00000004.00000000.2275584066.0000000000F09000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb.. source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004DBB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMRtpDLL.pdbWW'GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQFileFlt.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004DBB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: libEGL.dll.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\WallPaper_feihuo\windows\FFWallpaper\bin\Release\bfcipc.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \WallPaper\windows\FFWallpaper\bin\Release\FFWallpaper.pdb source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622869\src\x\x64_ntvbld\objfre_win7_amd64\amd64\ntvbld64.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb-- source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-21885936\cayman_zlib\build\release\win32_vc140\zlib\build\zlib1.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000005611000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\obj\VS\Microsoft.VisualStudio.Web.Host\Release\Microsoft.VisualStudio.Web.Host.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMRtpDLL.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\MemDefrag.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\basichttp\win32\release\basichttp.pdb source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallerAnalytics.pdb source: ZwmyzMxFKL.exe, 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\test\intelligentDemo\PackageMgr\Release\PackageMgr.pdb//' source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMAVProxy.pdb__(GCTL source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp

Source: ZwmyzMxFKL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ZwmyzMxFKL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ZwmyzMxFKL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ZwmyzMxFKL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ZwmyzMxFKL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: shiF07E.tmp.0.dr

Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00DEE740 LoadLibraryW,GetProcAddress,LoadImageW,FreeLibrary,

0_2_00DEE740

Source: initial sample

Static PE information: section where entry point is pointing to: .code1

Source: shiF07E.tmp.0.dr	Static PE information: section name: .wpp_sf
Source: shiF07E.tmp.0.dr	Static PE information: section name: .didat
Source: Safelive.dll.2.dr	Static PE information: section name: .IShareO
Source: safemon64.dll.2.dr	Static PE information: section name: .share
Source: safemonhlp.dll.2.dr	Static PE information: section name: .manifst
Source: shell360ext.dll.2.dr	Static PE information: section name: .orpc
Source: shell360ext64.dll.2.dr	Static PE information: section name: .orpc
Source: Sites64.dll.2.dr	Static PE information: section name: text
Source: SiteUIProxy.dll.2.dr	Static PE information: section name: shared
Source: SMLLauncher.dll.2.dr	Static PE information: section name: .menu_sh
Source: SMLLauncher64.dll.2.dr	Static PE information: section name: .menu_sh
Source: spsafe.dll.2.dr	Static PE information: section name: .share
Source: spsafe.dll.2.dr	Static PE information: section name: .hlpsec
Source: spsafe64.dll.2.dr	Static PE information: section name: .share
Source: spsafe64.dll.2.dr	Static PE information: section name: .detourd
Source: spsafe64.dll.2.dr	Static PE information: section name: .detourc
Source: spsafe64.dll.2.dr	Static PE information: section name: .hlpsec
Source: vccorlib140.dll.2.dr	Static PE information: section name: minATL
Source: WdHPFileSafe.dll.2.dr	Static PE information: section name: .MAGIC
Source: WdHPFileSafe.dll.2.dr	Static PE information: section name: QProtect
Source: WdHPFileSafe64.dll.2.dr	Static PE information: section name: .MAGIC
Source: WdHPFileSafe64.dll.2.dr	Static PE information: section name: .code0
Source: WdHPFileSafe64.dll.2.dr	Static PE information: section name: .code1
Source: uni_links_desktop_plugin.dll.2.dr	Static PE information: section name: _RDATA
Source: url_launcher_windows_plugin.dll.2.dr	Static PE information: section name: _RDATA
Source: window_manager_plugin.dll.2.dr	Static PE information: section name: _RDATA
Source: window_size_plugin.dll.2.dr	Static PE information: section name: _RDATA
Source: NetmTray.dll.2.dr	Static PE information: section name: .menu_sh
Source: NetmTray64.dll.2.dr	Static PE information: section name: .menu_sh
Source: npaxlogin.dll.2.dr	Static PE information: section name: .orpc
Source: Ntvbld64.dll.2.dr	Static PE information: section name: .share

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_06797DA0 pushad ; ret	0_3_06797DA1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E851AE push ecx; ret	0_2_00E851C1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00DCB3E0 push ecx; mov dword ptr [esp], 3F800000h	0_2_00DCB516
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CEB860 push ecx; mov dword ptr [esp], ecx	0_2_00CEB861
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CA558F5 push edi; retn 0004h	0_2_6CA558F6
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CA548D8 push E86CB00Ah; iretd	0_2_6CA548DD
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00E851AE push ecx; ret	4_2_00E851C1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00DCB3E0 push ecx; mov dword ptr [esp], 3F800000h	4_2_00DCB516

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSIF1CE.tmp

Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe

File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGXlong.sys

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\netmstart.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vcruntime140.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Local\Temp\6494656\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSIFD44.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBEC4.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\safewrapper32.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\settingcentercfg.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\swverify64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\rtl120.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\Ntvbld64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Local\Temp\6493640\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wdui3.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\mcommu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wdres.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\KwLayoutMgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SpeedUp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\safe505.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NetDiagDll.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\lockkrnl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\safemonhlp.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shi8AA2.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\hipslog.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yhregd.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\KwCommonUI.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\TPClnVM.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIECCC.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vclx120.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\UninstAgent.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F71.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wuhelp.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Local\Temp\6494718\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NetmLogin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB5F9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\qutmload.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wddisam.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\libmini.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcr120.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.VC90.CRT\msvcr90.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\vxproto.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\vcruntime140.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\RX.EXE	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NetSpeed.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp80.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\PSpendZ.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QMRtpDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSIFD04.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSI85B4.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QMAVProxy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrLiteBase.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SxWrapper.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\ebHost.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\KwLib.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\vcruntime140_1.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\BBC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSI85E4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wdtHelper.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\fhjyy.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\HipsdiaMain.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\StartSD.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\7z.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.VC90.CRT\msvcp90.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBF03.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9ED3.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMEventBus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF1CE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\ramuser.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QMOfficeScanX64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\TDPSTAT.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shi7D41.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp100.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\npaxlogin.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\SysWOW64\libjyy.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Watson2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\lzmaextractor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\vccorlib140.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\madBasic_.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\np360SoftMgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\X64For32Lib.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMAVProxy.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcr110.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\UnifyCommon.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\swverify32.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\lco.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\shi9BD5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SomProxy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F41.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wdexhelper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\safehmpg64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\spsafe64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp140_2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\qutmvd.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\PackageMgr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSIFDC3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\webprotect.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\zlib1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSI8E2.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\TDPCONTROL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\QseCore.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\sites.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\MiniUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\safemon64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\window_size_plugin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wuhelp64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SiteUIProxy.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Local\Temp\6493578\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\zip.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\NetDevenvSpeed.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\WDRecord.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\shiF07E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\UninstDisplay.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.VC90.MFC\mfc90.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\uniconft64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\url_launcher_windows_plugin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\svcMonitor.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\ATellPhon	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\shell360ext64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\PopSoftEng.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\qroscfg.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\XLGameUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\urlproc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\safewrapper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\sysmon.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\oDayProtect.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Local\Temp\6494625\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QQFileFlt.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NetmTray.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QMOfficeScan.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\ntvbld.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrExt64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SXIn.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\iopdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File created: C:\Users\user\AppData\Local\Temp\13072\....\Microsoft.TransCompositib.msi (copy)	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\TDPINFO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp110.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SomAdvUtils.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr110.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Local\Temp\6494687\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SomPlugin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\Safelive.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\7z.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\spsafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140_1.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\MemDefrag.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\mobileflux.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Ntvbld64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSIFD74.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SoftUpdate.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QMDns.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SysSweeper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\WiFiSafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\OTGContainer.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\bpchelper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NetmonEP.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\PackageMgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\TuserEx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\qutmipc.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrExt.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\shell360ext.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vcl120.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\APXhttp.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Agent	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\Sites64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\INAF03F.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\intl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NetDefender.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\pp_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\UPSDK.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SpeedupOpt.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\statslib.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\madExcept_.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wdzerop.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\ToastImage.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File created: C:\Users\user\AppData\Local\Temp\25838\....\Microsoft.TransCompositia.msi (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB5C9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wdexhelperx64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcr80.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QQPCHwNetwork.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\WHelp.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\libcurl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wdefence.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SpeedldSetting.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\TrashClean.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SXIn64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NetmTray64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\oDayProtect.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shi8A15.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\DrawContent\DrawContentNoname.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\Tuser.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\KwLogSvr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SelfProtectAPI2.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\libcurl.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\rar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wdui2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\UDiskScanuser.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp110.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File created: C:\Users\user\AppData\Local\Temp\1732544537\....\Microsoft.TransCompositio.msi (copy)	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vmauthd.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\madDisAsm_.bpl	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140_2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NotifyDown.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcr90.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shi7DCF.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF13B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\sysoptm.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF1D8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\uniconft.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSIFE60.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\window_manager_plugin.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Local\Temp\6493546\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\Netgm.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\probe.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SMWebProxy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\sysfilerepS.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\qex.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSIFEAF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\PDown.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\http.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\zpthdo.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\safehmpg.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.Bcl.AsyncInterfaces.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\APXmodule-2.0.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\ntvbld.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\bfcipc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\pluginmgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMDns.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\sbmon.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\WindowInjection.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vcruntime140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\zeropmgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr100.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\N0vaDesktop.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\uni_links_desktop_plugin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NewKernel.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB5F9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB5C9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\SysWOW64\libjyy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBF03.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9ED3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF1CE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBEC4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIECCC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F71.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F41.tmp	Jump to dropped file

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\madBasic_.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\madDisAsm_.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\madExcept_.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\rtl120.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vcl120.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vclx120.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Agent	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\ATellPhon	Jump to dropped file

Source: C:\Windows\Installer\MSIF1CE.tmp

Code function: 8_2_6BB410C0 ProcessMain,_memset,CoInitialize,CoCreateGuid,CoCreateGuid,swprintf,CoUninitialize,_memset,lstrlenW,lstrlenW,RegCreateKeyW,RegSetValueExW,RegCreateKeyW,lstrlenW,RegSetValueExW,RegCloseKey,RegCloseKey,RegCreateKeyW,lstrlenW,RegSetValueExW,RegCloseKey,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,__wcsrev,_memset,lstrcatW,lstrcatW,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,_memset,wsprintfW,wsprintfW,_memset,wsprintfW,_memset,wsprintfW,_memset,ShellExecuteExW,ShellExecuteExW,WaitForSingleObject,WaitForSingleObject,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,

8_2_6BB410C0

Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Zpkaeob141422srg

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: C:\Program Files (x86)\DnLIMGKCARTO\qex.dll, type: DROPPED

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\msiexec.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	System information queried: FirmwareTableInformation			Jump to behavior

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File opened / queried: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\themes\ovfenv-vmware.xsd
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File opened / queried: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\themes\ovf-vmware.xsd

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: GetAdaptersInfo,GetAdaptersInfo,

0_2_6CA75B60

Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe

Thread delayed: delay time: 86400000

Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Window / User API: threadDelayed 579
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Window / User API: threadDelayed 1679
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Window / User API: threadDelayed 2978
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Window / User API: foregroundWindowGot 1761

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\netmstart.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6494656\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFD44.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIBEC4.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\safewrapper32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\settingcentercfg.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\swverify64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\rtl120.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6493640\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\Ntvbld64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wdui3.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\mcommu.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\KwLayoutMgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wdres.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SpeedUp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\safe505.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NetDiagDll.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\lockkrnl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\safemonhlp.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi8AA2.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\hipslog.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yhregd.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\KwCommonUI.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\TPClnVM.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIECCC.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vclx120.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\UninstAgent.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9F71.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wuhelp.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6494718\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NetmLogin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB5F9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\qutmload.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wddisam.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcr120.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.VC90.CRT\msvcr90.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\vxproto.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\vcruntime140.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\RX.EXE	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NetSpeed.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp80.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QMRtpDLL.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\PSpendZ.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFD04.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI85B4.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QMAVProxy.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\ebHost.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrLiteBase.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SxWrapper.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\KwLib.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI85E4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wdtHelper.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp100.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\7z.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\StartSD.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.VC90.CRT\msvcp90.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIBF03.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9ED3.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMEventBus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\ramuser.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QMOfficeScanX64.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi7D41.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\npaxlogin.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Watson2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\vccorlib140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\lzmaextractor.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\madBasic_.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\np360SoftMgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\X64For32Lib.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMAVProxy.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcr110.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\swverify32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\UnifyCommon.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\lco.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi9BD5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SomProxy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wdexhelper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9F41.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\safehmpg64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp140_2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\spsafe64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\qutmvd.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\PackageMgr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFDC3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\webprotect.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\zlib1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8E2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\QseCore.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\sites.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\MiniUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\safemon64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\window_size_plugin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SiteUIProxy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wuhelp64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6493578\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\zip.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\WDRecord.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiF07E.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.VC90.MFC\mfc90.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\UninstDisplay.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\url_launcher_windows_plugin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\uniconft64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\svcMonitor.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\ATellPhon	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\shell360ext64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\PopSoftEng.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\qroscfg.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\XLGameUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\urlproc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\safewrapper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\sysmon.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\oDayProtect.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6494625\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QQFileFlt.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NetmTray.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QMOfficeScan.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\ntvbld.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrExt64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SXIn.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\iopdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\13072\....\Microsoft.TransCompositib.msi (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp110.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SomAdvUtils.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr110.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6494687\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SomPlugin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\Safelive.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\7z.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\spsafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140_1.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\MemDefrag.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\mobileflux.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Ntvbld64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SoftUpdate.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFD74.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QMDns.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SysSweeper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\WiFiSafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\OTGContainer.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\bpchelper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NetmonEP.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\PackageMgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\qutmipc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\TuserEx.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrExt.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\shell360ext.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vcl120.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\APXhttp.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Agent	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\INAF03F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\Sites64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\intl.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\pp_helper.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NetDefender.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SpeedupOpt.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\statslib.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\madExcept_.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wdzerop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\25838\....\Microsoft.TransCompositia.msi (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\ToastImage.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB5C9.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcr80.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QQPCHwNetwork.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wdexhelperx64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\WHelp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wdefence.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SpeedldSetting.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\TrashClean.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SXIn64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NetmTray64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\oDayProtect.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi8A15.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\DrawContent\DrawContentNoname.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\Tuser.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\KwLogSvr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SelfProtectAPI2.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\rar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\UDiskScanuser.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wdui2.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp110.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vmauthd.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\madDisAsm_.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140_2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NotifyDown.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcr90.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi7DCF.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF13B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\sysoptm.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF1D8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\uniconft.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFE60.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6493546\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\window_manager_plugin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\Netgm.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\probe.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SMWebProxy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\sysfilerepS.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\qex.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFEAF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\PDown.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\http.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\zpthdo.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.Bcl.AsyncInterfaces.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\safehmpg.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\APXmodule-2.0.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\ntvbld.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\bfcipc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\pluginmgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMDns.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\sbmon.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\WindowInjection.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vcruntime140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\zeropmgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\N0vaDesktop.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\uni_links_desktop_plugin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NewKernel.dll	Jump to dropped file

Source: C:\Windows\Installer\MSIF1CE.tmp

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

API coverage: 8.5 %

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe TID: 4152	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe TID: 3704	Thread sleep time: -432000000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe TID: 4928	Thread sleep time: -579000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe TID: 4872	Thread sleep time: -109000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe TID: 5208	Thread sleep time: -112000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe TID: 6008	Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe TID: 4928	Thread sleep time: -2978000s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File Volume queried: C:\Program Files (x86) FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerFQ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerFQ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E10640 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_00E10640
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00DEB1B0 FindFirstFileW,GetLastError,FindClose,	0_2_00DEB1B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E1A4B0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00E1A4B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CF0880 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW,	0_2_00CF0880
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E1A8B0 FindFirstFileW,FindClose,	0_2_00E1A8B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00DEA850 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00DEA850
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00DEABE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,	0_2_00DEABE0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00DF8F30 FindFirstFileW,FindClose,FindClose,	0_2_00DF8F30
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00DCFE80 FindFirstFileW,FindNextFileW,FindClose,	0_2_00DCFE80
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CA97870 FindFirstFileW,FindClose,GetLastError,FindClose,	0_2_6CA97870
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CA8D070 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,	0_2_6CA8D070
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CAB6B85 FindFirstFileExW,	0_2_6CAB6B85
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00DEB1B0 FindFirstFileW,GetLastError,FindClose,	4_2_00DEB1B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00DEABE0 FindFirstFileW,	4_2_00DEABE0
Source: C:\Windows\Installer\MSIF1CE.tmp	Code function: 8_2_003374DA FindFirstFileExW,	8_2_003374DA
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E38BA4 __EH_prolog3_GS,FindFirstFileA,FindFirstFileW,FindFirstFileW,	9_2_00E38BA4
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E9D528 FindFirstFileExA,	9_2_00E9D528
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E9D7E0 FindFirstFileExW,FindClose,FindNextFileW,	9_2_00E9D7E0
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E9D9C1 FindFirstFileExW,	9_2_00E9D9C1
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E9D996 FindFirstFileExA,	9_2_00E9D996

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00E19310 _wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00E19310

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00E819D1 VirtualQuery,GetSystemInfo,

0_2_00E819D1

Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Thread delayed: delay time: 86400000
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Thread delayed: delay time: 30000

Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CompanyNameVMware, Inc.b
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <description>"VMware Authorization Service"</description>
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-vmx.exe%s%c..%c%svmware-vmx-debug.exevmware-vmx-stats.exeNo ticket found
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: StartVirtualMachines%s: Failed to retrieve info from %%ALLUSERSPROFILE%%%s.
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMwareAutostartServiceVMAutostartRunServiceStarting service control dispatcher
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[vmwarestring.dll??0string@utf@@QAE@ABV01@@Z??0string@utf@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z??0string@utf@@QAE@ABV_bstr_t@@@Z??0string@utf@@QAE@ABVubstr_t@@@Z??0string@utf@@QAE@ABVustring@Glib@@@Z??0string@utf@@QAE@PBD@Z??0string@utf@@QAE@PBDW4StringEncoding@@@Z??0string@utf@@QAE@PB_W@Z??0string@utf@@QAE@XZ??1string@utf@@QAE@XZ??4string@utf@@QAEAAV01@V01@@Z??8string@utf@@QBE_NABV01@@Z??9string@utf@@QBE_NABV01@@Z??Astring@utf@@QBEII@Z??Bstring@utf@@QBE?BVubstr_t@@XZ??Bstring@utf@@QBEABVustring@Glib@@XZ??Hstring@utf@@QBE?AV01@ABV01@@Z??Hstring@utf@@QBE?AV01@I@Z??Mstring@utf@@QBE_NABV01@@Z??Nstring@utf@@QBE_NABV01@@Z??Ostring@utf@@QBE_NABV01@@Z??Pstring@utf@@QBE_NABV01@@Z??Ystring@utf@@QAEAAV01@ABV01@@Z??Ystring@utf@@QAEAAV01@I@Z?CopyAndFree@utf@@YA?AVstring@1@PADP6AXPAX@Z@Z?CreateWithBOMBuffer@utf@@YA?AVstring@1@PBXH@Z?CreateWithLength@utf@@YA?AVstring@1@PBXHW4StringEncoding@@@Z?CreateWritableBuffer@utf@@YAXABVstring@1@AAV?$vector@DV?$allocator@D@std@@@std@@@Z?CreateWritableBuffer@utf@@YAXABVstring@1@AAV?$vector@_WV?$allocator@_W@std@@@std@@@Z?GetUtf16Cache@string@utf@@ABEPB_WXZ?IntToStr@utf@@YA?AVstring@1@_J@Z?InvalidateCache@string@utf@@AAEXXZ?Validate@utf@@YA_NABVustring@Glib@@@Z?__autoclassinit2@string@utf@@QAEXI@Z?append@string@utf@@QAEAAV12@ABV12@@Z?append@string@utf@@QAEAAV12@ABV12@II@Z?append@string@utf@@QAEAAV12@PBDI@Z?assign@string@utf@@QAEAAV12@ABV12@@Z?begin@string@utf@@QAE?AV?$ustring_Iterator@V?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@XZ?begin@string@utf@@QBE?AV?$ustring_Iterator@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@XZ?bytes@string@utf@@QBEIXZ?c_str@string@utf@@QBEPBDXZ?clear@string@utf@@QAEXXZ?compare@string@utf@@QBEHABV12@_N@Z?compare@string@utf@@QBEHIIABV12@@Z?compareLength@string@utf@@QBEHABV12@I_N@Z?compareRange@string@utf@@QBEHIIABV12@II_N@Z?empty@string@utf@@QBE_NXZ?end@string@utf@@QAE?AV?$ustring_Iterator@V?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@XZ?end@string@utf@@QBE?AV?$ustring_Iterator@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@XZ?endsWith@string@utf@@QBE_NABV12@_N@Z?erase@string@utf@@QAE?AV?$ustring_Iterator@V?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@V34@0@Z?erase@string@utf@@QAE?AV?$ustring_Iterator@V?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@V34@@Z?erase@string@utf@@QAEAAV12@II@Z?find@string@utf@@QBEIABV12@I@Z?find@string@utf@@QBEIII@Z?find_first_not_of@string@utf@@QBEIABV12@I@Z?find_first_not_of@string@utf@@QBEIII@Z?find_first_of@string@utf@@QBEIABV12@I@Z?find_first_of@string@utf@@QBEIII@Z?find_last_not_of@string@utf@@QBEIABV12@I@Z?find_last_not_of@string@utf@@QBEIII@Z?find_last_of@string@utf@@QBEIABV12@I@Z?find_last_of@string@utf@@QBEIII@Z?foldCase@string@utf@@QBE?AV12@XZ?insert@string@utf@@QAEAAV
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: name="VMware.VMware.vmauthd"
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PANIC: %s599 vmware-authd PANIC: %s
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb!!
Source: MSIF1CE.tmp, 00000008.00000002.2583613291.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: ZwmyzMxFKL.exe, 00000000.00000003.2600677563.000000000648C000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2205533134.000000000648C000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2202784867.000000000648D000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.2605043902.000000000648C000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2514036789.000000000648C000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2599958859.000000000648C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwarebase.DLL
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Unicode_TrimRightvmwarebase.DLL
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 17.5.0 build-22583795VMware Workstation%s Authentication Daemon Version %u.%u for %s %s
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2562562631.0000000000F88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VGXVGX/HoursBrokerVGX/HoursBroker/DrawContentVGX/Microsoft.VC90.CRTVGX/Microsoft.VC90.MFCVGX/OptimizatVGX/Optimizat/pluginsVGX/Optimizat/themesVGX/pluginsVGX/plugins/RunHoursVGX/UtilsVGX/versionVGX/BoukenVGX/BoukenPVGX/Browser_2VGX/AgentVGX/APKwait.batVGX/ATellPhonVGX/bbnn.rbgVGX/Blend.visualelementsmanifest.xmlVGX/Browser_1VGX/BseziofVGX/cbg.sigVGX/cdm.sigVGX/chrome_200_percent.pakVGX/contribscr.iniVGX/cor.sigVGX/DataTransform.iniVGX/dmEetfzcFeMLeUVbVGX/HoursBroker/CIM_ResourceAllocationSettingData.xsdVGX/HoursBroker/CIM_VirtualSystemSettingData.xsdVGX/HoursBroker/common.xsdVGX/HoursBroker/hi.pakVGX/HoursBroker/hr.pakVGX/HoursBroker/hu.pakVGX/HoursBroker/li.datVGX/HoursBroker/LICENSE.3rdVGX/HoursBroker/LICENSE.libcodecsVGX/HoursBroker/LICENSE.libdtVGX/HoursBroker/livehis.datVGX/HoursBroker/Microsoft.VC80.ATL.manifestVGX/HoursBroker/Microsoft.VC80.CRT.manifestVGX/HoursBroker/package.jsonVGX/HoursBroker/rpi.datVGX/HoursBroker/slist.datVGX/HoursBroker/versionVGX/HoursBroker/xml.xsdVGX/intchar32VGX/intchar64VGX/LastnamaVGX/LastnameVGX/LastnymcVGX/libtemp.batVGX/LostVGX/LostHeVGX/LostPVGX/LostPHeVGX/LostPSheVGX/LostSheVGX/madBasic_.bplVGX/madDisAsm_.bplVGX/madExcept_.bplVGX/Microsoft.VC80.ATL.manifestVGX/Microsoft.VC80.CRT.manifestVGX/Microsoft.VC90.CRT/Microsoft.VC90.CRT.manifestVGX/Microsoft.VC90.MFC/Microsoft.VC90.MFC.manifestVGX/Microsoft_VC90_CRT_manifestVGX/NetSpeedLogVGX/NULL.binVGX/NVIDIA_GeForce_Experience_jsonVGX/Optimizat/plugins/am.pakVGX/Optimizat/plugins/ar.pakVGX/Optimizat/plugins/bg.pakVGX/Optimizat/plugins/Microsoft.VC80.ATL.manifestVGX/Optimizat/plugins/Microsoft.VC80.CRT.manifestVGX/Optimizat/plugins/vd.icoVGX/Optimizat/plugins/versionVGX/Optimizat/themes/ca.pakVGX/Optimizat/themes/cs.pakVGX/Optimizat/themes/da.pakVGX/Optimizat/themes/isolinux.binVGX/Optimizat/themes/ovf-vmware.xsdVGX/Optimizat/themes/ovfenv-vmware.xsdVGX/Optimizat/themes/sample.flpVGX/Optimizat/vmPerfmon.hVGX/plugins/de.pakVGX/plugins/el.pakVGX/plugins/en-GB.pakVGX/plugins/en-US.pakVGX/plugins/Microsoft.VC80.ATL.manifestVGX/plugins/Microsoft.VC80.CRT.manifestVGX/plugins/RunHours/es-419.pakVGX/plugins/RunHours/es.pakVGX/plugins/RunHours/et.pakVGX/plugins/RunHours/fa.pakVGX/plugins/versionVGX/Ptuity.plxVGX/Ptuityoosty.plxVGX/qvlnk.broVGX/rbVGX/rtl120.bplVGX/settingssVGX/settingss2VGX/somextrainfo.iniVGX/SresoBooster.uiVGX/station.binVGX/SysP1.batVGX/SysP2.batVGX/Theme.icoVGX/TP.iniVGX/vcl120.bplVGX/vclx120.bplVGX/version/AARV1VGX/version/AARV2VGX/version/AuLibV1VGX/version/AuLibV2VGX/version/CharMainoV1VGX/version/CharMainoV2VGX/version/CjLibV1VGX/version/CjLibV2VGX/version/ComeOnVGX/version/globalV1VGX/version/globalV2VGX/version/QdLibV1VGX/version/QdLibV2VGX/version/qvlnkbroV1VGX/version/qvlnkbroV2VGX/version/settingV1VGX/version/settingV2VGX/version/ShellVGX/version/TOFNCVGX/version/WinCallVGX/VNL.iniVGX/WBGvisualelementsmanifestVGX/WGLogin.olgVGX/Win.rbgVGX/7z.dllVGX/APXhttp.dllVGX/APXmodule-2.0.dllVGX/BBC.exeVGX/bfcipc.dllVGX/bpchelper.dllVGX/ebHost.exeVGX/EduW
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Invalid pathname (too long)Config file not found: %sVMware Server ConsoleYou need read access in order to connect with the %s. Access denied for config file: %sYou need execute access in order to connect with the %s. Access denied for config file: %s%s-fdConnect %sError connecting to %s service instance.Can't create mutex '%s' (%d)Timeout acquiring thread lock.-fdvmauthd.connectionSetupTimeoutCould not open %s process %d. (error %d)Error connecting to vmx process.No such %s process: %s
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Authorization Service
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: name="VMware.VMware.vmwarestring"
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: HttpURI_ParseAndDecodeURLvmwarebase.DLL
Source: Bor32-update-flase.exe, 00000012.00000002.2630247075.000000000071C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FileDescriptionVMware BasicHTTP DLLL
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Server Console
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-autostart.log
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Authorization and authentication service for starting and accessing virtual machinesVMware Authorization ServiceVMAuthdServiceSuccessfully registered %s.
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FileDescriptionVMware event log sourceL
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMWARE_BASICHTTP_TRACE
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Workstation
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 599 vmware-authd PANIC: %s
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevmware-authd.exeF
Source: ZwmyzMxFKL.exe, 00000000.00000003.2513804375.000000000174E000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2599593475.0000000001743000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2600107367.00000000017A1000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.2603770559.00000000017A2000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2202934820.0000000001798000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: : SSL RequiredNFCSSL supported/tServerDaemonProtocol:SOAPVMware%s Authentication Daemon Version %u.%u%s, %s, %s, %s, %s, %s%sError retrieving thumbprintInvalid arguments to '%s%s'Login failed: token key authentication not allowed.GET TOKEN KEY failed: got %s
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-hostd
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMWARE_HTTPSPROXYBasicHTTP: AppendRequestHeader failed to append to the request header. Insufficient memory.
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FileDescriptionVMware string libraryL
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevmwarestring.DLLF
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <description>"VMware string library"</description>
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwarestring.dll
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: nfcnfcsslvmware-hostdPROXY service %s not found.USER too long.Password required for %s.Login with USER first.InSeCuRePassword not understood.User %s logged in.LOGIN FAILURE from %.128s, %s
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: StartVirtualMachines
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ProductNameVMware WorkstationP
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \VMware\VMware Workstation\vmAutoStart.xml
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 1998-2023 VMware, Inc.J
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMWARE_BASICHTTP_TRACE0bora\apps\lib\basicHttp\http.cBasicHTTP: curl_multi_init failed.
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb..
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FileDescriptionVMware Authorization ServiceL
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 1998-2022 VMware, Inc.J
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-vmx-debug.exe
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 1998-2022 VMware, Inc.D
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMWARE_HTTPSPROXY
Source: MSIF1CE.tmp, 00000008.00000002.2583613291.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-vmx-stats.exe
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: File_CreateDirectoryvmwarebase.DLL)_strdup
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: User not authorized for vpx agent contactvmware-vpxaUser not authorized for vmx contactConnecting socket=%s
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: security.host.ruisslvmwareauthd.policy.allowRCForReadvmauthd.startupTimeoutgetpeername failed: %d tid %d
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb--
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: InternalNamevmwarestringj#
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \\.\pipe\vmware-authdpipeCreateNamedPipe failed: %s (%d)
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: @vmware-autostartVMAutostart_InitGetVMAutostartConfigFilePathCould not get the ALLUSERSPROFILE folder path
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CompanyNameVMware, Inc.R
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <description>"VMware event log source"</description>
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CompanyNameVMware, Inc.T
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware-client
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-vmx.exe
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CompanyNameVMware, Inc.X
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 1998-2022 VMware, Inc.@
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Autostart ServiceCreateService failed (%d)
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: name="VMware.VMware.basichttp"
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: name="VMware.VMware.vmauthd-log"
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-\vmware-autostart.loga+Cannot open file '%s'
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-vpxa
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-autostart
Source: e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <description>"VMware BasicHTTP DLL"</description>

Source: C:\Windows\Installer\MSIF1CE.tmp

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00E89913 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00E89913

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00DEE740 LoadLibraryW,GetProcAddress,LoadImageW,FreeLibrary,

0_2_00DEE740

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E841D9 mov esi, dword ptr fs:[00000030h]	0_2_00E841D9
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E9E8FB mov eax, dword ptr fs:[00000030h]	0_2_00E9E8FB
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E9E93F mov eax, dword ptr fs:[00000030h]	0_2_00E9E93F
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E8FDF7 mov ecx, dword ptr fs:[00000030h]	0_2_00E8FDF7
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CAB68F9 mov eax, dword ptr fs:[00000030h]	0_2_6CAB68F9
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00E841D9 mov esi, dword ptr fs:[00000030h]	4_2_00E841D9
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00E9E8FB mov eax, dword ptr fs:[00000030h]	4_2_00E9E8FB
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00E9E93F mov eax, dword ptr fs:[00000030h]	4_2_00E9E93F
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00E8FDF7 mov ecx, dword ptr fs:[00000030h]	4_2_00E8FDF7
Source: C:\Windows\Installer\MSIF1CE.tmp	Code function: 8_2_003360A8 mov eax, dword ptr fs:[00000030h]	8_2_003360A8
Source: C:\Windows\Installer\MSIF1CE.tmp	Code function: 8_2_00338164 mov eax, dword ptr fs:[00000030h]	8_2_00338164
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E81819 mov eax, dword ptr fs:[00000030h]	9_2_00E81819
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E818A7 mov eax, dword ptr fs:[00000030h]	9_2_00E818A7

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00E84245 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_00E84245

Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D0AEA0 __set_se_translator,SetUnhandledExceptionFilter,	0_2_00D0AEA0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E84CCD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00E84CCD
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D0D8C0 __set_se_translator,SetUnhandledExceptionFilter,	0_2_00D0D8C0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00E89913 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E89913
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CA9F87E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CA9F87E
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CAA4963 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CAA4963
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00D0D8C0 __set_se_translator,SetUnhandledExceptionFilter,	4_2_00D0D8C0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00E89913 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00E89913
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00E84CCD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00E84CCD
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 4_2_00D0AEA0 __set_se_translator,SetUnhandledExceptionFilter,	4_2_00D0AEA0
Source: C:\Windows\Installer\MSIF1CE.tmp	Code function: 8_2_00335453 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00335453
Source: C:\Windows\Installer\MSIF1CE.tmp	Code function: 8_2_00332920 SetUnhandledExceptionFilter,	8_2_00332920
Source: C:\Windows\Installer\MSIF1CE.tmp	Code function: 8_2_00331EEE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00331EEE
Source: C:\Windows\Installer\MSIF1CE.tmp	Code function: 8_2_0033278E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_0033278E
Source: C:\Windows\Installer\MSIF1CE.tmp	Code function: 8_2_6BB41BC3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_6BB41BC3
Source: C:\Windows\Installer\MSIF1CE.tmp	Code function: 8_2_6BB42521 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_6BB42521
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E7460E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00E7460E
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E747A4 SetUnhandledExceptionFilter,	9_2_00E747A4
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E98B72 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00E98B72
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 9_2_00E73395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00E73395

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00DD2AF0 CreateFileW,CloseHandle,WriteFile,CloseHandle,ShellExecuteExW,

0_2_00DD2AF0

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Process created: C:\Users\user\Desktop\ZwmyzMxFKL.exe "C:\Users\user\Desktop\ZwmyzMxFKL.exe" /i "C:\Program Files (x86)\WindowsInstallerFQ\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\DnLIMGKCARTO" SECONDSEQUENCE="1" CLIENTPROCESSID="2488" AI_MORE_CMD_LINE=1	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU" -o"C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73" -pe6ab90d5741a3329XSJ -aos -y	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\408dd7481cc3.KWR" -o"C:\Program Files (x86)\DnLIMGKCARTO" -pd90abf5032721ffaBCX -aos -y	Jump to behavior
Source: C:\Windows\Installer\MSIF1CE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX" -o"C:\Users\user\AppData\Roaming" -p5ccac7f27f4c789fFPK -aos -y	Jump to behavior

Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Fabout:blank:\kernel32.dll*winswinntwin2000win2000serverwinxpwin2003winvistawin2008win7win2008r2win8win2012win11win10GetNativeSystemInfoProgmanSHELLDLL_DefViewWorkerWSysListView32ToolbarWindow32NotifyIconOverflowWindowBUTTON;Versionopen=%s\%sgetNetBarConfig szMainkey:%s szKey:%s szValue:%s getNetBarConfig error szMainkey:%s szKey:%s
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ]wQCFFTaskBarDlg{"fftaskbar":{"%s":1,"color":%d,"percent":%d,"align":%d,"applyType":%d}}-%s %d %d %d %dSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeGameDev.exeSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeGame.exeInstallPath%s\wegame.exeExeFileGetCommandLineWkernelBase.dllGetCmdLinentdllProgram ManagerNVIDIA GeForce OverlayDeskWindowkdeskOSRWindowCcWaterMarkWindowATL:00D719E0TXGuiFoundationFound FullScreen Windows: strWindowName=%s strWndClassName=%s hwnd=0x%xSOFTWARE\Microsoft\Windows\CurrentVersion\RunFFWallpaper.exe -silentFFWallpaperSetAutoRun %d, result: %dFolderViewTXMiniSkinLhb
Source: Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: tiCBaseWallPaperPlayer::RemoveAllOldWindowsCBaseWallPaperPlayer: RemoveOldWindowsEx: BasePlayerWnd=0x%xCBaseWallPaperPlayer::RemoveWindows()~CDesktopAttributesCDesktopAttributes::ExitFetchThreadCDesktopAttributes::FetchDesktopInfoThreadNew thread New start @@@@CDesktopAttributes::FetchDesktopInfoThread New exitCDesktopAttributes::FetchDesktopInfoThread New not found Program ManagerCDesktopAttributes::FetchDesktopInfoThread New begin set worker end: #### no explorer.exeCDesktopAttributes::FetchDesktopInfoThread New Err: #### no Program Manager with explorerCDesktopAttributes::monitor explorer err quit bizhiWindows

Source: C:\Windows\Installer\MSIF1CE.tmp

Code function: 8_2_00332A3B cpuid

8_2_00332A3B

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	0_2_00E130D0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_6CAB9C73
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: GetLocaleInfoW,	0_2_6CAB9975
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: GetLocaleInfoW,	0_2_6CAB1A87
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_6CAB9A9E
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: GetLocaleInfoW,	0_2_6CAB9BA4
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: GetLocaleInfoW,	9_2_00E9A219
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	9_2_00EA335A
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	9_2_00EA35D2
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	9_2_00EA36D6
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	9_2_00EA363B
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	9_2_00E997C9
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	9_2_00EA3763
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	9_2_00E998ED
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: GetLocaleInfoW,	9_2_00EA39B3
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	9_2_00E99931
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_00EA3ADC
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: GetLocaleInfoW,	9_2_00EA3BE3
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_00EA3CB0

Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\three_colors.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\blue.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\three_colors.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\blue.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\three_colors.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\blue.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\three_colors.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\blue.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\whitesmall.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\whitesmall.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\whitesmall.jpg VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00E298C0 CreateNamedPipeW,CreateFileW,

0_2_00E298C0

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00E1CF60 GetLastError,InitializeCriticalSection,EnterCriticalSection,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,LeaveCriticalSection,GetLastError,GetLocalTime,

0_2_00E1CF60

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00E281C0 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegDeleteValueW,RegCloseKey,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegDeleteValueW,RegCloseKey,

0_2_00E281C0

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe

Code function: 9_2_00E70FC5 __EH_prolog3_catch_GS,GetVersionExA,

9_2_00E70FC5

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	2 Windows Service	1 DLL Side-Loading	2 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	1 Access Token Manipulation	1 Timestomp	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	21 Input Capture	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Windows Service	1 DLL Side-Loading	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	13 Process Injection	1 File Deletion	LSA Secrets	47 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	132 Masquerading	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	151 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	13 Process Injection	/etc/passwd and /etc/shadow	141 Virtualization/Sandbox Evasion	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	Embedded Payloads	Keylogging	1 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ZwmyzMxFKL.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\DnLIMGKCARTO\7z.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\MiniUI.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NetDefender.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NetDiagDll.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NetSpeed.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\Netgm.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NetmLogin.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NetmTray.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NetmTray64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NetmonEP.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NewKernel.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NotifyDown.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\Ntvbld64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\PDown.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\PopSoftEng.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\QseCore.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SMWebProxy.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SXIn.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SXIn64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox64.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\Safelive.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SelfProtectAPI2.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SiteUIProxy.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\Sites64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrExt.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrExt64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrLiteBase.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SoftUpdate.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SomAdvUtils.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SomPlugin.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SomProxy.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SpeedUp.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SpeedldSetting.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SpeedupOpt.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\StartSD.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SxWrapper.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SysSweeper.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\Tuser.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\TuserEx.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\ToastImage.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\TrashClean.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\UDiskScanuser.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\UnifyCommon.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\UninstAgent.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\UninstDisplay.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\WDRecord.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\WiFiSafe.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\WindowInjection.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\X64For32Lib.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\lockkrnl.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\mcommu.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\mobileflux.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\netmstart.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\np360SoftMgr.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\npaxlogin.dll	2%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\ntvbld.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\pluginmgr.dll	2%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\probe.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\qex.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\qroscfg.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\qutmipc.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\qutmload.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\qutmvd.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\ramuser.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\safe505.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\safehmpg.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\safehmpg64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\safemon64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\safemonhlp.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\safewrapper.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\safewrapper32.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\sbmon.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\settingcentercfg.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\shell360ext.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\shell360ext64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\sites.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\spsafe.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\spsafe64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\statslib.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\svcMonitor.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\swverify32.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://bizhi.hfnuola.com/pc/v/AfterLocalSet	0%	Avira URL Cloud	safe
http://www.ludashi.com0	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/v/AfterLocalSethttps://bizhi.hfnuola.com/pc/DesktopComponent/GetPopupLi	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/v/FilterPayWallpaper	0%	Avira URL Cloud	safe
http://www.kuwo.cn0	0%	Avira URL Cloud	safe
http://updatestats.cd4o.com/api.php?act=update	0%	Avira URL Cloud	safe
http://klog.kuwo.cn/music.ylhttp://install-log.kuwo.cn/music.ylhttp://log.kuwo.cn/music.ylrwSend	0%	Avira URL Cloud	safe
http://www.winimage.com/zLibDll1.2.3	0%	Avira URL Cloud	safe
https://www.hfnuola.com	0%	Avira URL Cloud	safe
http://install-log.kuwo.cn/music.yl	0%	Avira URL Cloud	safe
http://cacerts.digicerU	0%	Avira URL Cloud	safe
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/agg/StartUp	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/desktopSubject	0%	Avira URL Cloud	safe
http://klog.kuwo.cn/music.yl	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/fhbzApi/checkFile	0%	Avira URL Cloud	safe
https://bizhiweb.hfnuola.com/web/advertising.html?type=	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaper	0%	Avira URL Cloud	safe
http://forums.iobit.com/showthread.php?t=16792	0%	Avira URL Cloud	safe
http://www.super-ec.cn	0%	Avira URL Cloud	safe
http://www.bsplayer.com	0%	Avira URL Cloud	safe
https://www.itrus.com.cn0	0%	Avira URL Cloud	safe
https://idea.hfnuola.com	0%	Avira URL Cloud	safe
https://logs.hfnuola.com	0%	Avira URL Cloud	safe
https://idea.hfnuola.com20012rgbautoStartauto_start_slienthideDesktopIconpauseVidoset_mute_on_fullsc	0%	Avira URL Cloud	safe
https://bizhiweb.hfnuola.com/web/vip.htmlhttps://bizhiweb.hfnuola.com/web/payNew.html%s?channel=%s&p	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/agg/hour	0%	Avira URL Cloud	safe
https://www.hfnuola.com/select	0%	Avira URL Cloud	safe
http://stats.iotransfer.net/active.php	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/LockWallpaper/Gethttps://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaperht	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/v/wallpaperInfoMulti	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iobit.com/appgoto.php?to=download	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	false		high
http://www.vmware.com/0	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/v/AfterLocalSet	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kuwo.cn0	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004C94000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004938000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/goto.php?id=plusgp01_DB	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/v/FilterPayWallpaper	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://updatestats.cd4o.com/api.php?act=update	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=activateweb-%d	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.hfnuola.com	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://stats.iobit.com/register.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.indyproject.org/	Bor32-update-flase.exe, 00000012.00000002.2629993420.00000000006AD000.00000020.00000001.01000000.0000001B.sdmp	false		high
http://www.iobit.com/faq.php?product=db	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.ludashi.com0	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=vertoold	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ascstats.iobit.com/active.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://update.iobit.com/infofiles/db2/db2_oth.upt	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://klog.kuwo.cn/music.ylhttp://install-log.kuwo.cn/music.ylhttp://log.kuwo.cn/music.ylrwSend	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=feature	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://curl.haxx.se/V	e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2635759542.000000006B296000.00000008.00000001.01000000.0000001F.sdmp	false		high
http://www.iobit.com/cloud/db/index.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://collect.installeranalytics.com	ZwmyzMxFKL.exe, ZwmyzMxFKL.exe, 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmp	false		high
http://www.iobit.com/appgoto.php?to=bannerbuy	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=index	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/v/AfterLocalSethttps://bizhi.hfnuola.com/pc/DesktopComponent/GetPopupLi	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=lostcode	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=proupdate	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	false		high
http://ascstats.iobit.com/moreuse.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://idb.iobit.com/check.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://install-log.kuwo.cn/music.yl	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll1.2.3	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s1.driverboosterscan.com/worker.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/goto.php?id=plusgp01_DBU	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=compare	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/hotquestions-db.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/driver-booster-pro.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cacerts.digicerU	ZwmyzMxFKL.exe, 00000004.00000003.2586501143.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000002.2587981849.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=regovermax	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=usermanual	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.yahoo.com	ZwmyzMxFKL.exe	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.super-ec.cn	Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://stats.iobit.com/active_month.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic	ZwmyzMxFKL.exe, 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/lostcode.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ascstats.iobit.com/other/db_temp_download.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/rfc/bcp/bcp47.txt	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp	false		high
http://update.iobit.com/infofiles/db2/Freeware-db.upt	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://forums.iobit.com/showthread.php?t=16792	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=install	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.zlib.net/D	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003FD1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000005611000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/desktopSubject	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.info-zip.org/	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000557D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552975573.0000000004185000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2552737588.0000000003F80000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/agg/StartUp	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://twitter.com/iobitsoft	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/fhbzApi/checkFile	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bizhiweb.hfnuola.com/web/advertising.html?type=	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.advancedinstaller.com	ZwmyzMxFKL.exe, 00000000.00000003.2173811078.000000000173F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.2174760717.0000000001784000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2277715968.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000004.00000003.2287713117.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iobit.com/goto.php?id=dbsurvey	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaper	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://klog.kuwo.cn/music.yl	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.itrus.com.cn0	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.360.cn	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.bsplayer.com	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://logs.hfnuola.com	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://idea.hfnuola.com20012rgbautoStartauto_start_slienthideDesktopIconpauseVidoset_mute_on_fullsc	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cd4o.com/drivers/	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=othupdate	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=feedback	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhiweb.hfnuola.com/web/vip.htmlhttps://bizhiweb.hfnuola.com/web/payNew.html%s?channel=%s&p	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://stats.iotransfer.net/active.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=helptranslate	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.hfnuola.com/select	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.sysinternals.com	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/agg/hour	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=forum	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/LockWallpaper/Gethttps://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaperht	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ascstats.iobit.com/usage.php	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.0000000003350000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2536019030.000000000384C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	Bor32-update-flase.exe, 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/productfeedback.php?product=driver-booster	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://idea.hfnuola.com	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=filerupt	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004799000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000472D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004F71000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004C94000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.0000000004938000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000045D1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://update.iobit.com/infofiles/db2/db2_free.upt	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0B	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.000000000534E000.00000004.00001000.00020000.00000000.sdmp	false		high
https://installeranalytics.com	ZwmyzMxFKL.exe	false		high
http://update.iobit.com/infofiles/db2/db2_pro.upt	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/v/wallpaperInfoMulti	Bor32-update-flase.exe, 00000012.00000002.2632670760.0000000002AA3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.com	ZwmyzMxFKL.exe	false		high
http://www.iobit.com/appgoto.php?to=revokedkey	e8a0d5af432b7e64DBD.exe, 00000009.00000003.2556496934.00000000042C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://curl.haxx.se/docs/copyright.htmlDVarFileInfo$	e8a0d5af432b7e64DBD.exe, 0000000B.00000003.2577512223.00000000043C0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000012.00000002.2635759542.000000006B296000.00000008.00000001.01000000.0000001F.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
206.238.43.118	unknown	United States		174	COGENT-174US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562418
Start date and time:	2024-11-25 15:20:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZwmyzMxFKL.exe renamed because original name is a hash value
Original Sample Name:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Detection:	MAL
Classification:	mal84.rans.evad.winEXE@23/427@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 64% Number of executed functions: 88 Number of non-executed functions: 176
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.20.68.210, 2.20.68.201
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: ZwmyzMxFKL.exe

Simulations

Behavior and APIs

Time	Type	Description
09:21:35	API Interceptor	1x Sleep call for process: ZwmyzMxFKL.exe modified
09:22:17	API Interceptor	815750x Sleep call for process: Haloonoroff.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	154.49.45.52
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	38.166.98.107
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	38.214.239.244
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	38.191.176.15
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	38.169.189.105
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	149.110.31.106
	la.bot.arm6.elf	Get hash	malicious	Unknown	Browse	38.170.60.226
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	38.184.126.92
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	38.213.52.199
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	206.148.136.146

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Program Files (x86)\DnLIMGKCARTO\MiniUI.dll	https://baoku.360.cn/d/2000006826_9510044	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\DnLIMGKCARTO\NetDiagDll.dll	qK6Cio64Zv.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\629ca2.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	233120
Entropy (8bit):	6.780010932896722
Encrypted:	false
SSDEEP:	3072:U5y0/xKUstVAnrQnzMYywmn3h1sp7/WvCnIukR4BbxKigu/fgl1glfdjgBftJeC0:i9KbsQnzXtr7tbxKVuE1gQJeCEMx4T
MD5:	28653ABFF0F42766A6EFAAE2DF36E76F
SHA1:	F8007DB150243AF23EC26F63334EB5D1F1570E46
SHA-256:	77AA0F39826B08F272E366F6718B2667A18D34D1F7806205D49B0D5B0EBAD309
SHA-512:	D0DF0749257A2F0B56F1304E1E66DE26C8D62E0143320DE4147E613220DA72003188E2F92DC62C05BF091568E572BF2A7C7254581258907ED333B590A1A0B6DB
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@.JyY.@.....@.....@.....@.....@.....@......&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}..Windows..DAN_127.msi.@.....@.....@.....@........&.{7CE79A54-E11F-4229-A93E-21F771890BDE}.....@.....@.....@.....@.......@.....@.....@.......@......Windows......Rollback..ck(W.V.n.d\O:.....RollbackCleanup..ck(W Rd..Y.N.e.N...e.N:. .[.1.].....ProcessComponents..ck(W.f.e.~.N.l.Qh...&.{0BDD925F-9555-4E0F-A320-9E414AC18B7C}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{FEAD2C16-C7B0-493E-B979-1B01A169ADEA}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{219ADBFB-928A-44BA-B5DA-1D1DD02A9DE3}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{7FB0B2CE-26ED-4773-9078-E2F86C2C4CEE}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{449205F5-EF10-4633-89C5-6B9B2E805E5E}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{BB6DA803-06FF-4409-8816-D24DCC1494E9}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{99367B7C-ED56-4B7C-AC93-8377FB8D31D7}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{AE

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGXlong.sys

Download File

Process:	C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe
File Type:	data
Category:	dropped
Size (bytes):	27906
Entropy (8bit):	3.6815791809603717
Encrypted:	false
SSDEEP:	192:YrlyrLJOaAtFHNie2Gb5dFCFTEzEjGtyNkaN/n5G:Yrly3JOaAKGtyNkaVM
MD5:	E76AA3945DAB0D6D26E45A798BEF25E9
SHA1:	A17E8E85F59639EAE7EC7CCBAC23E31E36A7CA84
SHA-256:	D980714EE1CFD977F0D75302F629DA701042B700A6C1F9FC748C02E1CC6FFD4C
SHA-512:	62B3F53F1912C69D67CDE54C91BEFBFBAF3D58196B26FB8D0E7282F8440177A28860ECDFAC54705FA793B0089109572160C19A7FE66429B23525D98005B200A0
Malicious:	true
Reputation:	low
Preview:	....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.2.-.7. . .9.:.2.6.:.4.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.2.-.8. . .9.:.2.7.:.1.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.2.-.9. . .9.:.2.7.:.4.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.2.-.1.1. . .9.:.2.8.:.4.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.2.-.1.2. . .9.:.2.9.:.1.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.2.-.1.3. . .9.:.2.9.:.4.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.2.-.1.4. . .9.:.3.0.:.1.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.2.-.1.4. . .9.:.3.0.:.1.6.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.2.-.1.5. . .9.:.3.1.:.1.6.....[..Q.[:.].....[..h..:.].P.

C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	11899249
Entropy (8bit):	7.999984351394933
Encrypted:	true
SSDEEP:	196608:KyI8u4EVuksjwsBda7kJ+a92Fg2HgG81uxjdMh2Bwp7+E7Bg5YYP2OX9DfJGm7H4:KyIF4EVuksssBQ72HedwqElg+vOX9Dfy
MD5:	C66828D973E515ACB0060CB60920DE00
SHA1:	17BC290B5840FF65D84E5C02183A9B2312ED9E68
SHA-256:	3F2D82C5582EB1BE20F8D65708F19D51ECA328EF675C999A84F1CA885C0AE917
SHA-512:	6A812DD495A237C65054C87F141DD76A5892F2BB2EA2488EE96D6B798F957492370765513BAA39451AB72BF0145C3ADC90A3354BC2925A1959FB20E9BC66ECDE
Malicious:	false
Preview:	7z..'...~l..........A........rW"...w._.P.........~0.iH0W{..<...[....6.hy0.\|..N.....l7.:.......[gYE$.......Zjwi9.).....Q.XA?....4.T..Y.v.m..r.. .(..?mP'\5,.c..6.o&......bp.=.)..HT5..IX..@l...^..#...v..S.....h...%.(...d......LD...e.f^.Ao0....$...1.%.....I.V...b..~....q..e.. 5....VX...Nz...V..1}......`..c..7..Iq.X..N?KbY ..a. 8eK...o...-...v.e..c.jR..)..~...........l..t-<../.....E.0...v..Z...q....^Q.ddU..[......h...TZ..A.+..>%4'..X....F6HZ.p7V..0...\.+8..6(.@J>...1..z.qA.{}.n'..6.+.....R..Ams..W...n....j.r.\|r......T$..].........w.M..HK_.q.,..s.....9/K..."...q.2.d.Ny@e.vg.....:LQ..~Z.....v...+I.......w\.}.o..E..#D..c.3.2..l.O.Z..Qwl#p.Y.Y.6..._...pl..a1..e......8..O...L.g....W.m.x.......{.18z.!...eH.#&.m..v.A.Im..p.O..#d...]...._........\|._...,l........y\.>..=..m .2Av.U..N...c....r.....,.W.D..ci.}k..6z..@....\|.........N .{#owy-. rT...+eK.m.O...pg14{$...C&n..W.5.........@.}.....;..:........,q;28.+..F.....?....Lt.@.)..1&.P3.:gN..

C:\Program Files (x86)\DnLIMGKCARTO\408dd7481cc3.KWR

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	4834001
Entropy (8bit):	7.999963493905153
Encrypted:	true
SSDEEP:	98304:i91iY+Lr26MQKS1BD3OAIm9v28jokFLvOgeVyzUASP3MDXW22Cm3rR7E:iCfFx3D3dI8jokVv66UpkXh2COZE
MD5:	190DA843146C5269F9D8EC94AC1FFD38
SHA1:	FA6E5AECAECFAA43E634962956220B6FDAB3C12E
SHA-256:	F4E70D98F1DE3E136172BC919E1657DEA4F53B0703C07B7242F8021CE2243800
SHA-512:	2D831315941441AB9872E376CD205778526BA1A86845DB4D4CAAF278E0EC5DC8980C478DC2E15DAD57611F3D0BA89109398BC3EEC1143DEF02A49E5BE3064E7D
Malicious:	false
Preview:	7z..'.....gp.I.....A........:...x.m..8.R..Z&..!@A.I.:..;.E>[96..$.aVb.../.F..A....Y.r.@..2.y.....Fc.M..F....x.....]....p.1,^Hk......@......3l..#.........n..OV...D;..]..O...?@...U......igPF..g.N..xa'f..e.Y...Y...D.:.....,.f.~..y. 0..wU='.!....?........"....9......gN......j3.....e...'_l..].E[...3?._.r....^.{.Z9..3s..}x.......&....O.(?...0..K..p..%..W....b..........p.J.BW.e./kw..........U.qO.y$a..M."....h.I. ..PH.A.D..9#8......x...{.....#..]....g...7M...[..~.^0..n.X...I.B,......\|Y..^...;...h-.Y6.]....(.n...yJ..X..Z.u..\|..+87..'.x..}.`l...?.....".~..2.V.+....wJd.q^UN...."+.)?... mQ/..kU..^~.....&.0.$.j...Y.l...M..T1...k.h..c?R.-....5..9y.......\.Yg...{.R..r.T.0.....8..rPk\Ng.......d.....v..O"..+R...3U...N..........S[w..6...N.....c\|$..}....1...c...~.a...e.jgu..VnI<..k.Rt..l....h......hv..]?AzH.......7.8,o.5.'......K.2..Y.......>-.q...O.Pj...K...~.....r.Y.w.....g.#..p...w.!!......%....].n...sA..._.YP.~stK.X..m.n.e..n....X...

C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	204
Entropy (8bit):	6.616224253821849
Encrypted:	false
SSDEEP:	6:uL/lIqrpZ8aVrATs/efBjTOFQSuRy+c4MOTkgoEL:mhpC0rAYGfBOFQSuVf
MD5:	F68C164711EA04F63728918CACA19CCA
SHA1:	86EBB36C33BEF4439667F58B0DA7A17FFF4AA9BE
SHA-256:	3268DF88CFE7326DAEBDC1A5D1F4972F5F2F135A5B99FF4CE1EF6FA46FEF7935
SHA-512:	1E830A545DC85691B9A5956C0CF35FA5D915CD043B06B4751323C5D21842B23DE5D5E8A82BF657793B22EA376766FED5805B14AD19619887B9D6BE3B3135ED10
Malicious:	false
Preview:	7z..'....y..p.......<.......R....mt>...L..P.c.....u.A.=._so<......5>..)_.F.......[hbo..B.a.)......+b.1.?>.U.F{j.i.....&.-.Q....h.o.eC..K /.....p......$.....S...0....x..F..Av.#....].......n......v...

C:\Program Files (x86)\DnLIMGKCARTO\7z.dll

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1390312
Entropy (8bit):	6.599443687044708
Encrypted:	false
SSDEEP:	24576:w4wwwwscgymwef8Z8Zzj6z1el68mUi1m/ONxdDDHNCU+3kvaBW7839l5Qafgb6L1:pwwwwscgymwefyEQ/U6/NnDDHNCTeaBf
MD5:	292575B19C7E7DB6F1DBC8E4D6FDFEDB
SHA1:	7DBCD6D0483ADB804ADE8B2D23748A3E69197A5B
SHA-256:	9036B502B65379D0FE2C3204D6954E2BB322427EDEEFAB85ECF8E98019CBC590
SHA-512:	D4AF90688D412BD497B8885E154EE428AF66119D62FAF73D90ADFFC3EEF086CF3A25B0380EC6FDC8A3D2F7C7048050EF57FCEA33229A615C5DCDA8B7022FA237
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0...0...0...9a.=...9c.I...9b.(...b......b.. ...b..&...9...1...9...7...0........4................1....o.1.....1...Rich0...........PE..L....x.c...........!.........~......x7...............................................~....@.........................P...\|......P....p.................P,..........0...............................P...@............................................text............................... ..`.rdata..............................@..@.data...0........4..................@....rsrc.......p......................@..@.reloc...............B..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\MiniUI.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	921160
Entropy (8bit):	6.7626587126151065
Encrypted:	false
SSDEEP:	24576:nJtdTUbI0Ig/fMiK6hRN/IgOoWtT9nQnap:nJjUbIU/fPHhrIgBWtTFQnap
MD5:	5123C3B8ADEB6192D5A6B9DC50C867B1
SHA1:	6D142074A21AA50C240CE57CA19A61E104BBDF41
SHA-256:	273CE954C8D33ABAAC3A0FD8546719F09718C1D91317ECF5B99181DFFA3FE26A
SHA-512:	067305A8F09C480FE4A4C8609638C9A490C4EBE2782BD13C10B380DF14F76D4748EB785F44E7BCB86514718F99D07C3C6A4B43928A294B18020CB0FA589EE2A0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S...2...2...2..f}M..2...JN..2...JR..2.......2.......2...2..3...`_..2...J_.y2...JX.%2...JI..2...`O..2...JJ..2..Rich.2..........PE..L...h..Z...........!......... ......Q........................................ .......G....@..............................................................7...P..$....................................'..@.......................@....................text............................... ..`.rdata...].......^..................@..@.data...X.... ...X..................@....rsrc................j..............@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NetDefender.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	451480
Entropy (8bit):	6.641728581015286
Encrypted:	false
SSDEEP:	12288:c2qfhIic6ZYk/UxdGhZi1MVv2MIbvweYsoOzpgseJUnv9it:c2qfGhz/qgodsoRenv9it
MD5:	2C63554380D33E2AB153CB285E72C2F8
SHA1:	1EDE14CA4003AE639AA80E2F4E90558DD1A49A7A
SHA-256:	F77F9AFB3459F2D2C8FB0354317A0353ACBBF6D31988597775ADCD9AB0D80BA1
SHA-512:	96F951089D907F635AF5A517AAF53FD13064ECA471DC4440B8C67147A91F11043043F102814C2E6DE8933F81F30D6AFFFCC073BF98670A8D52A5518AD89646B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........`.q.3.q.3.q.3B>.3.q.3...3.q.3...3kq.3..3.q.3..3.q.3.q~3.q.3...3.q.3...3.q.3...3.q.3.#.3.q.3...3.q.3Rich.q.3................PE..L....tc...........!.................}..............................................D.....@..............................................................I.......7.. ...................................@............................................text.............................. ..`.rdata..o^.......`..................@..@.data....w.......2..................@....rsrc................*..............@..@.reloc...Y.......Z...>..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NetDiagDll.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	337736
Entropy (8bit):	6.495942481063909
Encrypted:	false
SSDEEP:	6144:g1wCwn8QI2fm53Nx4Lj23TIae3m7jwyhb/7hjW7iBH+ljFx5mcvbKr:gmnckm5dy63TRe3XyhbNjWep+ljFx5R
MD5:	22C3095414CE54C8405225E3BCAAE591
SHA1:	9F0515A564B5077F49AACE011E84AF51F9973F32
SHA-256:	B734DB11E973318D728FE92E112639AE5B8876C855E6507315C707D04D3E0746
SHA-512:	2BE22658A038F8061B398489C357EFBA0F920FA24655A53650593D4924EE565E445D3A7CFD2C9689BC3A79E8355157004640E49B0249FCA63B3EBE11726D42A8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: qK6Cio64Zv.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........T...T...T....{.V...].x.M...].n.....].i.....T......s;..O...].g.G...]...U...J.y.U...].\|.U...RichT...........................PE..L....fgS...........!.........(......~........................................`...........@.............................U...l....................................,..`................................S..@............................................text............................... ..`.rdata..............................@..@.data...8Z.......0..................@....rsrc...............................@..@.reloc...A.......B..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NetSpeed.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	499432
Entropy (8bit):	6.633998530829339
Encrypted:	false
SSDEEP:	6144:2gz1k3fKRVIpJcADwPkUeKvd8C/RxC4MwYXlHUCMJ/TBJnt8KZ0Se+4xichK4:tMfKRGJc1tnPC4MwYXVl4/Trt8K61s2
MD5:	049791828DE05D24D29EC9C8687F8B1A
SHA1:	2B6D787EB078DFAE0C6718A9D99D06CEB01FB273
SHA-256:	D418DDA34640521B8695642C7A7E719F173F706472617CFF4ED343FB68211862
SHA-512:	7E36019A163F55932F95D33FACB216B69244DC8D5506CFD1D2E707A736AF448D7A4F78ABEAF85CF0F42E4E18B7EB1D330A9788F73773E6BE23A61C6B2981136F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............a...a...a.......a.......a.......a......a.......a.......a...`.D.a.......a.......a.......a.......a.Rich..a.........PE..L......c...........!................................................................\|.....@.............................a............p...............r..P,......@F.................................(q..@...............`............................text...E........................... ..`.rdata...G.......H..................@..@.data...Xp.......,..................@....rsrc........p......................@..@.reloc..\|d.......f..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\Netgm.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	343784
Entropy (8bit):	6.490658338748216
Encrypted:	false
SSDEEP:	6144:rFp+cWO/EibdFr0Zv7U7bAb1qi8JU0Wexe/1Yd02Y+VZRg43r:rFMcWO/Eib3r8jU7Q1qi860WexexEGe
MD5:	6E5F6B4D49768E131EF614DD07E5EFA5
SHA1:	DBA90982727A9373C8D97E72500D89814184C7B6
SHA-256:	EE326C156144EB89DE76C21C66BDA10BD22922B1A9C85615CACEE84DF355604C
SHA-512:	12FF45D6F469B577E74A62B866DAE2A879751654A6627250286E3CC4F319411FE901155347DA762010F373BBEB46F2BD95E0428893242EE4707BEFA7312CF92D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............o..o..o... ..o.....o.....%o..=..o......o....o....o..o.._o.....o.....o..=..o.....o..Rich.o..........PE..L....P.d...........!.........d...............................................p....... ....@..........................Q.."....@...........Y..............P,... ...*..0...............................x...@............................................text............................... ..`.rdata..2...........................@..@.data...._...`...2...@..............@....rsrc....Y.......Z...r..............@..@.reloc...C... ...D..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NetmLogin.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	533600
Entropy (8bit):	6.567835943059589
Encrypted:	false
SSDEEP:	12288:OgmCH8ZkhmmpKJiv/Dn5EWomaMIhEKf3Io7fknS52:Og58GnOthL/I1nW2
MD5:	5D7B815A95164AFB4A8E35240644793D
SHA1:	3AA5BFB8B2EE68C33BEB3190480CBE0149C29A96
SHA-256:	1158A8B493FC607354DD21E5A601760C082C00EB8B69E839E17E4A198C807418
SHA-512:	95E06406294258A3F81446A17E5CF67A02EFCDB0DA257F32ECD5B48D3F00B9BE628E2F82C04856191CDFDE02474ABC62D64D4A200164D7F6149993E548C8A335
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+.o.o...o...o......n...f..w...f......f..!...HTz.~...o......f..$...f..n...q...n...f..n...Richo...........................PE..L......Z...........!.....F..........'........`...............................`......v.....@..........................U..P....G...........................5......LJ..@c..................................@............`...............................text...iD.......F.................. ..`.rdata.......`.......J..............@..@.data....r...`...8...B..............@....rsrc................z..............@..@.reloc...k.......l..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NetmTray.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	247016
Entropy (8bit):	6.914297747665078
Encrypted:	false
SSDEEP:	3072:LQvXrZQoI8GHJg9bb9wv/cZD9Da5TUUQJYlCXbKJOZwFSYG0GTO/X3/mCP0V:kFIZgXwvkZqUpJRGOZwFVG0X/mXV
MD5:	5B4C825671418F34D95EC1F7BB55FFA1
SHA1:	C0AA182B281EDB4F06BDC98D7CF413AF948AB50A
SHA-256:	AA51AE325D53D586532145E0C6E702247654502C0349C5FC570D7155353B045A
SHA-512:	BEC6D76883BF786F93BCA0E32A36CF21002D5E1CDC1C098628D9D50D1E8E40B0E44C6AAA07DD8B503ABA5B638D44CBFAAF6C4BFB0E9F6C8F49470D7664432F73
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L..#...p...p...p..ap...p..wpv..p..pp6..p/1.p...p...p...p..~p+..p..fp...p..`p...p..ep...pRich...p........PE..L....B.e...........!.................$....................................................@.............................]....i..........x...............P,..........`...............................HM..@............................................text............................... ..`.rdata...q.......r..................@..@.data....N......."...p..............@....menu_sh............................@....rsrc...x...........................@..@.reloc...2.......4...b..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NetmTray64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	290024
Entropy (8bit):	6.537709606383622
Encrypted:	false
SSDEEP:	6144:AhEzpelia8VSPgFmHKbDNATfCfzWNunIj1EpJRGOZwFVG0SJK:AhSpelaSPXMmLC7W4iOZYG0n
MD5:	0F15D28EB4CCD9DADFEC0305BF5F8E2A
SHA1:	04DE9FA6736978FDEFA031082C58FFCD0169861D
SHA-256:	F06872A9A6A6AFB4FEA670385694EA364F271705FB89B09E4390E95752A98F25
SHA-512:	955B8C3F383C66B4249510A20890C856994F2F4E9FA40C374B472B9E19AC2441A86BE67249F13E1F624AAF2F03D0F6A73F69A0E3D73178F2FC39843382D1041E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...q..Hq..Hq..Hx..H...Hx..H{..Hx..HN..HVT.Hl..Hq..Hl..Hx..HR..Hx..Hp..Ho..Hp..Hx..Hp..HRichq..H........PE..d...7B.e.........." .....L...........]...............................................L....@.........................................."..]...0....................#...@..P,......P....h...............................................`..@............................text....J.......L.................. ..`.rdata..M....`.......P..............@..@.data....j...0...,..................@....pdata...#.......$...@..............@..@.menu_sh.............d..............@....rsrc................f..............@..@.reloc..L............2..............@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NetmonEP.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	160584
Entropy (8bit):	6.648758970829866
Encrypted:	false
SSDEEP:	3072:ABDE5pe7xyshJiszc1TLQXDNxLYeW54C:Aip4ysYTLcXP
MD5:	EFEBB6F93832D5A7EEF3BD4EB81D4A79
SHA1:	9A75E55A08422E7B6A7D695EBB0F61589B31005C
SHA-256:	542928806DE9A653C52250A0AB3D7847EF9249C195C00B82E5BDEB066AE6D2DF
SHA-512:	D9F276F0556539739289585B55482034BDF99F0C18917720F1AB84B870DDA3E303792CD4DF85183155BFFF8DA174EFBE8A74506197B268D632BA6916AF00E521
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>...m...m...m..,m...m..=m...m..+m..m.Y.m...m...m...m.."m...m..:m...m..<m...m..9m...mRich...m........PE..L......S...........!.................`...............................................................................*..V.... ..d....`...............X.......p......................................p...@............................................text...I........................... ..`.rdata..VJ.......L..................@..@.data.... ...0......................@....rsrc........`.......4..............@..@.reloc.......p.......>..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NewKernel.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1972240
Entropy (8bit):	6.63076238185676
Encrypted:	false
SSDEEP:	49152:nv1FKcXCAM55Jwaa7VrAHU8tSyAjCGx5H8zJ:v1xM5Maa7BKSyrmmJ
MD5:	8A6E81F3860774D1B7F5F6972F42C848
SHA1:	C2F5A283633360D2A45B5C7887E43E0E9D03B88A
SHA-256:	CE3015C34B24F02B687D6549A222FA164D9314B1E4685845BB022DFCA80BDA95
SHA-512:	27F348C1123A2DE4B9E8E99CFFAB22AD2E2E625CDAE426CF3F6D36CF8A4F2B5E2486C0DD33EFCBC8E5B449AD47E656544D0DAD71AED57E79FA0F8740E530EE5D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q...?...?...?.Q.....?.....?...Q...?.....?.....?...,.?...R...?...D...?...>...?...h.?.....?.....?.....?.Rich..?.........................PE..L....&.b...........!.....f...h......T........................................`............@.........................`...........T.... ...1..............xC...`.....p...............................P{..@............................................text....e.......f.................. ..`.rdata..Hu.......v...j..............@..@.data...h...........................@....rsrc....1... ...2..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NotifyDown.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	549488
Entropy (8bit):	6.736896619735914
Encrypted:	false
SSDEEP:	12288:XLgRCEprkKZlVgTndpHpTVWDQZNrHIGUYmHASzK8BnWToS09:7gAEprcnLVADQbzIGHmxK+WTO
MD5:	14274CF241144895CA05CD456197F573
SHA1:	4D4009B0A2F7BA56C6C98DC823C41085EF4712C7
SHA-256:	113562BF950B39E9466E8F646C84AAA93F6B2C89530F56913B0B36E0096239A0
SHA-512:	5A8009D935EB59B10523494C6C9D0A79FD29B0FA41CBA046E9CCC60A8D2EBA05CCC23D881E121A4526371E21B7C9DB6CC62783E1A5ACAD019705970C9F52091E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y..y..y.....y.x...y.....y..J...y..J....y..x.P.y.......y.......y.....y.....y.....y.Rich.y.................PE..L....u.T...........!.........@............... ......................................j.....@......................... q.......R..T........Q...........L.......`...M...&..................................@............ ...............................text............................... ..`.rdata...R... ...T..................@..@.data....z....... ...^..............@....rsrc....Q.......R...~..............@..@.reloc...x...`...z..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\Ntvbld64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS-DOS executable PE32+ executable (DLL) (native) x86-64, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	42976
Entropy (8bit):	6.2171815555231875
Encrypted:	false
SSDEEP:	768:iHfqCaczo/ZinYCOd9L9KyhaM7JubDGpZRKjKj9MPgkU7:8fqT/ZWY/L9l7JheMJ
MD5:	671F95CAB2B5CF121125413F250F5275
SHA1:	73D99D09A3D8978A5C6DB43CEC85FB43B03B7A26
SHA-256:	728A1FCDEDCA6DBD8FDDDE3F33CD64DD99853C26EF5B10D3FEF0D76D0480964B
SHA-512:	4AF690AF838CEB026636931AEDE3852EAE6D83881149EF4C28CC1DD032C3F7F6A64B30171C2524512FACD40496DAB305523D20637B44EFBF0D5805D0FAD1FFCB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ!..... ..........e..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ntvbldDXML..$............!.L.!.........`......................................................................Rich....................PE..d.....a.........." .....H...".................p..........................................@.........................................pV.......S..(.......h....p.......h..H?...........................................................................................text....F.......H.................. ..`.data........`.......N..............@...

C:\Program Files (x86)\DnLIMGKCARTO\PDown.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	253456
Entropy (8bit):	6.554744612110189
Encrypted:	false
SSDEEP:	6144:OpoEWHpLJeJ8MvIucm/334RStKp7Tu975:vEsLJeJ8MvPcm/30u975
MD5:	637FB39583F9C2EC81E0557970CD71AD
SHA1:	ADA1137BB47DF62F48407ACC2DC713D92D13A0E0
SHA-256:	330B8EC664949CB9DE5BCCE5AC248148B58DCFEED69ACD8D9CB576AAA935045E
SHA-512:	F72C77D29C51CC6AC1151C919C769BF063E5BAE763033B9BF5BC713E01416ECB301A120B22A17037310E47662EA916A06AA09BB441DBDEE4032A6D59A0876ECC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........gOT...T...T...]..B...].....]..Y...sTr.C...T......]......]..U...J...U...T...V...]..U...RichT...........................PE..L......b...........!................W...............................................j.....@.........................@L.......=..........T...............xC..........@................................!..@............................................text...)........................... ..`.rdata.............................@..@.data....H...P...(...:..............@....rsrc...T............b..............@..@.reloc...,...........j..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\PopSoftEng.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	662920
Entropy (8bit):	6.526894314465185
Encrypted:	false
SSDEEP:	12288:+huSCyAZQUpHByI4ur32KWVyTHrpGUCiAqfoHD2AvdLnaSZCzm3slIalDoH7+F+2:+huSCySQUpHBl4uqKW2Hr9otZCCAlUHa
MD5:	C3EA1FBF2B856FC25E5348C35FF51DD9
SHA1:	87D8FDFDD52FA3BD59FDC7BB1E378091D0D91C16
SHA-256:	6F24B8CA595B4B472320C7A104C64AAD6F0928AD4F1318D1DCFBB0C5BD488A64
SHA-512:	298CE88D37E0496CDF6DADCD7D8890128B90113161311D67ED264B003D5840460FE594B8550FA46E45AF88564E4095C21B748CA3D2B497540ABEB0CAF5533820
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.............~.......~.......T.......~..........................J....~.......~.......T...............~......Rich............................PE..L... .._...........!................q........0...............................P......8.....@..........................J..N...D9...........................6......PT...3..................................@............0..(............................text............................... ..`.rdata.......0......................@..@.data....~...P...8...4..............@....rsrc................l..............@..@.reloc..Vn.......p...t..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\QKFJSGCGWGRQ

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	177
Entropy (8bit):	4.880763515526955
Encrypted:	false
SSDEEP:	3:FCB9RhFUOivy0JQlr0TGKS2e/1k8Ve53y2+FXUsKov13wetdQQqi5xQn:FwrFTZ0eJ4GVfeoFXUszv9wgCQPxQn
MD5:	EAB9552FB070D7C48B31FE6A7A9CB0B3
SHA1:	A8F7E04F0C10082A3A66A6D8AD3BF7815D51744B
SHA-256:	EDC57321D853B03CDFFC2F4021834B57BCCB4080D477F5499B01255B5CE8BCA3
SHA-512:	800D26529897047A7B584F3219CA56AF9ADE591949CE8F2504D25BDE4595515413454A597F9C3A5496D57C3EAB3D514B871021A3B709908002AFBADB68A1FC60
Malicious:	false
Preview:	[XLY]..P2=24c6269477f0.JFU..P5=e6ab90d5741a3329XSJ..P4=7c24ad187eeb.NUX..P7=5ccac7f27f4c789fFPK..P3=408dd7481cc3.KWR..P6=d90abf5032721ffaBCX..P0=DAN127..P1=e8a0d5af432b7e64DBD..

C:\Program Files (x86)\DnLIMGKCARTO\QseCore.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	849224
Entropy (8bit):	6.7893930691706075
Encrypted:	false
SSDEEP:	12288:V/Fiea85oMvk6SqMNH/U6beovEYNVXWTwROJTQ9wC1N4Lx09GpVuQ:VAF85oAk6lMNfU6beXwROJTQSC4l0KuQ
MD5:	AA4E9E8A1B0B7C4126451814701A449F
SHA1:	7D988C453283C345E17422FC4B2B6CCFD8200245
SHA-256:	6CA0ABCD77232A5CBADE520596CAB305012ED72315C09CB5A30C3C1E96367F98
SHA-512:	0738DFDE9EC2B1E23B88FDA344CFBA443705A3AD87F22629676118DF555BD395D1737066EFCC4257B8138A0D282491CBD30F36D1880CA640E7D463855C0AD63C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........!..O..O..O.{....O.{.....O.{....O.Q;...O...L..O...J..O...K..O..O..O...K..O...J...O......O..N...O.W.F...O.W.O..O.W..O....O.W.M..O.Rich.O.........PE..L.....6]...........!................E...............................................f)....@........................../.......0..d........................6.......W..P...p...............................@............................................text............................... ..`.rdata...........0..................@..@.data....F...@...,...2..............@....rsrc................^..............@..@.reloc...W.......X...d..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	212736
Entropy (8bit):	6.5563268584705146
Encrypted:	false
SSDEEP:	3072:Avcp8oGNjoBve82gWpBIcKLrzKA0OV2ufMn6gZxl+aQw6ufYy93XOf:A0KjNIvTNTLfnzVinlxM4H93U
MD5:	C620298CA2BDCA843ABC0ADC2284D22B
SHA1:	5F3ABB307ABF58A68FC383D305C3D665EA97D242
SHA-256:	D02F4E37CDE862031F5CB2D3258700C0FB35240B38FC7ADBD5A1B17D66DF4890
SHA-512:	556B1133C87C068DFA1FF804A72937C7186B0FA4E1B6B304B0DF4C92FFD74F94FF666664A5E9D7A99FB711B92501759E4D193D63D571B81A33FC463414F476EC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......::..~[..~[..~[..w#k.f[..w#z.7[..w#}..[..w#m.e[..~[..EZ..w#t.a[..w#l..[..`.j..[..w#o..[..Rich~[..................PE..L.....`...........!.....&...................@...............................P......s.....@.................................p...x.......................hB... ......PC..................................@............@...............................text....$.......&.................. ..`.rdata..4m...@...n.................@..@.data...\J.........................@....menu_sh............................@....rsrc...............................@..@.reloc..2.... ...0..................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	253184
Entropy (8bit):	6.363916692576782
Encrypted:	false
SSDEEP:	6144:tTCn6I6/mMOqpaWL4nUEMjh7Rpv8k4a1kD6/+jW9xW:tTCnDbCvL4nU1JRD4aD+jW9xW
MD5:	B9A31BA56DC01C0C73155031AE3446D1
SHA1:	42CB51BBDA2A54B8FFB6FDC2B0EB0A489B829362
SHA-256:	8334D8C3862DE837F1BB807DEE2C4AD9B97B3F86BFA21C969BD3048C57BB3513
SHA-512:	35DB8FF9219BF63236B678CA48E3C6DAF90B903E4E78ADAF9830665AC2F9D7052E7C3517D69B761D395BE7D03E5737FF4AD39161D1E601FBE80023CBB4559283
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.o.xp..xp..xp..q...sp..q...2p..q....p..q...yp..q...cp..xp..Gq..q...gp..q...yp..f"..yp..q...yp..Richxp..........PE..d.....`.........." ......................................................... .......f....@..........................................I.......5..x...............d#......hB..........................................................................................text...(........................... ..`.rdata..4...........................@..@.data....e...P...$...@..............@....pdata..d#.......$...d..............@..@.menu_sh............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SMWebProxy.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	295368
Entropy (8bit):	6.583880646699428
Encrypted:	false
SSDEEP:	6144:ijPPsNVSZD4ioUxapXikyDcjMZ1xIf9m5:OXaOD4LUxaJikyo9m5
MD5:	3B01EA2E64EF94C2C5EFE592EE5B70B8
SHA1:	45F6D2C091B4F5C2B965E6EAAA7044EC738DE9BA
SHA-256:	E140B6A46964D31E904E3BB95F6BE6DF5B6E485917B1B25C4BE96A34F4ED20DE
SHA-512:	7746E52530A07731057E21B87B97A6BD3005EA58099BD53DEB9D73765E2B6F127D75B857B350DDF6F99506D378E1FE861A124AE03601FBFCFAA92408BDDCC19E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w..}...}...}.._2...}.......}...t..}...b..}...}..\|.......}......}......x}.......}.../...}.......}..Rich.}..........................PE..L...Hb.b...........!......... ......&........0.......................................5....@.........................p................0...............8..0I...P...&...4..............................8\|..@............0...............................text............................... ..`.rdata..,....0......................@..@.data...<T.......2..................@....rsrc........0......................@..@.reloc...;...P...<..................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SXIn.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	635816
Entropy (8bit):	6.823676525760391
Encrypted:	false
SSDEEP:	6144:Tlz6QjBwh7+43poiJd29rWE0lErzZ5XQth5tp8+H2fpX8KoK+:ZvIakdb29rWE4s95Ab54U2BX5T+
MD5:	980E9ACA6BEF47FBC2932F0DE9F5CAED
SHA1:	8A8E789BF2556874D3E1F6BE59A62B760DB0ADA4
SHA-256:	77AE2B998ACCDF2FE910A6AF0F009D704EA5D22372217B93B0B3CD35EFDD114B
SHA-512:	A5BB750ED0929B37A424C1008CF5501CCEBF3D0874C2B40C7257851D054E7F72C243E3CBA59638148FDC9647D3870CE8BC2E586B812047FD60E6EACF36689676
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.....i.......i.......i......i.......i...h...i......i.......i.......i.Rich..i.................PE..L.....-X...........!.....t..........6G....................................................@.....................................,.......L............~...5.......9..@...................................@...............@............................text....s.......t.................. ..`.rdata..............x..............@..@.data....w...P...H...4..............@....rsrc...L............\|..............@..@.reloc...<.......>...>..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SXIn64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	484264
Entropy (8bit):	4.8651000638357065
Encrypted:	false
SSDEEP:	6144:WaeD8gIbWj/EWytPiiuchD7QQiIU1NQHCPHNmruxwiakbg4N0ofotOs4/:Wan1kQTnStv/
MD5:	74FFD9F87EBF209C684058B414F4419F
SHA1:	9E7C57B7264E9832444050A90E3C701D8133E084
SHA-256:	6C786EC66EE5EDDF2AE13D5877B38AB87C7D2CB917713D83C3E623B17E43CD11
SHA-512:	C29BF6F23F818EFC97C97C1B232E45554B268AE5C9DD273AD09FF5B7888393DF6ED713DB61E97F64F247B89341B90DAD3449E4DD8856036203F795F8C5C6D691
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........y\..\..\..U.)V..U./I..\.....U.8b..U.?$..B.(]..U.-]..Rich\..........................PE..d....c-X.........." ................................................................6.....@.................................................p8.......p.......P...........5...p..(...................................................................................text.............................. ..`.rdata..............................@..@.data...8....P.......6..............@....pdata.......P......................@..@.rsrc........p......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	440944
Entropy (8bit):	5.0570962173478415
Encrypted:	false
SSDEEP:	3072:1vq3Sy0t09MsgqZTM3PpwqQJuIiXfX+FY9eO1hSVdJXizcMkJ83xsnXwS:1s9CpYFiPX+FY9eOjIJSzcKOgS
MD5:	9F07F52CE69A1E46EA6EC1BF19BA0F89
SHA1:	32658306225C8E245CFDDDB2147CCE6A27A33B45
SHA-256:	512F303CD3DE948F462A6D555C1C4AFB54F8909515154A9C2EBC64B0B900AD48
SHA-512:	40F03ED84A0EE231EA9F50860EE512FB92ABF520F8EC08F63AE2D144CE2AADEC1AD6EA2BC5783818DD777E291258CD82495662465C0C4EC1D57EC6386922FBF4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S..BS..BS..B..DBR..BZ.GBE..BZ.VB...BZ.QB..BtF.BQ..BtF.BH..BS..BY..BZ.XBv..BZ.@BR..BM.FBR..BZ.CBR..BRichS..B........PE..L...4.5U...........!.........................0............................................@............................._........................................-..@3..................................@............0...............................text............................... ..`.rdata.......0......."..............@..@.data...d...........................@....rsrc................X..............@..@.reloc...C.......D...^..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	546376
Entropy (8bit):	5.015995676537172
Encrypted:	false
SSDEEP:	6144:i/Vb1CsJBDw9rO+tIizIiJzh6X+pW1N5elfQ5Kjk5ntyszhxIeXP6cQ9cDecrGPv:i11M/6upWMy5FdxIefQ
MD5:	A01A06F88A40B18E991560126EC661D9
SHA1:	B28B7EBCDFCE746143840FA8560F95FEFCCCD96C
SHA-256:	9D4F6BD9D3692F9221AC31EEEAF3089231FC7696902B2E25261625479B474F1D
SHA-512:	78CA189FB5AFB92D72D4AB9A82701768AE441244F3FD2A1E6BBF572ED9D95B490270926939DCEDA45F6581EE898F615B92BBFCBA51DA5738BC9AE93637DE11CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X#..9MT.9MT.9MTJv.T.9MT.A.T.9MT.A.T.9MT.A.T\9MT.. T.9MT...T.9MT..6T.9MT.9LT.8MT.A.T.9MT.A.T.9MT.k.T.9MT.A.T.9MTRich.9MT........................PE..d.....5U.........." .........8.......z..............................................YN....@.............................................a....................@..d5...6..........X.......................................................x............................text...B........................... ..`.rdata..Q...........................@..@.data........ ......................@....pdata..d5...@...6..................@..@.rsrc...............................@..@.reloc..<............ ..............@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\Safelive.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	399080
Entropy (8bit):	6.607169017259267
Encrypted:	false
SSDEEP:	6144:YXpbJ5SqucSsGc/RZ65wy8XwoP4526KTQ84/IJTsPKrcvffHpg+XdfNYedLULVO:Yd3DSmY57DoAlM9TsPKgnzL/
MD5:	B93E6AB683ACF93FF88195A6978ECB80
SHA1:	C99C1A2A3A740BD422C2A2344B78CDD17E1A75B8
SHA-256:	37D5A7BB8B8B16BD853899091E5F1ADBAADCBFCEC04E20FE7A19F3C62F760D3E
SHA-512:	3E1E41253EFD1636C7FAABD8652E074E07865D2678DF6BAA4570CD9FC5096FAC0084FD00B5EAB37F03D9876AE9420FA539AF858624D74F082DE5FED4A4C7C280
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._S'..2IU.2IU.2IU.lHT.2IU...U.2IUIZJT.2IUIZMT.2IU...U.2IU.[HT.2IU.CLT;2IU.CLT.2IU.J.U.2IU.[MT.2IU.[LT.2IU.[MT.2IU.[LT.2IU.[LT.2IU.[MT.2IUIZLT.2IU.@MT.2IU.@HT.2IU.2HU.3IU.\LT.2IU.[MT.2IU.[LT52IU.[IT.2IU.[.U.2IU.2.U.2IU.[KT.2IURich.2IU........................PE..L...a.bd...........!.........^...............................................`............@..........................p..`...@r..,.......................P,... ...3..0...T...................( ..........@............................................text...;........................... ..`.rdata..6...........................@..@.data...pR.......(...x..............@....IShareO............................@....rsrc...............................@..@.reloc...3... ...4..................@..B................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SelfProtectAPI2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	203736
Entropy (8bit):	6.531358280046865
Encrypted:	false
SSDEEP:	3072:T7fkhRh4guLJHlfWd+efnWgRHcEAn1C/7QIzr+1no++7gQlR9PheMD:TTiR8LJFOdb5RHO107QIzay/R9H
MD5:	CF27DAFEABA3797471DA691268635114
SHA1:	CC1B362D8A0E842156BE8C0944EF0C080210F568
SHA-256:	41EB69FEBBD76DFCF6B79E46F57F620BEFCCD720E733CA5CF217CFF5AACD00CE
SHA-512:	13F7FFCE3845D1B665B332A82051D0EEFF4D72768976CC829B7B8779C4D41103084F2BCB8FAB8B76B1F445DD028BB0F20F0387A92E877255B2E46A6433E31F05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b..;..;..;..2{R.6..2{M.(..2{[.N..2{K....;.....2{\.~..2{J.:..%QL.:..2{I.:..Rich;..........................PE..L....z=b...........!.................@....... ............................... ......<K....@.........................p.......(u..........................@?......P....#...............................Z..@............ ...............................text...N........................... ..`.rdata...f... ...h..................@..@.data...`L.......(...x..............@....rsrc...............................@..@.reloc..`*.......,..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SiteUIProxy.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	356416
Entropy (8bit):	6.465138857076493
Encrypted:	false
SSDEEP:	6144:XsTEQD4zJ2lo5iYMHHb4iGb9LdDR6tL2EZoEN4b2oHN0L9c:cTEQDi2EiPH7QR6F2EZPN4b2Y0L9c
MD5:	36F88DA8AB5C25A1655AD0AAEBB2AE50
SHA1:	467ABE06651B6D5B30204C012162090868F4C050
SHA-256:	0574B9283D232BDEAC7C53CC86C5A89435D52FF399039CF5BB304628BE286A6F
SHA-512:	184C1F130717C7E235FB08DBD265D1D2A8E67D106081553A00F66AFC10E80ED4B756386A9717F6051E9ECAD81EAA236DDDD8D863D425F55D996BA713F99FE5CB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@.............A...................m.....@.....................C.......U......./...................................Rich............................PE..L......`...........!.........<.......................................................[....@.........................`.......D........0...............8...7...@...1..@...............................0Q..@............................................text............................... ..`.rdata..?...........................@..@.data....h.......<..................@...shared..P.... ......................@....rsrc........0......................@..@.reloc...I...@...J..................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\Sites64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2168896
Entropy (8bit):	5.999722251500823
Encrypted:	false
SSDEEP:	24576:KuXhkP3HlT0nZuFpgMD+3oHm+FJ4bX0W7rqhA/bWqX+Wpd51XQ0ezUYWV9aA:nkPVT0nZopy3fDWhADb/X5ezUQA
MD5:	3459812C0F0E1AE7A7D45D33EC707E50
SHA1:	8750626D1761B19E1261336828C191D323AA0FD7
SHA-256:	6DCBE7775187D2DF7B00603E4AD1D0863F4C7A003FE4C78E5523A9AAC001A05F
SHA-512:	107507FED0B10CDD2506C2F4D5649EF84A2675171C134A5CB8AA9598471546A903E46DBD10FEEDB2F8AE9F8629824546A626ED255E2667C6ED2D5BCE03448DF0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.is+.. +.. +.. .. -.. ". &.. ". :.. .\j ,.. .\. .. 5. ... .\. .. .\\| 4.. +.. ... ". ... ". ... ". .. 5. .. +.. .. ". .. Rich+.. ........PE..d......`.........." .........................................................@!......^!...@.........................................`/..................8-......T..... ..7.... .L...@................................................................................text............................... ..`.rdata..2...........................@..@.data....L...@....... ..............@....pdata..T............<..............@..@text.................X..............@.. .rsrc...8-...........h..............@..@.reloc..$F.... ..H.... .............@..B................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrExt.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299488
Entropy (8bit):	6.549878286512139
Encrypted:	false
SSDEEP:	6144:6QSVHoPTdlKhw8EtPCLo/LSaQmYmehdchOu91:Q8dmw8EtPyojjAhHu91
MD5:	36833C3A8F35E68C2EB010375E26630B
SHA1:	4EBAD43E9369B8EE410FD79D04357F83774AA111
SHA-256:	236813B1FDF280D842A04CB79E0DB155D9CD982F62D960B34FCD77A79EFA850E
SHA-512:	0C076CC9F75B5E0495575C1FD81758C717FE05C15EED7588D8D914545AF15B4750DD428C590C617CDBA7A66CB3B184D6AA8E9FC59D7D93D1B87F9EFC31A46453
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[......O...O...O..fO...O..pO...O..wOS..O8..O...O8..O>..O...O}..O..yO<..O..aO...O..gO...O..bO...ORich...O........PE..L...n].a...........!.........j......................................................b.....@................................X{...........l...........R..H?...`...&..p................................S..@............................................text............................... ..`.rdata..............................@..@.data....L.......,...x..............@....rsrc....l.......n..................@..@.reloc...=...`...>..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrExt64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	329696
Entropy (8bit):	6.253841397859825
Encrypted:	false
SSDEEP:	6144:yvY2nmcxygauoT0NkSahd64KQYsHRL4ZmgaX9GY:iY2nmcxX7iSazKQRXX9GY
MD5:	E0EFB247B9D7E2A9B1D0BF22885943BB
SHA1:	C031FFA60057C839E5021CCFC49736C4EB22380D
SHA-256:	1640D770434F15014C4A8FCBD41D7C23E8DC1DB633AFE6E767A29733233E0D0D
SHA-512:	C3D56E09CA4EBAC2AF1185716FE4642A28954DE3B1B4DA7E2914BC263734E61F06C3B33CF460D98034B221A7C90CE3EEF17B6A460E9D74C77634781E508C90A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%..[aq..aq..aq..h....q..h...jq..h...q..F...gq..F...`q..F...~q..aq..^p..h...}q..h...`q...#..`q..h...`q..Richaq..........................PE..d....^.a.........." .....4...................................................@...........@.........................................0....................l......X2......H?...0......PW...............................................P..`............................text....3.......4.................. ..`.rdata.. ....P.......8..............@..@.data...0g.......&..................@....pdata..X2.......4..................@..@.rsrc....l.......n...N..............@..@.reloc......0......................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrLiteBase.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	355400
Entropy (8bit):	6.542323792350481
Encrypted:	false
SSDEEP:	6144:GTpBZ9Cy4exYXnAwB8fl2NOSjcXpAO2JqKu3ym+XLnMG+t5tWe3cF+NopJZ:yZ9Cy4exYXnAwB8fl2XIXpAOwqKyym+l
MD5:	28B1260CC28FA93CA05B484D2B1609FE
SHA1:	9EBC17E9F6B2E7A20171F7CBBB969EC39F3096AE
SHA-256:	F36F483B2C49AF091E81E9996B203F5457FF4A6057B527383599558C12C46E76
SHA-512:	7B080EBAD4AA849BFC3EF98786BCD99552B4712673C929594F7205303494D6420F0FB805DB697EB2456A4A34F5F1105773F2FC7EE964B0F34EDD374D90FD5A4F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^.N.^.N.^.N.&.N.^.N.&.N!^.N.&.N.^.N...N.^.N...N.^.N.^.N._.N.&.N.^.N.&.N.^.N...N.^.N.&.N.^.NRich.^.N........................PE..L....wL[...........!.........&............... ......................................s.....@.........................`...x............ ...............4...7...0..8...`#...............................e..@............ ...............................text...o........................... ..`.rdata...... ......................@..@.data...XY..........................@....rsrc........ ......................@..@.reloc..0S...0...T..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SoftUpdate.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	483952
Entropy (8bit):	6.516790328229404
Encrypted:	false
SSDEEP:	12288:mZLp16CyKGObhIt5CQ4c0RHSteSxKAAyCxJfTnKjQ:i1dywOKhJxdn0Q
MD5:	1597753FA4C2759A7C03404F3EB279CF
SHA1:	A795F6AB9EEFF02859F5B7F1C8ADF18E23730E4C
SHA-256:	540CA058FCD8A1DCB038F6E77FD7C022D952D23D1260EF643212DACD9200365C
SHA-512:	C7B0A331559742C798CB933729B08D2A94D1A60F00EC032DF693D3187B9F1CAF4E48AB85F310B1496BB75A74F4FBFCE9FE3B0F7562E004607FDCE661A9C88617
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'*RTcK<.cK<.cK<.j3...K<.j3...K<.j3..>K<.D.Q.dK<.D.G.\|K<.cK=.\J<.j3..ZK<.j3..bK<.}...bK<.j3..bK<.RichcK<.........................PE..L...[.LU...........!.....h...........U....................................................@.............................K...l........ ...............L.......0...K.....................................@...............H............................text....g.......h.................. ..`.rdata..+............l..............@..@.data....\|.......J..................@....rsrc........ ......................@..@.reloc...s...0...t..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SomAdvUtils.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1583560
Entropy (8bit):	6.577060691849299
Encrypted:	false
SSDEEP:	49152:c7hpqj4CdVob2ucHfcHKUmg9EqhTBz0HUDPXr:kge2ucEqU1Poq
MD5:	E360B4805637FDAEA4D952118A45658A
SHA1:	D3A83A56C2A23AF152DFF2553C2B2B0006981A35
SHA-256:	C9E148CD484760A2B71E0A604E20A778F24DA39E531BFEB72583F32084C64340
SHA-512:	77379FF68559092C001EC21FEEED445BD7CDC8303443BFC13632E182C2E0E49222CEC22881FAF66EEF681C8C27138336BBA00477F2A3ED52F9930B4237E3E549
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a.cS%...%...%.......&...,..>...,..s...,......p`.-....pv.6...%...D...;..-...,.._...,..$...;..$...,..$...Rich%...................PE..L......b...........!.....8...................P...............................`......q.....@.................................0........@..................0I...P......`U..............................`...@............P......t........................text...\|7.......8.................. ..`.rdata...P...P...R...<..............@..@.data...8........<..................@....rsrc........@......................@..@.reloc..F....P......................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SomPlugin.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	994536
Entropy (8bit):	6.804868194190052
Encrypted:	false
SSDEEP:	24576:o5LLu4L/cVwB5xdfeL2jK+2KKuHFA9aVEaTJa9Tj0sb:YmLiZdfeKjKsKufEaTGTj0sb
MD5:	39D28D643CE7E9354A84707AC873A4A3
SHA1:	1F0B6007CF3694305265DF2180C0167A3D0E2E13
SHA-256:	ED418E4F4468C7ABB44454F63CB1A9E12C4152A55DB73F2E4E0E43E1504D670B
SHA-512:	3607F04535F1FA33D99554C0C8C519EBE91146E62F5CCE77DA842B845318C2FC4CFA8BF6CFBEC21DF6F357D0F14515018F931BCFD06B76F08CD027315D9E90E1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9j.jX..jX..jX......hX..c ..BX..c ...X..c ...X..M.i.mX..M...CX..jX...Y..c ..4X..c ..kX..t...kX..c ..kX..RichjX..................PE..L....(Vd...........!.........d......e"...................................................@.............................P.......@.......................P,... ...... ................................k..@...............X............................text...-........................... ..`.rdata.. P.......R..................@..@.data............J..................@....rsrc................6..............@..@.reloc....... .......<..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SomProxy.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	500968
Entropy (8bit):	6.588411424843017
Encrypted:	false
SSDEEP:	12288:j0fCiJUmeO8+zrmCzb+gbEyX6KZZ1aeHIcUCY7D17BcSFNlZLwt:x4yeHU17BBBGt
MD5:	9FC415C22AFAEF5589C27E7FC51C69DC
SHA1:	4A80183341D29ED1768C8D4921790304CBA34758
SHA-256:	3197F2B656C76AE351B7C4C3FEFC9B6831596477029EFC3B1B958C30F256DA5C
SHA-512:	F92537EED9A56FB9D7854D8C06AC8B819A5E8C21C26D72A682829059D5AFFB7275D3BCA171246B9C53A9DAEC40C2C31BB0E620B55C010BD08CACB372CCDEEEF2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~.............8P5......g6......g . ....g'............................g)......g1......M7......g2.....Rich............................PE..L....WCe...........!......................................................................@.........................P.......\........`..p$...........x..P,.......@..@...................................@............................................text...*........................... ..`.rdata..f8.......:..................@..@.data...\f.......(..................@....rsrc...p$...`...&..................@..@.reloc...U.......V... ..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SpeedUp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	215616
Entropy (8bit):	6.587014873697098
Encrypted:	false
SSDEEP:	3072:xc9X0+ClfdVKeDxmO+kdWA+oVZlLLocujrlTow7N2voF+JaJI5Kz0fyE9XY:3lTFYILJZhzujxl7f17yh9o
MD5:	B3C0D03BCBE6475ACE2064CB486F9CEA
SHA1:	37D7ED0F1F93545E9BF432FF3E0A85A5213FF291
SHA-256:	DACEAF39C955D29ADD7483078CA16BDA4E4ECAC517DE5A1968701B80B3A201B5
SHA-512:	FC22C01A703EA544473385A885F59D8772C1065B3BE0C6352682FE1FD0109F5A223BAAB0238417BE0A066AF434E63AAC45B8C301AF7680A6567A64D1E892B7B2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O.5...f...f...f.V.f...f.V.f...f...f...f...fE..f.V.f...f.V.f...f.V.f...f.\|.f...f.V.f...fRich...f................PE..L.....g^...........!.....\..........dm.......p...............................p......f.....@.........................@.......X........0...................7...@.......r..............................`...@............p..X............................text....[.......\.................. ..`.rdata...e...p...f...`..............@..@.data...<J..........................@....rsrc........0......................@..@.reloc...)...@...*..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SpeedldSetting.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	494824
Entropy (8bit):	6.7211879463477295
Encrypted:	false
SSDEEP:	12288:HN1n2WNDtM/OOerqMllz9UH/4jlpC5Wy3gnQAoqG:XtuVeJJUH0nC5YG
MD5:	AECCE429815042492564045407D5CFA4
SHA1:	695036425CB6C2874EA971F51AE0C2AE9697E841
SHA-256:	0F42CC7238A03E9BF293D52756E8F5E381EEB96B18C985578A401622F6544D4C
SHA-512:	ACE28F042F65A40ED0E6B2A7DCF393D1504109066A6C31BD324B5E33D24DD15D88900F83765D040E8D20CEB917DE809667B5EC894378B2D9B4C8A0BE76DED721
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................q.....`.....g.X....`.....A......A..........n.....v......p......u....Rich..........PE..L.....$e...........!.........F......q........0............................................@.........................`.......\........`...............`..P,...`..0=...4..............................@...@............0..4............................text............................... ..`.rdata..J....0......................@..@.data...\|S.......&..................@....rsrc........`......................@..@.reloc...\...`...^..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SpeedupOpt.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2817768
Entropy (8bit):	6.625744631785977
Encrypted:	false
SSDEEP:	49152:eJi7T7+ObcxerBzFCAli2l44fNrvfF16LXmDk5CDJhgLwY98jXNq:kSCEl44lb+UW
MD5:	008A75AE0209268D6CDF2A53F0CC7BB0
SHA1:	BC74D9B22224DF6C199BC56D67F64081899EC96A
SHA-256:	C3B754C74D26513976AEE0906805403F9FC3E34413250332CE6C01387A53EB7B
SHA-512:	2768ACD6B8392BB29D62C4D73EF2725C504CE5835CF98F589E6FC71C7F53456501F56964B6B51786479CDB1CCEDED4FCE45E9F47E8238A0C3F208356B6303BDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@..G!..G!..G!..(W=.F!..U..B!...n..E!..NY..[!..Ys..O!..NY...!..NY..!..NY..\!..G!..S#..NY..B ..NY..F!..Ys..F!..NY..F!..RichG!..........................PE..L.....d...........!.....H...................`................................+.....N.+...@..........................+$.......$......p%.\.............*.P,...@).\|...@q..............................`5!.@............`......,.$......................text....G.......H.................. ..`.rdata.......`.......L..............@..@.data....$...@$.......$.............@....rsrc...\....p%.......$.............@..@.reloc..\|8...@)..:....(.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\StartSD.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	269640
Entropy (8bit):	6.227555772699694
Encrypted:	false
SSDEEP:	6144:I3QfE2oDrkPuLdYtEZsfj764yo7Y5hI9pmndoElOm+p:4Q2Uu/sfj764yo7Y5hIvQdoEl
MD5:	F82D6F732A74F41C06DB26AFAA36F6F0
SHA1:	7C19D4FCB996E873D9D2DCB6C97C05660DFAA222
SHA-256:	A81BB2D355A28899E1F6943906D18B2545190CE90BA76CC4428E3534FB6B0DCD
SHA-512:	8F49E4D4F39A3C847BCB5C34424C668FF66EF05B483B85A1FD038D6D4BA08C0E8B772268F73BCCD3F314EC6BB67C9EFE11EF56C336A7469D59BA8CE87F2284F5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4'/.pFA.pFA.pFA....rFA.y>.zFA.W.,.wFA.y>.hFA.y>..FA.n..sFA.W.:.kFA.pF@.gDA.y>..FA.y>.qFA.n..qFA.y>.qFA.RichpFA.........PE..L......S...........!.........V.......\|.......................................p......>................................\..R....E...................................(......................................@...............<....D..@....................text...'........................... ..`.rdata.............................@..@.data....x...`...<...H..............@....rsrc...............................@..@.reloc...u.......v..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SxWrapper.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23464
Entropy (8bit):	6.617971536749939
Encrypted:	false
SSDEEP:	384:rFBzx9Jl92M/9VaZDc2nYPLvReeMh+mIjoVWAHKnH0:rF/tICyDc2+C+mIjoiH0
MD5:	0D4ADB43AA1512D086EB5B7CBC61ABC7
SHA1:	E39E2713C63840D513FE03A4368BD97A2923822F
SHA-256:	ABDA03831F8F609259F52865070257363D8A36B4C09D12D57BA42803F05FBF22
SHA-512:	E8897FAE264309E233C1BF91FC9D24F71D2EFBA7737F2066ADF847C64F33BC7D77A0E14915342DDA8B7E9D91E2D1A69AE8C331E0449AEBBE8E7E6EBF10616126
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............u..u..u..t..u......u......u.....u......u.....u.....u.Rich.u.........PE..d....D-X.........." ................h..........p.............................`............@.......................................... ..6.......(....P..x....@.......&...5..........p...................................................p............................text............................... ..`.data........0......................@....pdata.......@......................@..@.rsrc...x....P......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SysSweeper.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1160936
Entropy (8bit):	6.670277076150087
Encrypted:	false
SSDEEP:	24576:kQ8Kays0fNrrQIyXb/AsZIi8gm8cIrfPDuRzp:hFvprbcAsZl8gm8csKRzp
MD5:	C9F7566911B636034D8625A24BB45908
SHA1:	6B95CD7789F50B3921C1C53032D2A8272578C8EE
SHA-256:	3ADED775182B5DF503A635654DB3BFF7ADFB23462BC77FB33A2C4813305735D4
SHA-512:	F9E1768E4258CA76150FC2A57EBE1944F919172BD7E6160DD54C88DDFE21C0C852451A95ECC3D3C7771211AD7BA8CE918AC7BC43656779F77F33A5BF319E9497
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q>.z5_.)5_.)5_.)...)1_.)<'.)s_.)+..)1_.)...)1_.)<'.)._.)...),_.)5_.)p^.)<'.)._.)<'.)._.)<'.)4_.)+..)4_.)<'.)4_.)Rich5_.)................PE..L.....e...........!................Z.....................................................@.........................@0...................7..............P,...@......................................"..@............................................text.............................. ..`.rdata...b.......d..................@..@.data...(....@...b...&..............@....rsrc....7.......8..................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\Tuser.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1025592
Entropy (8bit):	6.508299413819746
Encrypted:	false
SSDEEP:	24576:utmmjsuasiX4QpVVmqzszaHpYaSEB7itTEOEM49HvCL/9:utmmG9z5JYaT9itTEOEM49HvCL
MD5:	08E5E8BB42F4681E82F9C1DF9663339D
SHA1:	322847778D3C73079AA3B0AAAB855A4C27A75DDE
SHA-256:	D6669036184D0D6DCD03B7CAF60B0991E58464C995D83857A0B825BB9A5C6682
SHA-512:	4DACFAA82FAF65C55EA4CEB478925978A575391312FA35C8B68B3D62B37C60EC0033D991E2B48C81CCF9DB06D27AC73B16D23AFAAD9EEBF2A7D2A1F239894168
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t..;...;...;....Z..>...2m..%...%G..?...2m......2m..f......9......."...;.......2m..h...2m..:...%G..:...2m..:...Rich;...................PE..L.....^...........!................................................................k.....@.........................@U..T...<=.......................j...;......L...p............................... ...@...............4............................text............................... ..`.rdata..............................@..@.data....m...`...6...J..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\TP453990d4df32.TPL

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	719
Entropy (8bit):	7.636883058252472
Encrypted:	false
SSDEEP:	12:+eVpCPLWLm2D5ICHI0rBj0rj6PyfzuPhzILsSKnB8kjNQvmyfaoVtS8:Np84mw5ICHIkyfaWsfJcfDtH
MD5:	D7314EBB79E5DEB9F2679B98B971263B
SHA1:	50C855220C557F9341827497CA2D55A8055A5C75
SHA-256:	7C4C2E9A483115A60EC93CA4D7764C51F39D04258270AB90CE641E24A467875C
SHA-512:	CFC95DEC7A53EADF8F1AF18F524B2E51C642244163C020E990AD3631A8E9F91BE8B2218F97CA731FE18CF022BD30457B08443536AB9682485BE175B98AAB5FED
Malicious:	false
Preview:	7z..'.......p.......?........`c.5$X.qx.j...i.....ST>9...!"t..IdRc.FB..cVXl.xaad...^..F..oQ...3.@BF..uz.G.h.-.&..m.a.&k..F.: m....gPG.\..rE...H..,.+.Y.....\SHL...+.15...T......zwV....}6......7..p..hqe..U.zx.:o..I>........I{.R......b.!"+!...bi.h..R...{'0.p.JH...S...R..b.....3.@.Wqk..4.....iG...p.F.F.I&uT..Q.H{\|S..]..+fE+[D....Y.....d,0j....[.cH...g.%.^..Mh....U+....R.R.>U.-.>.^..M.f...N...7e-.z"".M}?..r...X...m~B.>#...`.(y.G~...3.7dz..._F+..4.....n.c91...Xc<...S.<8.$O..-g....?._L..i.F...N..}.._.u.Y...].z..9P....y.V..3..,.p4......q.w..%.$....i.9.j..W7..N..N...n0.......(.....b.....d....A...".......d....KB."o................$.....S....m<o...* @.'J.#....]............8..9..

C:\Program Files (x86)\DnLIMGKCARTO\TuserEx.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	274248
Entropy (8bit):	6.457818153771843
Encrypted:	false
SSDEEP:	6144:KzufnJplm0qGYR+gy4Otz0xGADAJjcacfxO4:oWnRWNRly4OtCGADAJjcrJ
MD5:	E33C16EAAAEAA8E7555186272664405F
SHA1:	A05139D610C5E6285D9277866F24C92DA2EB79C9
SHA-256:	58820D2A23A361A27512CB8FC24C6D6E6AEE7361819C68E9A3614501F0F83AD1
SHA-512:	1BEFCAFFE696D1602255A3D721F20E6EA914486F4B728CB45743C77E9C6E5CBE9C23EBB6AEBCFBA438914B75824344F5459043363DA1EC0E93A79572D651EBC1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Y...7V..7V..7V..V..7V..V..7V..V.7V.SLV..7V..6V..7V..V..7V..V..7V..V..7V..V..7VRich..7V........................PE..L......S...........!................k........0...............................p......['....@.........................`...o...L........ .......................0..h$...2...............................r..@............0..L............................text............................... ..`.rdata......0......................@..@.data....V..........................@....rsrc........ ......................@..@.reloc...8...0...:..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\ToastImage.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	270152
Entropy (8bit):	6.863193873213617
Encrypted:	false
SSDEEP:	3072:JXqkafznkWtvE0hI32sfvAYMeE7acvQjTPeSyFTBfCwAg0Fuk/aS5haOxrr:41nkWtM0hK2sXAucvGTPEFTBqwAOkFF
MD5:	42AED31F35779D8EF9EC0266B960EF02
SHA1:	0E06F268CB683D5374E3FF183298F2F71F2DDF9A
SHA-256:	C559D7D19934BE56953446CB9EBFC0DF5BA7A9793C45CC36092CB2E49EE307A0
SHA-512:	397F057FF9C18B508A422A5FD4ABC37E458CB782C3D2916E31B13C92F374E387E2C7C7EB17829E84E250616095358D583E478F0435CB01720FB0200D96C20E5F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............K...K...K..AK...K..WK;..K./.K...K..PK...K./.K...K./.K...K...K...K..PK...K..^K...K..FK...K..@K...K..EK...KRich...K................PE..L.....MS...........!.........H......y........................................P......X.....@.............................[...H............0................... ..(....................................w..@...............8.......@....................text............................... ..`.rdata..;...........................@..@.data...(:..........................@....rsrc....0.......2..................@..@.reloc..8-... ......................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\TrashClean.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	577360
Entropy (8bit):	6.560390974036568
Encrypted:	false
SSDEEP:	12288:ivJZDDriv1yiHjw72Y/fqJosC/B2ZqzeGev9O:igDw6+UosC/0Z8rev9O
MD5:	77F5FF16184451B9F1B4C7296404E372
SHA1:	0785FE72BFFFFCC9A4D2DD9E51C73936529C5AE1
SHA-256:	A3F253E2EABD7D50B4076BF515A830C19B9521039C10E5BF2D0AB380BCA5D483
SHA-512:	56DF445258E01AB20B97DCE7F111D60D3033C05F2AE8A2CBEC6C0DEB240063919E6C56BBCB2B3D18F190E203E15CBB53E3A5BD47DD3446282FCEB523FF35E6FD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............R...R...R2.OR...R..LR...R..ZR'..R..]R...R..]R..R.\.R...R.\.R...R...Rn..R..SR...R..KR...R..MR...R..HR...RRich...R................PE..L.....F`...........!................................................................/*....@.................................\........P...................8...`..pi...................................-..@............................................text............................... ..`.rdata... ......."..................@..@.data....U.......(..................@....rsrc........P......................@..@.reloc.."....`......................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\TroPox-B_Plus

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	710888
Entropy (8bit):	6.630506217753264
Encrypted:	false
SSDEEP:	12288:5n9CCUQ0bGwLt1n/iswKJLUY2XOrEO/6awL7wU0s6OzeoXHhS6ckqIbpieFGrh1l:7+tLt1aNYrfBB6BAqZkyQgJ0VL
MD5:	C4A08B391245561157AEFD0FE7C40A11
SHA1:	28D15D43A1BDEBC83701AFD89E6EA9C24F90DB33
SHA-256:	53D7C8F2FD109E85FC9302B7424875BAD22A148D6EDC6C7FD8E4589E97259BFA
SHA-512:	24C7608346B76694BF9D8227FF6A794B26D73C0DA93FD231A2331CD371ACC86F293FB9093850F5513DFBE1D269114A56F47DCADBA11BD98C691AB38472A6CCC6
Malicious:	false
Preview:	Ta+....................[...............................................W.osp.....r.xt.~xuu...y\|...u.pu._jn.t..\|............*3}...........l......l..Y...l..... 8..... 8..... 8..............&..........~;.....~;.....~;.....~;.....~;.....ip~s...........................k\..W.....d..................u...C.......Y............[......................................[..........................................+..?...........#7..k....;..+r...W..o............................W..[.............................................\|.....Sw.......u.....................{...x.x..?0.......1..................[..[..x.x...Oi...K......................[......~...?....+.......A..............[..[..\|w.~..+r...;...s...Y..............[..Y........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\TroPox-E_Plus

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	54272
Entropy (8bit):	5.93759856622623
Encrypted:	false
SSDEEP:	768:84ZiY/4bFznHIFrduXNWvbJa38eZ7DAks8EA885ee0ZjjDCL5Ab:1ZizjohdudWvbY7DiJA885eeEuL5Ab
MD5:	1999663102E57D49FACEAB3360CEFE8A
SHA1:	32F38D84ED4B762213B0BEABED0F22E727988A20
SHA-256:	4DACA1889E9CA478550D22DCA129E68F4D808C5F91CD1A069C9E0015B2D611F7
SHA-512:	EDED16F83960F9EC438EF08BE7092CC07418BD98A6400F9212BE2A92C04399B347BA0EDFB5F0CAFB1BBB23B2A7B4ECDD425A695C70851ABA42BB1031E91A061A
Malicious:	false
Preview:	Ta+....................[...............................................W.osp.....r.xt.~xuu...y\|...u.pu._jn.t..\|............9.........................@.......C...............).......G.....................ip~s............k\..W...U.r....................................+............................................[............................n............................................................................[............+..k.............................\|.....S..............................{...x.x...J...+...K..................[..[..x.x.............................[....\|w.~.............................[..Y................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\TroPox-Z_Plus

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1390312
Entropy (8bit):	6.599443687044707
Encrypted:	false
SSDEEP:	24576:znhMjKSFXpFEzq7zZvjyswjzYnOAjPSy36c9RCvirRMNJbd3g:jhMt/nVo2O56tibxg
MD5:	C77EE913C46510A705A9DDDD91DE8302
SHA1:	CB5E045FA27186B9F23E4919590387478B9343D5
SHA-256:	092689651DB7B81A6816B1F78F8CF81476945D493E9566762F5791ADFC5BDA31
SHA-512:	A6C080D04C92EFBF8A1A4A1D1423837B1282E4CFC0E77D9DA4BC9F78E235AA6CD8AE3468B588FD9D35BA656A7A1B27AAE805662EB6C84B053D0149855F4A6514
Malicious:	false
Preview:	Ta+....................[...............................................W.osp.....r.xt.~xuu...y\|...u.pu._jn.t..\|...............K<+.K<+.K<+..@x.D<+..@~.P<+..@y.<+.y.,.<+.y./.<+.y...<+.@..H<+.@..B<+.K<(..<+.#...O<+.#./.<+.#.,..<+.#.+.H<+.#...H<+.#.).H<+.ip~sK<+.......k\..W......~.............................B.......;..........................................[.........................k...........k...................#...k..........K..............................k..[............;..7.............................\|.....<..............................{...x.x.......;......................[..[..x.x...K...;...O..................[......~..............................[..[..\|w.~.............Y..............[..Y................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\UDiskScanuser.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	332544
Entropy (8bit):	6.635882811141054
Encrypted:	false
SSDEEP:	6144:nrANFkfATA5+uIC955uwY5QZTJnTd4KiDeo9TBkzZaeeY9d:nrANFdSNIC954qrnT66o9TGzZL9d
MD5:	C4E503A0CD52EFCC173060CB2A210B82
SHA1:	AEF209CF2D973DECE2EAB847AC86273372BC3DC0
SHA-256:	538D54B99A4F6A658E4755F52237A42F2F840326AFCBA33ABEB4C905356FA87B
SHA-512:	BB897B5482AC98B2A6352BD74F3B62EF7C34C72CEA3D18FF1E7A3C205A7C449FA38188A7D7DB7C2AF7DED68770C81E4E889C06BBFF42D33FF7C0E6F56553B9EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;Xg.hXg.hXg.hQ..hLg.hQ..h.g.hQ..hgg.h...hZg.h...hMg.hXg.h.g.hQ..h}g.hQ..hYg.hF5.hYg.hQ..hYg.hRichXg.h................PE..L....E~`...........!.....n...\.......!....................................... ......."....@..........................p..}....`..........p...............hB.......&..`...................................@............................................text....l.......n.................. ..`.rdata..}............r..............@..@.data....N.......(...d..............@....rsrc...p...........................@..@.reloc...9.......:..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\UnifyCommon.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3427560
Entropy (8bit):	6.80730841012121
Encrypted:	false
SSDEEP:	98304:0RFEPq7kqY6ramU+knz/+5ZZ5sX+r2h7bwtwt67PvOzIkC:04q7C6OgkzW5ZZ5sX+r2h7bwtwt67Pvz
MD5:	5ABDEFBD44AC15D0857EEE79958D1F11
SHA1:	0A2C26843F4057ED3A598AC6A2C72831E2AB0BEE
SHA-256:	3FC9DCD1F26A08DE2ADF9D1603BC1AD53582F50C934DD5A9DF4AFE925FB39E05
SHA-512:	338AA807EDC5F706AE2067265574EB4EE907124E416B4F320A1138ADC5C84B0159999BCEC051A04B77C9477151912E572F025BB63231E74C4308F4D800E3B702
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......u;.1Z..1Z..1Z....[.'Z....Y..Z....X..Z..8").3Z.../..;Z..c2..+Z..c2..OZ..c2...Z..8"9.*Z..1Z...[..1Z..'Z.../...X..P ..9Z...3..,Z...3..0Z...3U.0Z..1Z=.0Z...3..0Z..Rich1Z..........................PE..L...\|..d...........!......&..V.......e#.......'...............................4......S4...@...........................1.(.....1.......2.............. 4.P,....2.D...P.0.T...................P.0.......0.@.............'..............................text.....&.......&................. ..`.rdata..H.....'.......'.............@..@.data.........1..z....1.............@....rsrc.........2......J2.............@..@.reloc..D.....2......P2.............@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\UninstAgent.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	584304
Entropy (8bit):	6.4349103160648315
Encrypted:	false
SSDEEP:	12288:P6TyUZvFWlsxw1uj+3vIqzrQCM6iXIAc3eIZvP/RSa41b01:0zUsxPdarQT6iMe2vPAa4i1
MD5:	62DE8832F54584985FE7290C126BE2AA
SHA1:	543E609E0E3DD9CE3C3A42709959BEB851CFC7AF
SHA-256:	2A8D4F7EB4E7D8E9F487DDD19F2FEA8EA640DF597C57C85A7AA595FA80DCAC8A
SHA-512:	33F61DA1A9FE30BBD43E1854811DEF61186B735218FE1FAC8EE859255717A2AE4365DDC946908F02426F1D2BC84B2834B3DC234B8349849430D69A2EF8290940
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)V..m7i.m7i.m7i.dO..p7i.dO...7i.dO..57i.J...j7i.J...r7i.m7h..6i.dO..V7i.dO..l7i.se..l7i.dO..l7i.Richm7i.................PE..L.....5U...........!.....v...X......zc.......................................@......K.....@.........................`...h...............l.......................`i......................................@............................................text...9t.......v.................. ..`.rdata...g.......h...z..............@..@.data............J..................@....rsrc...l............,..............@..@.reloc...............4..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\UninstDisplay.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	313400
Entropy (8bit):	6.739961523183869
Encrypted:	false
SSDEEP:	6144:zhtWE/fEYO17Bu/2DKeqKPiR0M+mx6jgi9:zuEnfOdBu/ZeHPiKNjN9
MD5:	428746F79CC15E57B40C5F726A8B0EF9
SHA1:	60EDFD4B405375CC3CE7166873DF9465B408DFCC
SHA-256:	0223659CD051395E82AD5F782A52B3D3AF014CD922BF24CAC1D78AC0220BC207
SHA-512:	6403EC0128E5CA0B4ADE7AE7007029EFC950D6AD7FDD63B855382AF66579A945B32F5C37E2B0248014D041C70C3A5F5F1C627E8FD77F49B821040F88C7326FF3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3.].3.].3.].KO].3.].KY].3.]...].3.].3.].3.]...].3.].K^].3.].KH].3.].aN].3.].KK].3.]Rich.3.]........................PE..L...F..^...........!.................>..............................................M.....@..........................[..R...\M.......... ................;......d%...................................,..@............................................text...7........................... ..`.rdata...{.......\|..................@..@.data....5...`.......D..............@....rsrc... ............\..............@..@.reloc...%.......&...d..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\WDRecord.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	191816
Entropy (8bit):	6.578995841750193
Encrypted:	false
SSDEEP:	3072:X7Gibv6e0mL7N3WSLS8nCgY3EMbNVxV+Kw3ETPg6moQA5bGkdK3Fz:X7Gi7AOBK8Cg6PxV+Kw3ETPDvE
MD5:	2307166A21A812C0B7846C192E60836C
SHA1:	333F0E0F93DF5B9EB728DFA372027C793B6961CF
SHA-256:	50B92016D6C3D1896967AA781D9F39D2E02217C72D03AFD052B55F020563E8C1
SHA-512:	A7000289F1DC1BCFBF006E61DFFE2041434EB898AC487B59C7531F225282551B8592FD35A882402E873D1DBDE104DFEE8B72A51FE8DF257F57405D1655A54549
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&B.b#..b#..b#...l0.`#..k[3.p#..k[%..#..k[".X#..E...s#..b#...#..k[,.~#..k[4.c#..\|q2.c#..k[7.c#..Richb#..................PE..L......]...........!................X...............................................#v....@.........................@v..c....k..d........................6......4...@...............................@P..@............................................text...2........................... ..`.rdata...f.......h..................@..@.data....G...........`..............@....rsrc................~..............@..@.reloc...*.......,..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	516448
Entropy (8bit):	6.795771007069589
Encrypted:	false
SSDEEP:	6144:chM31nI5wT3LBHTNTHW3GlvM7lEWTvh365TnypuvUNaJicopnish+e1Xz1XvZ:4M31nIK3BRiAM7phqxny8vW9pi6RR
MD5:	74AE70EDD4674372D007CC67BD5008E2
SHA1:	721FCCE70AB1085FB553564103BA0842F2A3704C
SHA-256:	B3A888A145AA0B3146D661EEF292AABB6CA28279B16CB6B963BB8BF888707737
SHA-512:	3FCAFA83BBF2CCB65CEF0B24A1E5B52E1981F7EDDD1E58D50A837514DD6BAE12872D2FED76FAB0C6BABE97B265D171799FFD07C10BFCF203DA105A69B4372595
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........rM.s!M.s!M.s!D..!W.s!D..!..s!D..!..s!j'.!L.s!j'.!^.s!M.r!..s!D..!..s!D..!L.s!S..!L.s!D..!L.s!RichM.s!................PE..L......]...........!........................@.......................................V....@.............................g....v...........................4..~A..X>...................................................................................text....)......................... ..`.rdata...F...@...H..................@..@.data............J...v..............@....MAGIC..............................@....rsrc...............................@..@.reloc...P.......R..................@..BQProtect............................ ..`................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3557784
Entropy (8bit):	7.784085056422432
Encrypted:	false
SSDEEP:	98304:DSPdIaedyBu6/1xQjlJRQQ34T977E5Gf2:DZdGVxERLaRV2
MD5:	36A0DFF437629FC21D98C998C4B597C9
SHA1:	A865CEF3784C0B8BD5CD76AC76F8252AD8058F0E
SHA-256:	C7D713DF5E24AC7726CBD2D327AB8BEAD32881F05AA17CCF28A86692F23ACCEE
SHA-512:	5002A5F06925F15EAE54302B23D822A69E7B76ED25889C631D7EC800A8129F70FE207000A7E56758C237A9F1398046637362780E97ADE3B9C4432CEE343AC6AE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....k.c.........." .................zC......................................PY.......6...@......................................... .A.g....=......@Y.......X..T....6..I...0Y.......................................................=..............................text............................... ..`.rdata..g....0......................@..@.data........ ......................@....pdata..XP...0......................@..@.MAGIC..............................@....code0..............................`..`.code1..,.5..0#...5.................`..h.reloc.......0Y.......5.............@..@.rsrc........@Y.......5.............@..@........................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\WiFiSafe.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1071120
Entropy (8bit):	6.488214903743234
Encrypted:	false
SSDEEP:	24576:IPHR62s8fQvd3rwOvPKEV0+DfMJHqsPQkyDO1P9O:HZ8c3rttVVkHqsPQkya1E
MD5:	677D39F6AACB13F92722D78AE7F11DB6
SHA1:	F40643E19D2F762CB77F0023517B478893401DD0
SHA-256:	077734051997415A15D0F1F2CAC30C85308F5EA5E98245A545FFC3EDD1122C18
SHA-512:	A516ADAD8AE726EF6A4588DF0A8190481FC088651C6B19AE679FA3793DD94261046C48A9D451595E36E2E2E601E4B3BC2FA755E02DF7FBCDE5C881187EB1D1A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........4u..U...U...U..F....U..Q$...U..y....U..=...U..=...U..S....U...<...U..Q$...U..P$...U...-...U..B<...U..}<...U..G<...U..G<...U..}<...U..=...U..4'...U..4'...U...U..T..B<...U..B<...U..B<...U...U...U..B<...U..Rich.U..................PE..L.....sb...........!.................t.......................................P.......i....@..........................;..h...x;..........X...............xC.........p...T...................h...........@...............\|............................text.............................. ..`.rdata..<...........................@..@.data....@...P...2...@..............@....rsrc...X............r..............@..@.reloc.............................@..B................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\WindowInjection.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	60592
Entropy (8bit):	6.645723421805483
Encrypted:	false
SSDEEP:	1536:1TI67ShpHfUIA1WWoYgihd83KskSl7jDxa:m67S30foYg8C6skSJ4
MD5:	9BE546331E54BC130D014C3097838F98
SHA1:	1E11D2C1620E58EAD05D9D64A73F2BCB845F8CAF
SHA-256:	2D056101AD9E8A02D2F1C503BA559D59EB3741F0C6F2F1874218E8BC6A59AE67
SHA-512:	27AB898FF68417518B3637337EEBF906E638211AC5ABABA9AD40807A52DAC73E05AEA27A9A0AB16015BDA4C47409FEB8A3419F6FD6BA5DB23083609EDA9700AA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Yn..............w$.....Oz......Oz......Oz.......d......Oz.......d.......d...............z.......zH......z......Rich....................PE..d.....Rc.........." ................/....................................... ...........`.................................................d...................x........,..............p...............................8............@...............................text....)......................... ..`.rdata..0....@......................@..@.data...............................@....pdata..x...........................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\X64For32Lib.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64992
Entropy (8bit):	6.7012831663710655
Encrypted:	false
SSDEEP:	768:eSJSPDihy5w2MW/he0Z0kl9O2luUARPZVvHC01yRoMRWDDu9KyhaM7DGCiKjKj9c:9JSbt9hjZT9OuARPf8RkDu9lOeMa
MD5:	8239EFED88D656D30E32F4F1A8638638
SHA1:	4DFF685282667C9933205855E6AFE5C0FD6719A7
SHA-256:	70D6AF6748A59613A799E4880EFFF041523F497150C4CD60CACFD8E4FE185380
SHA-512:	2FDB30DD2AEBBD8D94E09FA773F07241F335EF2BE35B5A85BE623EE41102B19F384311AD1DDC4A18648A231719BFA92A04FABCF936D51BD4FA3D82704759C855
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........s...s...s.......s.....s.....s..z....s...r..s.......s.....s.....s.....s.Rich..s.................PE..L......a...........!.....v...B......u#....................................................@.........................p..........(.......................H?..........0...............................P...@............................................text....t.......v.................. ..`.rdata........... ...z..............@..@.data...<...........................@....rsrc...............................@..@.reloc..N...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	710888
Entropy (8bit):	6.630506217753263
Encrypted:	false
SSDEEP:	12288:6BMGnPEAEuRNz2HuiEJe0z6h5KEuEVv4D1wEM50+OD2evinKqcQUuWnI8:6BMGnPEAEyXiEw0xXD2evincvFnn
MD5:	FAE7D0A530279838C8A5731B086A081B
SHA1:	6EE61EA6E44BC43A9ED78B0D92F0DBE2C91FC48B
SHA-256:	EEA393BC31AE7A7DA3DBA99A60D8C3FFCCBC5B9063CC2A70111DE5A6C7113439
SHA-512:	E75C8592137EDD3B74B6D8388A446D5D2739559B707C9F3DB0C78E5C30312F9FCCD9BBB727B7334114E8EDCBB2418BDC3B4C00A3A634AF339C9D4156C47314B4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........f..............U.......U..B....U....................................................c.......c.......c.......c.......c.......Rich............................PE..L.....]d.................n...8......dB............@.......................................@.....................................d.......................P,.......g..pL..T............................L..@...............(............................text...Hl.......n.................. ..`.rdata...............r..............@..@.data...4R...0......................@....rsrc................:..............@..@.reloc...g.......h...B..............@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\lockkrnl.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	628184
Entropy (8bit):	6.631864802737484
Encrypted:	false
SSDEEP:	12288:Q9tUcJqS8DI9baOCmIJkPI9VYxPmb3pJ3xW2orMvM79G:GWKqS4OjlPUkmrpzWdSM79G
MD5:	BFF0CE8D5C44994EF19F63D63CC29EEB
SHA1:	B2837190927EE952721DBD5127C426D28FED9230
SHA-256:	08C6DDD72CD481672476625BAB435993F2F0C85F835B0313C593F46C49DE6781
SHA-512:	F527BB56DA57CA6BACDBA7871D65E48CA6ADEFE7F61240D766A6881C301B63C60063A09FA73E8BC64F40A01AD038B446B660A8ABC7719B84F1C6FE3654551420
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........<W..]9X.]9X.]9Xh-:Y.]9Xh-<Y=]9X.5<Y.]9X.5=Y.]9X...X.]9X.5:Y.]9X.5=Y.]9X.5<Y.]9Xh-=Y.]9Xh-8Y.]9X.]8X9]9X)40Y.]9X)49Y.]9X)4.X.]9X.].X.]9X)4;Y.]9XRich.]9X........PE..L....k%b...........!.....^..........=X.......p......................................c.....@.........................`................0...............V..@?...@..8F..pp..p............................p..@............p...............................text....].......^.................. ..`.rdata..jy...p...z...b..............@..@.data....8.......(..................@....rsrc........0......................@..@.reloc..8F...@...H..................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\mcommu.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3064552
Entropy (8bit):	6.880024408897335
Encrypted:	false
SSDEEP:	49152:KG3Vu1NMfK79ujn0y7IXf9NVOGHL6Joq8tOWJjkIST8TGGnW5RUwOGX6ZX:l3Vu1NMO94af9qGHuJoq80W85RKp
MD5:	9AC7B239AFACD78B78CCD853D1E2C8CC
SHA1:	39F12AEB844E7E0FC3830720F66F528E492CC724
SHA-256:	C96836CA5B833F16C97FC5A9BB7B99ABE7AC3B72E2DC9B9A3831ED3044645762
SHA-512:	97177E1B42EA1C42C7A4886811C38DAD0142D6157EEE58AFBD8AFBB34025904ED186BDF46DF92A6C81789607EAB4C3B81AC6DB3ACA7F53F190353A77A3BDD77C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w.=D..nD..nD..n+`RnI..n+`fn...n.YZnK..nMnYn`..nMnHn3..nMnOn...nc.n@..nc.no..nD..n...nMnFn...nMn^nE..nZDXnE..nMn]nE..nRichD..n........................PE..L......d...........!.....T!..<......\........p!...............................2.....{2/...@.........................@.(.......(......`-.................P,... 1.d....x!..............................................p!.d............................text....S!......T!................. ..`.rdata..Y....p!......X!.............@..@.data... .....)..`....(.............@...DLLShare..... -......<).............@...DLLShare.....0-......>).............@...DLLShare.....@-......@).............@...DLLShare.....P-......B).............@....rsrc........`-......D).............@..@.reloc..T.... 1.......,.............@..B................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\mobileflux.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	117064
Entropy (8bit):	6.436398487030181
Encrypted:	false
SSDEEP:	1536:pxNcrXn306zvccqtaGYvPCa/I7206aawWKxocUoiZw+BpQR9oLMm:pXcD30gccqtanCM0Wwiw+BpQR9oL
MD5:	80907BE35290D47A8C6DF50A0B44DECF
SHA1:	DBDDA59DD78716AD28FD37BF2619FC183D27CAE0
SHA-256:	4C4853E4F3990FFD0B3D6EB1436A885559564C1065C26490B777EC9D3586A5C4
SHA-512:	09D05C3133569548F4F231F0E06F6F29D57195C927B908F973CB05ABDE6214CA1E07399CB32EA5EC02635D81409B2A8F8F6BDA21F6B51B2A02115C2DF95B3B88
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)g..)g..)g.. ./.8g.. .9.Mg.. .>..g......:g..)g..g.. .0.!g.. .(.(g..75..(g.. .+.(g..Rich)g..........PE..L...%..S...........!.....,...\|......H........@.......................................O..............................P.......4u......................................0B..............................._..@............@...............................text....*.......,.................. ..`.rdata...A...@...B...0..............@..@.data..../...........r..............@....rsrc...............................@..@.reloc..~...........................@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\netmstart.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	171592
Entropy (8bit):	6.633100643329799
Encrypted:	false
SSDEEP:	3072:2g5d8g4gNv+wAGzpjdNwCR5t9Owr5HQ6UnsaP5YCnF+wFxDA:xDRpSs5t0u5wbfQ6E
MD5:	FF07224F63F62ECC5C6F2DED09DEB0AF
SHA1:	D3ADF969B20A3E42032E60A87DBD69834A748C1A
SHA-256:	A9F37F82413889A66F7063991F5C2E6DBA05A35A245891039204A478DE318357
SHA-512:	92B763A682C9F479F539AA945F245940351983EC04829FB6D614BB7ABCADE60E2205244C583F63547CF83F4819503529FF01411E08C9CBA26972222D2520AA4D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..X.y...y...y...+-..y....<..y......y....-.y..5....y...y...y....#..y....;..y...+=..y....8..y..Rich.y..........................PE..L....].[...........!................F.....................................................@.........................`...........x....p...............f...7..............................................@...............4............................text............................... ..`.rdata...N.......P..................@..@.data....L... ...(..................@....rsrc........p.......8..............@..@.reloc...".......$...@..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\np360SoftMgr.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	243944
Entropy (8bit):	6.56760832272308
Encrypted:	false
SSDEEP:	3072:YdtvVq01U5wXzfoUEwDTw3lCovmHDBYOfdv2xJ82wEdl/NPgqddBumr5365mwkq/:yNI0O4awI3AYqYEv2QIdZTJJYD1Y1a
MD5:	FA85435627D31663BECB82EFFDFBE2BB
SHA1:	C3D9EEA92EF90E652F500A1F900DA4E20A010C2A
SHA-256:	7E0343BC0108526442E8B3FE7E538272FA6240E425BD8F318924573B59BD9DFB
SHA-512:	7DA0E76E88D8E78D23E7E6BE0A184BF52DF5032113DFEBE087C3463AD990BE38CD4FD34586CCD367B381AE749F16E04573CF91E4B3D7A235A865D175FAACBDA8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................f.*......)......?.......8......}........z.....6.............(......-....Rich...........................PE..L....6.e...........!................3.....................................................@......................... G......\:..........h...............P,..........................................@...@...............<............................text...x........................... ..`.rdata...x.......z..................@..@.data....D...P.......<..............@....rsrc...h............T..............@..@.reloc...-...........\..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\npaxlogin.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	404296
Entropy (8bit):	6.509440609680588
Encrypted:	false
SSDEEP:	6144:iwa9e5G4aES0Qux3nNj43ziT7U2mSBzRD44shPBTLaqqDL6UbwHUu:Y9exL3u0U2pBzm4sxBTrqn6Unu
MD5:	630AE5740C702AF919BAED414DE8CFE3
SHA1:	26A50EFF049B2DBC24BE11411032172E82B37B04
SHA-256:	C3F08B4843DAF466148EE99DBD0D300B2A92BB695FCDE001E288189A3582300E
SHA-512:	A714A6F13CE33D8EC31772F180F611C491110D438019D4FCD88F2EB114B41FBD28878B8B9C6BA723D892405DC825917EF1D4868FFB66069ABE49E5AF286F491F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t..,t..,t..,}.\|,y..,}.`,n..,}.f,o..,t..,h..,}.v,...,}.q,...,}.g,u..,}.a,u..,}.d,u..,Richt..,........................PE..L...[AVS...........!.....N...................p...............................p............@..........................x...... f.................................. 5...s..............................8...@............p..d............................text....K.......L.................. ..`.orpc...3....`.......P.............. ..`.rdata.......p.......R..............@..@.data....Y.......:...\..............@....rsrc...............................@..@.reloc..hc.......d..................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\ntvbld.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS-DOS executable PE32 executable (DLL) (native) Intel 80386, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	60896
Entropy (8bit):	6.847633229504993
Encrypted:	false
SSDEEP:	768:NnCuEmXB5UMI3nhKrbZCWg/0/NC8hUDVsa0T1zj9KyhaMQNDG0uKjKj9MPgkz:N7Rx5Ulll8/H+x0T1zj9lHeMy
MD5:	690612154E7E5233AA980016CEAEDEDD
SHA1:	9B16E2F3D799EA506AA6A8F53FA4DEB36D73F5D4
SHA-256:	FFB81D34A14B5837AC713657F7892E790F85564BC2BA792025B0F9E9E0959AD7
SHA-512:	1F93AF0CA40DB562F7ECDBF19A0D899044BCF1F181B03E57E6B6F2C72F532652798023612BE9DEFE6261D631D10898D30ADB28EEFF922B72734B4DB27189C210
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ!..... ..........e..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ntvbldDXML..$............!.L.!........h.T.....................q.......q.......q.......q.......q.......q.......q......Rich............PE..L......a...........!.........\......2=.............p................................s`....@.........................p...........(.......h...............H?..........................................0+..@............................................text...v........................... ..`.data....F..........................@....rsrc...h...............

C:\Program Files (x86)\DnLIMGKCARTO\ovftool_open_source_licenses.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	28
Entropy (8bit):	3.553090083530327
Encrypted:	false
SSDEEP:	3:rKq5Ly:eqo
MD5:	E9C011751E3F6B87D9FBE3DA3DBC6BE3
SHA1:	5C45FBBA98E0FB43B608AB3B0977A1DBC400191A
SHA-256:	56DD16BDF345B47FE15FC1B3FAB509C78085280733C588C1C02804292C770B5C
SHA-512:	0E815B1DFA539E578B0B9B3893B6659D206BB5259AA62A4680AC7A76B1B50C82F45D9A5729F808F677B10DAADD430BDCFBB3F62C41EBB8692654E4D75B0FB361
Malicious:	false
Preview:	ovftool_open_source_licenses

C:\Program Files (x86)\DnLIMGKCARTO\pluginmgr.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	171848
Entropy (8bit):	6.451554967739461
Encrypted:	false
SSDEEP:	3072:NQbFXbsJHCPNUzpNd0hq6pPyNVD/fAudYMi429OYHUMu73zE55C8f:atWpnztVLffdYLN8YHa7w
MD5:	9828C8A355EA0F393260D6E3F7D511E5
SHA1:	DC587D4215DC083A35E4BBEE095FB3FB07A73C33
SHA-256:	B0D6D85D02E7650E03AB9AD04E90341EF6F5421DDC2AAA7AE65692944C298671
SHA-512:	178D1AF5ABB116762C37714F2C142DB02BE9AF8B0C9BCD4948DE122583A9C815E1AB1F709E3167A096947CCCCD6ABEDC4BAB7ED405D207F097BD35640926205A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........xL.+L.+L.+..+M.+E..+^.+E..+1.+E..+u.+k..+].+L.+..+E..+].+E..+M.+R..+M.+E..+M.+RichL.+........................PE..L...P.LS...........!................D.....................................................@..........................2..M....'..x...................................P............................... ...@............................................text...'........................... ..`.rdata...S.......T..................@..@.data...HU...@...,...(..............@....rsrc................T..............@..@.reloc...#.......$...^..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\probe.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	304640
Entropy (8bit):	6.443933218835315
Encrypted:	false
SSDEEP:	6144:1AXDdMpEeHyH/D1kApvwp+ZniFARcRdhAGXPR:1Az6WeHyfDOAdwp+doARcRdh5Z
MD5:	BB752561CE0859324FF01369BA8D25CC
SHA1:	8C42AA1FF9060E58CFFD0EE9997DF134FB3E8739
SHA-256:	A243D55655789EF26972546B7DC9723953564F52AE1C46087CCC2DB96F5B8D83
SHA-512:	0C493C6868F4E2D90E3FCD6B71116769F2FA2F61740BCB9671B1DEEFC4628BE05E4441CA2008F6AD3F72BAE7C14028A7565CC2FBE68478E620F3CF9418357182
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&PLYb1".b1".b1".kI..s1".kI..^1".kI...1".E.Y.o1".b1#..1".kI..n1".kI..c1".\|c..c1".kI..c1".Richb1".........PE..L....r.\...........!.....`...........?.......p......................................Cd....@.........................@%..B...X........p...............n..h7......@#...r..............................(...@............p..d............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data....6...0......................@....rsrc........p.......2..............@..@.reloc...0.......2...:..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\qex.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2322152
Entropy (8bit):	6.743036380076271
Encrypted:	false
SSDEEP:	49152:zGpgL5KH4fC/9OdL9Fyi9I4YToBT/zP2BDjWWC:zGiLY46/9gLbyi9Pf/zQq
MD5:	1A3FF3A13D0D1A1833CD0B06874E9019
SHA1:	30E5B3AC5DC440342FD22E226B50246167F4AFB5
SHA-256:	F13623397C7FFF988F7DBE606D51DAC45D6C3C953E0BEBC308A29C7C4AFF6147
SHA-512:	340C04022A94819AA84F0A18D55FC7C3A7432BCD0A59CE5DD97AA0B47E6C688D2AA2588D3289A83400F8B9878524B57918EAAF90304D85ACEE57CD566E5F9817
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: C:\Program Files (x86)\DnLIMGKCARTO\qex.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........4..EU..EU..EU......WU......U.....dU.....GU..~...^U......FU......LU..~...{U..~...aU..L-..GU..L-..RU..EU...U..#..DU..f..DU......BW......DU.....DU..EU..DU......DU..RichEU..........PE..L......d...........!........................ ................................#.....K.#...@A......................... .P...." ...... "..............B#.P,...0".....0...8...........................h...@............ ...............................text............................... ..`.rdata....... ......................@..@.data...@....0 ..l..." .............@....rsrc........ ".......!.............@..@.reloc.......0".......!.............@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\qroscfg.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	138056
Entropy (8bit):	6.637936005523512
Encrypted:	false
SSDEEP:	3072:LKDfRbUTKLoDy1wSSH/2Lq62enAhXx2+EKI:KJITHu1wZf2Lq62UAh6
MD5:	F62317FC61CA698D45A54C0F7A8A78B8
SHA1:	F61D256EA3E3DD85CE7C44DC61AACC93E720F692
SHA-256:	59DC54DD624E26D07EE8A908476EE67DCC3B6BA690F566C30B5522B6DCB8EE85
SHA-512:	C06E046EDB18EE40D63411AA689280A73EBBEF3CE6977C51F629C43E6A6314895BCF2270E43CB1D9DD847B33874BC812778ACCEC07ED0FBFB9791556027FFCAD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./.j&k..uk..uk..u...ui..ub.uz..ub.uR..ub.u...ub.ux..uk..u...ub.u\|..ub.uj..uu.uj..ub.uj..uRichk..u........................PE..L.....,S...........!.....N...................`...............................P.......T....@.............................L...\........ .......................0..T...0b..............................8...@............`...............................text....L.......N.................. ..`.rdata...k...`...l...R..............@..@.data....A..........................@....rsrc........ ......................@..@.reloc.......0... ..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\qutmipc.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	170856
Entropy (8bit):	6.55483314591404
Encrypted:	false
SSDEEP:	3072:4JJiNkByXIzFu3wK672soO82qUyleRR2v6eY8lMnu+wqH6F3:477yIzFfKTsS2qUKeXC5lRR
MD5:	7EE49A57339ABCC35FCDE25D3F5EE8D9
SHA1:	7A7F471DADD973CA57C79C43D93828B4496570E8
SHA-256:	DC477A4B41CA92D94CB7092B458F35DEF2EF6F9A0B23A237A363E341E22AEABB
SHA-512:	F978F6C882D80CFD87B2EF75EBB1C18C9BFB6759D28C0F503395217373AE241E5B08212D4D42373F6B94AFFBF775959E06BD1CAD5D09C488DC139906A0D4AB4B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$...`..R`..R`..Ri.]Rk..R.BRb..Ri.ARr..Ri.WR...RV..Rb..RV..Rc..Ri.GRq..R`..R...Ri.PRZ..Ri.FRa..R~.@Ra..Ri.ERa..RRich`..R........PE..L...f..]...........!................K.....................................................@.............................a............................f...4..............................................................d............................text............................... ..`.rdata...O.......P..................@..@.data....n... ...(..................@....rsrc................8..............@..@.reloc..<#.......$...@..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\qutmload.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	111336
Entropy (8bit):	6.7222941004358425
Encrypted:	false
SSDEEP:	3072:PTxwTSQCdxm/78XLv6JYZeD9GIn+uowP0T:PCzCeeeYAD9E5T
MD5:	8719E73BC84D506FE7F0D367AE46ED20
SHA1:	D60A1FF7B2478ACDA7C5C1730E0B963594311FB9
SHA-256:	C110E1FF4F233669F1E035129E137ACED1A3632D17A8302502D160DC16FA9AF0
SHA-512:	AE00044E9EE7B5AF66105067877AFD68D79ECEB6C945CC07F390D15A2E1C0832C578146E6B0657FD8A29F865EC6DB78DEFEB7C1BA7E3AF0D1427EFD22A67F8B8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........z...z...z.f.'...z.....z.......z...{...z.....z.....z.......z.......z.....z.....z.Rich..z.........................PE..L...Z.Xd...........!.....Z...........A.......p...............................`............@..........................X..[...TM.......0..................P,...@..t... ...............................8%..@............................................text....Y.......Z.................. ..`.data........p.......^..............@....rsrc........0.......d..............@..@.reloc..f....@.......j..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\qutmvd.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	102496
Entropy (8bit):	6.557778827364857
Encrypted:	false
SSDEEP:	1536:LvHAH74ugMR7NrUCga4UkvmWKvOT2lXgODuqAo+rvnyfe0qmofvghl:LAbQkNUhajPXjDuq7+rvyfe0qVS
MD5:	2CEFF7B131BF05F6D98318C309F225B7
SHA1:	9A218DC20C839A7E64A82CC66ACE83AF210D4063
SHA-256:	70F19BE3113626A79783D68F5EEBC080D376F5DF6B647FB95FB9C5D7479C4FFC
SHA-512:	E285A1435D640A6CC457ACC32EEDA70C8E57C58E76D0A951800890D4FDDB25B32A46932A20432F536FD8C6A2AB1B9D271EBF80F2E5E424C7AB33BD7D4D6D55EB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w3\..]...]...]..n....]..n....]..n....]..n....]...\...]..n....]..n....]..D....]..n....].Rich..].........PE..L....Q.Z...........!.........p......l ..............................................p.....@..........................6...... /..(....................Z...5...........................................%..@...............X............................text............................... ..`.rdata..V7.......8..................@..@.data....K...@....... ..............@....rsrc................8..............@..@.reloc..T............>..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\ramuser.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1153496
Entropy (8bit):	6.942405258763643
Encrypted:	false
SSDEEP:	12288:Y7q8Cmtvv8T/2xkz88j8F7mA2CgVuHjnbbpyqTsziz824xzoxzD9+zNzXXVoyf92:wKEMqxkzvIdTjbbwqT5z8YuXVRf92
MD5:	2172263E6F1E7EEFB2C54517B1215243
SHA1:	0EF23327AA2F0EA7F2C74BA7A90C3FCD03A37238
SHA-256:	30423D3CA90C921D2A727B0A5F8C4CEC1A63823283B84BB6135C866CE33FA23D
SHA-512:	CCAA6CAD97380B4B70CA80B119B04D2D50BB4F1C018C168F185EBF7CAAED00F7E8679F2BC898B86A99F9B6EC15D6A4337EAAD2A2A03DE3E6D71A11D57762DD14
Malicious:	false
Yara Hits:	Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Program Files (x86)\DnLIMGKCARTO\ramuser.dll, Author: kevoreilly
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h.rE,}..,}..,}..2/..(}....q.-}...2..-}..%...1}..%...`}....g.9}..,}...}..%...&...%...k}..%...-}..2/..-}..%...-}..Rich,}..........PE..L.../.=b...........!.........................................................0......`.....@..........................I.......8.......`...............Z..@?...p......................................H...@............................................text...`........................... ..`.rdata..dz.......\|..................@..@.data........P...j...4..............@....rsrc........`......................@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\safe505.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	369760
Entropy (8bit):	6.607770750782929
Encrypted:	false
SSDEEP:	6144:473BJ75gdTR5O998Zo1H9T+h78cjiLxfV0jg36+YC:47NgdTR5OP8Z6k7djidf6j+CC
MD5:	A768269EE00AB4638DCC5A460926B253
SHA1:	19103167045C7412AA541340CE0346E3A806034B
SHA-256:	53D419051D9B93E142D592DCADEDBA4C419C31180CA76258ED80694FE7DC96EF
SHA-512:	1E2CFA00743D5BC73F59F90D3CFED8FF9315FB17F6F3D48997692CA109F36D5108D15604B5B1147FDFEE11305AE2666ABC78E52B80A1DD9C77B31F194C5F6D72
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V.............9......(....../.]....?..............&......>......8......=.....Rich............PE..L...:.$Z...........!.....:..........T!.......P...........................................@.............................................0v...........n...5...........S..................................@............P...............................text...'9.......:.................. ..`.rdata...i...P...j...>..............@..@.data....G....... ..................@....rsrc...0v.......x..................@..@.reloc...+.......,...@..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\safehmpg.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	703720
Entropy (8bit):	6.771739665522189
Encrypted:	false
SSDEEP:	12288:qHYltqwFRk6aev4ys/F3RZ6kjn+Kh0ayTJBJqrdvSdK2vV+N:qHEtqwF+oqr94vV+N
MD5:	2AF326EE56FFA7E49BA762C5D10F4AA7
SHA1:	00254A380996435EB22E101E3FF8B49CD3F3F226
SHA-256:	C454AA353AA32E66BBC9248901D82B8C1390A84965A2D2672FC763E5CCC84ADE
SHA-512:	BA6BE274609AEAE8C216FFB3AAC5561742861A8597B1940FB1B371658781740494EE00FEC1BCF1BC433A6DE3DED56429BCC51A7EBEA0C3812DCD50D3172E5626
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@7r..V.F.V.F.V.F...F.V.F...F.V.F...F.V.F...FUV.F#.qF.V.F#.gF.V.F.V.F:W.F...F{V.F...F.V.F...F.V.F...F.V.FRich.V.F........................PE..L...B@.d...........!.................2....................................................@.................................<...........................P,.......h.. ...............................08..@...............x............................text...m........................... ..`.rdata..............................@..@.data...\|(.......b..................@....rsrc...............................@..@.reloc..*...........................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\safehmpg64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	652520
Entropy (8bit):	6.448272877372563
Encrypted:	false
SSDEEP:	12288:hfi1q0q2sAOWd1ws5Q3F2mOWLt+0fTN1hNbPr+0UABa:hfi80MAr1ws59mHU0fTNXV7UD
MD5:	720E64BF6B33ABBCC122B68C9D695A9F
SHA1:	DAE0ECB2377C8E2C6A5DCD36DD52049F12A51E54
SHA-256:	D8402FF2B310B297D27D58DC353B4044B8BB47D0B53075C629B69AAECB8EA33B
SHA-512:	1F32E2CD50F8BD7EE536C330190B9DB19D9826EEACC8DE55025AC910A41EF83CBFEEACC7BA22495C08C353D68F4CB18E71811473EB60A17DB0500E3A9DC9D533
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}...........)....................!~....!.....!h.........................................Rich............................PE..d....>.d.........." .................o...............................................%....@.........................................0........................0...a......P,......4............................8..(....................................................text............................... ..`.rdata...:.......<..................@..@.data... .... ...>..................@....pdata...a...0...b...J..............@..@.tls................................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\safemon64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1978600
Entropy (8bit):	6.120484699876494
Encrypted:	false
SSDEEP:	24576:oFh9A7slFrZupqSUrmpnf5+LMHYHTuzVqCIuUzwHVu4UzSego1fTX8tmApd9DzH+:oFVlZEpqApnh+Le8qEZXnvzDTX81C
MD5:	68BE66953DF2CE4063120FC9341DC8A0
SHA1:	7EA1B1BC531C5A1E82C59BFA4E549604BE378DF5
SHA-256:	7DB7FED955AFD3F809C9F05F37A082D755C218580524CF87CB6EFA9B8DADE84E
SHA-512:	80D2343BC12F1B1019534AACD31C86479654B74E6C4F7687BAC54884A3BE5E4037F0571F72184D3CAD05AEF59BF58806181E29DAD57CD36DF9BBB624CF76CA2A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........qr.M..AM..AM..A._.AH..ASB.AH..ADh.A...ADh.A...Aj.qAG..Aj.AL..Aj.gAh..AM..AJ..ADh.AY..ADh.A...ADh.AL..ASB.AL..ADh.AL..ARichM..A................PE..d....B.d.........." .........X......\.........4g.............................0......;.....@.........................................` ..........@.......hi..............P,......d.......................................................P............................text............................... ..`.rdata..}a.......b..................@..@.data....B...0...h..................@....pdata...............t..............@..@.share..@....p.......b..............@....rsrc...hi.......j...f..............@..@.reloc...1.......2..................@..B........................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\safemonhlp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	919784
Entropy (8bit):	6.137864164977724
Encrypted:	false
SSDEEP:	12288:mdMC/9/eMFo5CnfGquRbNQvNynGcgfHh6Q1FWdAcAyTreixh41Hh:mdMC/9/LfGquNFGcgfHh6dA7yTxxh4Nh
MD5:	01515E6DB9E455E81F550A8E10FD007C
SHA1:	6705DE998ED07C348788580C6163AE711672756C
SHA-256:	D1B434F173CF6AE0A47441D4CF4EF74C1122E01A44ADB39FC27A3FB4350222A0
SHA-512:	E912A2B236F7BC68495FCC89AC451008F187FDCBDC88139C5339B70DF702E555E5F4D283B1FB3524EB1DC111B496B8C9E57407C14B60EADDECDA544C23FDC3ED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+q.BJ..BJ..BJ......FJ..K2..]J..K2...J..K2...J..e.r.JJ..e.d._J..BJ..jK..K2.. J..K2..CJ..\...CJ..K2..CJ..RichBJ..................PE..L..../:e...........!........."......nB..............................................7.....@.............................................................P,.......F...................................v..@............................................text............................... ..`.rdata..............................@..@.data............b..................@....manifst.G.......H...*..............@..@.rsrc................r..............@..@.reloc..ja.......b...x..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\safewrapper.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	46824
Entropy (8bit):	6.3718471080572385
Encrypted:	false
SSDEEP:	768:NQxyqGBvGVIFDgOLVScurGht5OQpLOI2/3V1VaXLkj9:NXvGV2EmSNGht5OQdOIU3P0U
MD5:	B5BC117906C4ABE912C05D21833BBDE9
SHA1:	BF8E06A3E00131885D6CF71CC2787C6701CBAA6D
SHA-256:	40D425FDEAF7EA3AFEFEFDC57A4886BDFC764EC7A240BA409180D4AC3523473F
SHA-512:	94FA9ACFBE586C3EB514B837CFEEE65B240308759D5FE4AB3827E3A996BB7C73E99CE063A2F6BAA2910A652C49DE0AE7EEAE6CE103ACCA9AA7087DF9EEC3044A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................f.......v......g......\|......a......d....Rich...........PE..d......d.........." .....R...B.......T.........p.....................................{....@.........................................0...c....}..(...............(.......P,..........@q...............................................p..@............................text...:Q.......R.................. ..`.rdata.......p.......V..............@..@.data................j..............@....pdata..(............z..............@..@.rsrc................~..............@..@................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\safewrapper32.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34024
Entropy (8bit):	6.327492825656285
Encrypted:	false
SSDEEP:	768:hKskBJrdjjSRwvr6oMY7E2/d1V1VaXLkjF:lkzdj16oMY7EU/P0k
MD5:	B20C9D59DC0C12E7AE71AF20D8610BD8
SHA1:	37DD1D60B9EE1B0DBC62A614E7AFCCD263970352
SHA-256:	BAF7E72EA5CD525E5D3BEDFD6AD9A6F24EC306E433C1B6E2613A505B4358F080
SHA-512:	88AF78818D06E8EF4639E188BADA9B9C7D8F69F5E15BD34CDDB07086F21AB36F7903E8BAAF9CE5DCC1BC039432F06A840214C5EA56498DED0DDA09AD63740BDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................................................Rich............PE..L...Z..d...........!........2......:%.......@.....p......................................@..........................K..c....G..(....p...............X..P,...........@...............................................@...............................text....(......................... ..`.rdata..k....@......................@..@.data...D....P.......<..............@....rsrc........p.......H..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\sbmon.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	376320
Entropy (8bit):	6.699956048285194
Encrypted:	false
SSDEEP:	6144:vdwxI+FMRNjYyxEeVU85PaFLz4Ux3qM1rio9TB1KlgDli:yxI6QNjYyeeVU8RaFLzbx6ario9TNJi
MD5:	0C8FDCD5FE400719EE5ED07CB32F8E5C
SHA1:	143569797ED124FE9C222BEFE7696FFEFAA36079
SHA-256:	41BEB055696B626CEDCA5B14C6613AECDD2B73DC389A61C961EA30029C6BFC1B
SHA-512:	2CFF0EB4D636F287FC742FCB5DBE81AE7D6733F566660FDCF936DDEAFB385E5F51856A2D71CDB5C4E26BE55C583F5D22A97742632E2935CA478D86B9E63B6FCD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u.(.1.F.1.F.1.F.8..(.F.8..=.F.8....F.8..*.F.1.G..F.8..f.F.8..0.F./..0.F.8..0.F.Rich1.F.........................PE..L...W..^...........!................D.....................................................@.............................i...............................h7.......0.. ............................... ...@............................................text............................... ..`.rdata..Y........ ..................@..@.data....}... ...$..................@....rsrc................0..............@..@.reloc..2H.......J...:..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\settingcentercfg.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	296168
Entropy (8bit):	6.537790365460336
Encrypted:	false
SSDEEP:	6144:q1AV4DwqZh2u+GUUYGekXEwiqBNgHsXUUbQ:Dir34UGkXEwiqBNxU1
MD5:	C7989632E6C0C5859ABD9A142E8DE5A7
SHA1:	E1135468989051AB951FCAF57615E7CA6621FA72
SHA-256:	EE39FF4ECD99E7688FC99257BF746CD9A00CEE90EAB9BB57A4CDA04B8C641FBB
SHA-512:	8C026D01CAA09431CE56FB67BF6D217886561659759278D7B195854017B4768DC80B3F7AD06310955906C4EFBE1C64A2EF5A63B384960064F82C378A498DD228
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$..uJ..uJ..uJ.q:...uJ......uJ..'...uJ......uJ......uJ..uK..tJ.....PuJ.....uJ......uJ..'...uJ......uJ.Rich.uJ.................PE..L....upd...........!.........F............... .......................................'....@.........................0.......h........@..d+...........X..P,...p...&..P$..................................@............ ...............................text............................... ..`.rdata...... ......................@..@.data....d.......(..................@....rsrc...d+...@...,..................@..@.reloc...A...p...B..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\shell360ext.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	285024
Entropy (8bit):	6.42559804173613
Encrypted:	false
SSDEEP:	3072:99Wn7gp0UNCivmDCbdZcB0L6rOSQHq8qAEHsZwrooOaj4yFDXmqwgjczAdeyOy5T:9s7gmOWaGrOSUEH5rowVZJ9jcs3ZQdyx
MD5:	55720D486DF26BCA2517120018BE4526
SHA1:	AC8D6B78E5CACB0DB04DABE371C9B4DB3F75861B
SHA-256:	F109944B22046FEA6532067B73CF8159629AB6115A1F5765A6631F91596EC20D
SHA-512:	98474BB3CE5D90CB7625ADB28A2A862336116E38F629B4E19FFF59BBC5062453D402C4C5CA06C92371E75C1D8743D9DAF6750B6E52439847AFC9F7511EB7DCBE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s..J7.j.7.j.7.j.....5.j.>...%.j.>...:.j.....4.j.......j.7.k...j.>...r.j.>...O.j.>...6.j.)...6.j.7...6.j.>...6.j.Rich7.j.................PE..L.....^...........!.................................................................H....@..........................g.......T...........h...........$...4...P...!......................................@...............p............................text............................... ..`.orpc...3........................... ..`.rdata..............................@..@.data...@c...p...B...D..............@....rsrc....h.......j..................@..@.reloc..J0...P...2..................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\shell360ext64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	337768
Entropy (8bit):	6.135707746088789
Encrypted:	false
SSDEEP:	6144:zzP3ynTk8o5nI863JGetFsPX0J91AVwWxNiUBEDBk1:3PinTk8kvYPtogwx2DB
MD5:	3BE0E20A43D852D54EB1A060EAE2CF71
SHA1:	CDDB97396A7BAF016A2F0C90D8E1A782265D6805
SHA-256:	C61FE57C613010CFB49D772F17C33D702CD7B152575C87F82C55015049E27775
SHA-512:	9040D3CCDEAD3C662E145796CC570C32945F25729A8D5EC01193E3F2B1E07926CA92EB003665E54D724A1FF4154AE6A1D27E481A21D6AEA2C3963237C750D036
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v...v...v..B91..v....2..v.......v.....v.....v...v...v....#..v....$..v....5..v...$3..v....6..v..Rich.v..........................PE..d......^.........." .........................................................P......."....@.............................................................\|h...............4...@..P....7...............................................0...............................text............................... ..`.orpc...5.... ...................... ..`.rdata..`....0......................@..@.data....~... ...V..................@....pdata...........0...L..............@..@.rsrc...\|h.......j...\|..............@..@.reloc..`....@......................@..B................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\sites.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1478720
Entropy (8bit):	6.243233564535013
Encrypted:	false
SSDEEP:	24576:8212+7QSyDgGz1FwHS2NH96QbxGO7yVBVtLWQb93:8S2+7myy2J96QbAO7MBVVd
MD5:	3F03F2C6000D713BF0C2824EB6021FE7
SHA1:	B03401B07BC2EDA58C4749E8A5EE14AB5CD056D4
SHA-256:	43923DD9F19E5089947F8376BE5E59A9683C4C9B566CE6FEB46A02D8A6E12C28
SHA-512:	CAFDDA7E6D67E3906E8DABECEC018DC45CDA69E505D074CF93DD3CB1A4E967263D8486A788EA97809E633036E06CED1257BBD96D23B441242E7B8ABC05948B37
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......<<.x]..x]..x]....7.~]..q%4.]]..q%(.u].._...p]..f.%.}]..x]..M_.._...g].._...y]..q%"..]..q%%..]..q%3.y]..f.5.y]..x]6.y]..q%0.y]..Richx]..........................PE..L......`...........!.....^...*.......a.......p............................................@.........................@...................8-...........X...7...........y.................................@............p..T............................text...V].......^.................. ..`.rdata...C...p...D...b..............@..@.data...8...........................@....rsrc...8-...........4..............@..@.reloc..T............b..............@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\spsafe.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	817368
Entropy (8bit):	6.738529048176569
Encrypted:	false
SSDEEP:	12288:uOUfiU0mT/a6QgN3GlNZ73udM/iJ2FyNRk/9nNV6hPyDHK9Tud8wgQ5wud59c:v+QgNy/XKRuV6hP19TSgQZd59c
MD5:	75D3BEE4F0D52A12BEB677AF61FA439B
SHA1:	1A4747E8A32C68DEC8CE4A3C5FF6423D894AA857
SHA-256:	39A593FB9BA310A32D3931F6E7D5634439DC34F15434C69499958DAB6D888636
SHA-512:	8C8FA0EB35EC7BCCF388E45694855BFE32695BD1FD38AB095F45F6BE0E4DD511CEF7974C9CA27B64EA87E0362FE2684D357B54D3A5FA6D811845CAB9723A7EA0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Xj..69..69..69...9..69...9..69.0[9..69.0M9..69..79..69...9v.69...9s.69...9..69...9..69...9..69Rich..69................PE..L...<._...........!.........j............................................... ......H.....@.................................P........P..0............>..@:...p..Hy...................................j..@............................................text...i........................... ..`.rdata...7.......8..................@..@.data...\|.... ...d..................@....share..8....0.......n..............@....hlpsec......@.......r..............@..`.rsrc...0....P......................@..@.reloc.......p......................@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\spsafe64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1111032
Entropy (8bit):	6.367597371319365
Encrypted:	false
SSDEEP:	24576:kkCtooV3NfPqy2qhkEmqpb6ik9TaGvU+Rg9e:kNow3NwqhQbTaXY
MD5:	0008371C62FF56FBF645A86F1C0E593D
SHA1:	E8B0F01777C6E2A44548C3355F5187159AE22AB0
SHA-256:	99E5A986C084144406DDC7BB15965859F10C1AB79B4B1323A8F59BFBB7557851
SHA-512:	214F7F961A73EC8145B61179BFA90D462AAE178C00E1647B68E261EF3B4073C7418447F9DB5F2782DCC50A93322F6D6BD2772C66B48147286FD2B526A8AD5877
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........YIN.7.N.7.N.7.G....7.ifZ.I.7.ifL.Q.7.N.6.v.7.G...7.G..C.7.G...7.G..O.7.P..O.7.G..O.7.RichN.7.................PE..d...;.._.........." .....F...f............................................................@.............................................................<....`..,.......`A...........j...............................................`...............................text....D.......F.................. ..`.rdata.......`.......J..............@..@.data...pD..........................@....pdata..,....`......................@..@.share..D.... .......:..............@....detourd.....0.......>..............@....detourc.!...@..."...@..............@..@.hlpsec......p.......b..............@..`.rsrc...<............r..............@..@.reloc...).......*..................@..B........................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\statslib.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	143176
Entropy (8bit):	6.455813710383163
Encrypted:	false
SSDEEP:	3072:FrP8rNMpP/7CZjxyHWDqZ0tnkg5X5VBh:FroNA7cjxs6qGtDB
MD5:	5583AABC6B11C4A3BBB9981296F9FF1B
SHA1:	0C513EBA49A6363DFF931C4D492DAFAC2B553D1C
SHA-256:	B501774B6B363C32A60B93313EC340F61942F2F1A9AE85B77B4E57A5C37D8689
SHA-512:	BAE0F1B71D1A104B2047B0DCB89304A3F237A88CD9E8801B4F14522C36C4AB82C9B531059839C8F54397C0443441B284E274A7987D97578247F851764256DFC4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@nV.!...!...!..=n...!...Y...!...Y...!...Y...!....{..!...!...!...Y...!...Y...!...s...!...Y...!..Rich.!..........................PE..L....s.S...........!.....v...................................................p.......3....@.............................L.......x....@..d....................P.........................................@............................................text....u.......v.................. ..`.rdata..,H.......J...z..............@..@.data....R.......&..................@....rsrc...d....@......................@..@.reloc.......P... ..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\svcMonitor.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	287312
Entropy (8bit):	6.386260935863853
Encrypted:	false
SSDEEP:	6144:1s/nrf85ZwuovjyUWtlcojm2IifjxVSEnc/B7uSKxHFzJzcZ5ZH1V90/:1s/nrf8fwuovjyUWtlc8fjT2uftrzSHs
MD5:	858E2E9A81C7BF962F7002AB92FA2314
SHA1:	15D271B2075A29F34575D226DFFE907B9F58DC3E
SHA-256:	BC08141FF1715A940CE3EA9779E9A1C9BDEB332A7EFAD85CBDAB46A7AEFC4017
SHA-512:	9E4C07658F4BF62E052FA641B340BF2D01FB8B7F37FA8F052868FBB2C4FCB4958C88876705B7CB0B92A37BA1BDFB2A22D51D08149DA650E1BFAB6D5F40CB3E97
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........27..\d..\d..\d...d..\d...d..\d...d..\d...d..\d...d..\d.#'d..\d..]d!.\d...d..\d...d..\d...d..\dRich..\d................PE..d......a.........." .........(..............................................p......1.......................................................`........P....... ..@/.......I...`..4...@................................................................................text...r........................... ..`.rdata..............................@..@.data....O....... ..................@....pdata..@/... ...0..................@..@.rsrc........P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\swverify32.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	111072
Entropy (8bit):	6.701224873797745
Encrypted:	false
SSDEEP:	3072:GQbFkKX/BAEHeC8mskn9qs4xDXZSBT5NyUK9yeML:GQbFbBAxS9qfDXcxu9u
MD5:	09B2D099C336C74B9CC6C299B6DA5A74
SHA1:	0151CADCBF5C2A0C584D48761028D0C3734D0E08
SHA-256:	DD02201425427832BD095F91EF3162BE8666D17467E0D208E874E458052E3FE1
SHA-512:	6932B59AB76EAE60B63FC7776557161C1526881AF7B9579D35DF0676B882CFA3616747AB0A8F4689188CC604B46C3F4831DEFB07C00794449A9A66270FBB8969
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........wU.q$U.q$U.q$\..$p.q$\..$D.q$\..$0.q$rG.$P.q$U.p$0.q$\..$E.q$\..$T.q$K..$T.q$\..$T.q$RichU.q$........PE..L...)..a...........!.........b......2k....... .......................................4....@..........................M..{...dF..<....................r..H?...........!...............................A..@............ ..L............................text............................... ..`.rdata..K.... ...0..................@..@.data....0...P.......>..............@....rsrc................T..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\swverify64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123360
Entropy (8bit):	6.490240359394299
Encrypted:	false
SSDEEP:	3072:JuTpkdF2q12lOyUbQdgBFL0M12bqv5lDwCx9geMq:JEu2c26vBFLvJx9p
MD5:	D06C9847CAC97EB184F5D3DAB9EE30EA
SHA1:	525D808680CD0D8DA05562C1FE6B7A9A65674322
SHA-256:	3A6AFEA3F96AE04F79891BB23D8C2499E44EA775810FC7D2D0F8B687F3C504C0
SHA-512:	2FDBCA6AE7D0098CCEFEDAD585560CF7A5529B783EB402F0F9C5B2DFC0548955F7702EEB100E3D1E803FC9AD1FC887BFABDA81FF26574ED59F2BEC2A8FD137A1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t. .0qNQ0qNQ0qNQ9..Q.qNQ9..QRqNQ9..Q9qNQ..5Q5qNQ0qOQWqNQ9..Q qNQ9..Q1qNQ.#.Q1qNQ9..Q1qNQRich0qNQ........................PE..d...0..a.........." .....&...v......................................................].....@.............................................e....w..<.......................H?...........C...............................................@...............................text....$.......&.................. ..`.rdata...@...@...B...*..............@..@.data....:...........l..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\sysfilerepS.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	296448
Entropy (8bit):	6.525001769554265
Encrypted:	false
SSDEEP:	6144:akQR4/gW/ulyJQks7fA8kbJHP9wgZLtGvZxZcy2:WRjW/ulyJQksrA8kFHP9wgFsvfw
MD5:	080B406556B06942C740D1B27E35B76B
SHA1:	DF0E1AAD009CFE0436C476619E9A046C74957F67
SHA-256:	B6D32F193CB1309963E0566ED54551854ECE722660726460C76713E1358896A6
SHA-512:	9256D83202FBC79469DB533CC0FF5E779B2A07AAFE4CCE39AAF7CB96006A91B2AB2F62E43E6EBCBC32B053326FCB1764866B5698B85951FB7C6959D41E4CE616
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........hUX..;...;...;..q....;..q..f.;..q....;..[....;...@...;...:.S.;..q....;..q....;..[....;.......;..q....;.Rich..;.........PE..L...7..\...........!.....0...................@............................................@..........................................@..H............N..h7...P...$..0C..............................@...@............@...............................text..../.......0.................. ..`.rdata......@.......4..............@..@.data...\|=..........................@....rsrc...H....@......................@..@.reloc..<;...P...<..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\sysmon.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	258376
Entropy (8bit):	6.381415913731279
Encrypted:	false
SSDEEP:	3072:5CXOfw2KvPOgIb2KelFX9yHikM+CEQnROYUYycCBmxa65ENnxMqH7N2La+5rs370:5CXOZKTnxKikDCVnuYxa6MxHAjE
MD5:	361F2EA84360B6A2F24AC4647E2D0A91
SHA1:	2CF1D0538DAF45BCF7C79BF429355AE78F47CF74
SHA-256:	29734631E6E901CDCBF7F6FBC62EE513EA3F11BDFBA65963D5F7C598793546AA
SHA-512:	7907AB407449611BEF00EB2678B4B3B24B721B1E2A08237DBF826E6A3017164B44C42164FA0BA81D1EC484A22B87723FE4B1A4387C3788EB4427187B507EB1FE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+4V]oU8.oU8.oU8.....nU8.f-..wU8.f-...U8.q...jU8.f-..PU8.H.U.nU8.H.C.rU8.oU9..U8.f-..LU8.f-..nU8.q...nU8.f-..nU8.RichoU8.................PE..L......S...........!................+........................................0.......u...............................i...... X..................................(!..................................83..@...............@............................text............................... ..`.rdata..............................@..@.data....`...p...8...Z..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\sysoptm.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	290656
Entropy (8bit):	6.600061339720852
Encrypted:	false
SSDEEP:	6144:KVA8XAqnlpVQgOakhfOM3WYMBhdJ6fo2KZjCoGR:KVA8XAqlpuvasOMm9Bh36fotjCZ
MD5:	307897B0DC7DB6F9CC95C11842A3DF53
SHA1:	BCBCDAA63A2F4482652C363A40C61F133D475E8B
SHA-256:	625A27386FFA51417CA2FA71A95051A77267A49631853EE44340CBF0E1C64316
SHA-512:	513134558006639DE122932B7E6BEDEB3CFDA6BFF457821F8AAE46CB8822ADBA94BE1C4786B79A6B96252513555CE6B016A0763FA2B62AD4B0C415E0E5A0F8A0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........P@...@...@.....E.A...I.F.U...I.P....I.W.}...gb..A...gb..[...@.......I.Y.a...I.A.A...^.G.A...I.B.A...Rich@...........................PE..L...m<.]...........!.....&..........l........@.......................................`....@.........................0.......d........0...............:...4...@...%...E..................................@............@...............................text....%.......&.................. ..`.rdata......@.......*..............@..@.data....L.......,..................@....rsrc........0......................@..@.reloc..X:...@...<..................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\uni_links_desktop_plugin.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	567984
Entropy (8bit):	6.423612441750911
Encrypted:	false
SSDEEP:	12288:A3Akvssp2hEOe4C6Eos37/t4eIroNtRT7tl4KO2TUyT611yOhYhn8rcRkoIx5pZh:AwNkUYhn7qHx5pZfrDjaA
MD5:	AD303BE2FD780FEC8DD371CF371C0539
SHA1:	0B177653F8457642717AA6A4E1C62432E6E92B39
SHA-256:	D7C3DA9AE5E8C6F33E4972784A0E73034B31576BF47248E5512F34D4BEB0F8C2
SHA-512:	1EC4BD2BBED3B4D783611A2943C93854425A4B6EAE070D37D61135F4CE826672A960FD0BDF1D4E7687B47A3B01CE6958E3F8C60B6DF4AC274C627CF0966BB498
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i}..-...-...-...Hz..'...Hz..?...Hz.......i..#....i..'....i..k...Hz..+....i......-...Y....i..)....i..,....i/.,....i..,...Rich-...........................PE..d....$)e.........." .........d......\|....................................................`.........................................0...........d............`..<B...~...,..........HO.......................Q..(...pO..8............@...............................text...`,.......................... ..`.rdata.......@.......2..............@..@.data....I.......2..................@....pdata..<B...`...D...&..............@..@_RDATA...............j..............@..@.rsrc................l..............@..@.reloc...............n..............@..B................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\uniconft.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	625896
Entropy (8bit):	6.808713443080818
Encrypted:	false
SSDEEP:	12288:non3WvMMk82bHdpvs9PBXy+S43znHwHIxDgb1ovXuY:udHdVW9zHwoxWaXuY
MD5:	DE5914A6EE0CAC54604E9F787F286055
SHA1:	2B9046B3BE75E4838E1A8AA37E03EBFFF81A67AF
SHA-256:	3494F5E4F6973BD8B0F0A826951BB411B4B6658CCFCF4BCEC916911541FE7F92
SHA-512:	6216953F9DBB73F6A5108C2540D9C37739A9761880976EBB6F2ADFF55B4BB2657C0E19DE8F0DC497673478B9369DAB34B9A97BDBB6929B1C5295E9EAE395D8B2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u...u...u....K.q...\|.H.n...\|.Y.?...\|.^.....R...y...R...b...u...u...\|.W.....\|.O.t...k.I.t...\|.L.t...Richu...........PE..L.... :e...........!.........T......Y........ ...............................P.......l....@.........................0...7...............\............`..P,......PT...%...............................g..@............ ..x............................text............................... ..`.rdata..g.... ......................@..@.data............:..................@....rsrc...\...........................@..@.reloc..nk.......l..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\uniconft64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	671464
Entropy (8bit):	6.467168734612751
Encrypted:	false
SSDEEP:	12288:ippXt1116sqOSsER4TvmwW/BoRseYX/WaWf7A6d7DEnIQcXizFry:Epn116sqvsEWT+wIBoRsBbWf7AgscXd
MD5:	7865D331C84B915DDB07D1F53BDA48FB
SHA1:	9B48C11FCC174C8ACF257E4D56985F3EAF489A4B
SHA-256:	67A60766372CA75BD26C1B6DAC7A92110B74844B20705D040F0E6DE17BDFB9DD
SHA-512:	D69BB5DDEBC011153B1620BAF205DD79146DD9640A4E00D9CADBEA2F9FB43971BD1D74C0DED9FDA752919688518EB1672AB7CC27377AE7E2C349F89B72755901
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5...T`..T`..T`.M....T`..,...T`..,..cT`.....T`.....T`.....T`..Ta..T`..,...T`..,...T`..,...T`......T`..,...T`.Rich.T`.........PE..d..." :e.........." .................\|..............................................D$....@..........................................d..7...hO...............p...^......P,...........7...............................................0..X............................text............................... ..`.rdata...4...0...6..................@..@.data........p...H...P..............@....pdata...^...p...`..................@..@.rsrc...............................@..@.reloc..n...........................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\url_launcher_windows_plugin.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	340144
Entropy (8bit):	6.329282571887064
Encrypted:	false
SSDEEP:	6144:fF5bcRP41QtrfOacuF5Zt6cqgE6MohM5dm6c5rusFDpiJx:95bcm1QllP36flo+5dY5rushp0x
MD5:	F007F46A79FE228E5AADBCEACA242703
SHA1:	C0F347ACCE2EA2025D9E1EB35E4EB829344A30FD
SHA-256:	027E70B91A2BA89F40B768F3B3EB6C12792F422C931A310F097BDB992131AA6C
SHA-512:	524E11F557395D025D3658C035D87A909EEED7C2C3E89209869E0A1F000E998FF71C4BA3FB69836D44B5116B4FF56C2F1F0EAEB7DF3496421F3D1DB42354F4A4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k..k/..8/..8/..8J..9%..8J..9=..8J..9...8}..9!..8}..9%..8}..9f..8J..9)..8...9,..8/..8[..8..9(..8..9...8.?8...8..9...8Rich/..8........................PE..d...y$)e.........." .....,..........p+.......................................`............`......................................... ...\|.......d....@..........h........,...P......h9.......................;..(....9..8............@..X............................text....+.......,.................. ..`.rdata..xt...@...v...0..............@..@.data....5..........................@....pdata..h........0..................@..@_RDATA.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\urlproc.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	771816
Entropy (8bit):	6.687066668581742
Encrypted:	false
SSDEEP:	12288:t0JqX8wh7HCMdK/m8HBMZT7gcgx7KS/8SpbFtjmoTIiDuSFEna0VujIOI0eo9TX/:tPX8wBib/Qg1hpbFxmEIidCnaIujIgjV
MD5:	4F097904954CD6DEA1F8852E1E25B7A3
SHA1:	0B195A2CBDF09EAC55D8660860A9E9198C0BAB4B
SHA-256:	D883D681804C612FEE3D2EBC14946C789F7324F12AC0D1FFDA5F12863F326A65
SHA-512:	7E7AD7C922D731B8FEFDA9F86F3263701AEBA69C5F8475C8EAF944BAED82F660843CFF8B0790C2E0E95FFD97C74BC449F6B1CB9FDE2516C380FDAB1761AE0955
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........S.I.=.I.=.I.=...K.=.@...R.=.@.....=.@.....=.n.P.H.=.n.F.T.=.I.<.L.=.@... .=.@...H.=.W...H.=.@...H.=.RichI.=.........PE..L...d.,e...........!.........~......"........0......................................r.....@.............................?...(........`..................P,...p...b...4...............................3..@............0...............................text...S........................... ..`.rdata......0......................@..@.data....y.......B..................@....rsrc........`......................@..@.reloc..j....p......................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\vccorlib140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	264032
Entropy (8bit):	6.5509781606253386
Encrypted:	false
SSDEEP:	3072:Fd5S7spsLVDInjnhQWHaMMumlH+B9AI9eSxuUSfomwCapFR6gmDC2WYs3nPKsXO:P5Skg0njhQWHaMWlad3oUqomTaZwibXO
MD5:	BC928E85601A6826045D0E90113F8EFE
SHA1:	1A87B8A42F9C16409BCD0329C0913355A622760C
SHA-256:	9CD77163AB9A421D3512C7C95B76EF96160B341A31AFE83A77A9625AF0D5C517
SHA-512:	D8274E3C56182FF674E6EAD7EA43BCCAA4FA01489AC52B9D74D9D556193E83AEE3B7396608AA4AF22D09E96D5CB1FA9889EF86A555E14D93F5E15BFBD81E79F2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y......I...I...I..\|I7..I&..H...I...In..I&..H...I&..H...I&..H...I&..H...I&..H...I&..I...I&..H...IRich...I........PE..L....PZW.........."!................@........@............................... ............@A.............................=..............................`-.......Q...D..8............................D..@............................................text....,.......................... ..`.data....=...@...:...2..............@....idata...............l..............@..@minATL..............................@..@.rsrc...............................@..@.reloc...Q.......R..................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\vxproto.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	177264
Entropy (8bit):	6.8079906844124745
Encrypted:	false
SSDEEP:	3072:eIRXpGKDHXyf4zAEs6T/ZM4x+qkQTBfCLOLTt/u:eIhAEXYatnjkQTBKL25/u
MD5:	C44FD91C1FBF416174B7B40BD8C30D70
SHA1:	4E69E42AD67D81E835D5AFD5E507639112EB662A
SHA-256:	4EE61ECA19E8FFDFC3036AA3EF69452382F32C61BDDC6D8ADBE2D50E771256E2
SHA-512:	E8CDF246A6A034444CBB6E5D510733F4EECAE7F41EFCABC3AA49659CFB29FA2E55EC5657FD80050BBB09095F0C67AB7EFC7BD3E58DEF8FB4B8E28F8F1FDC2FC8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.3...`...`...`.Ye`...`.Y[`...`.Yd`...`.s.`...`...`...`.r``...`.rX`...`.Y_`...`...`...`.rZ`...`Rich...`........................PE..L...O>mU...........!................;....................................................@.........................`q......4r..P...................................p...8............................c..@............... ............................text............................... ..`.rdata..............................@..@.data....5...........h..............@....rsrc................~..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wddisam.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2555112
Entropy (8bit):	2.7387589142497575
Encrypted:	false
SSDEEP:	12288:6pL8J2LiKWfo28YxtTOPTOPTKW+IUTHN0kBSbXHE:6pLG23YhTtTOPTOPTKW+IUTt0kBSbHE
MD5:	7394D42315891F0CCF3BE07B3AD05A72
SHA1:	F439123D1A50885203416E5D654A98C9E6A8AD20
SHA-256:	6B997B5404AB09E06C995991559D19B046438F448F1C37A4F0581A515B8C7B7C
SHA-512:	8059F64EBEBE194EE2F8719552125659F36E4092573589B669603E82D1F0BA5812F804736CC555CF91206C34452A7EDF153FD851ECA4F85E864BC4948D5486F5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w...............w.......u.?.....t......~.......~.......~.......n................................y.....................Rich............................PE..L...HZ.d...........!..........#...............................................'.......'...@.........................`.&.P.....&.P.....&...............&.P,....&.l6...r&.p...........................@s&.@...............L............................text............................... ..`.rdata..&.#.......#.................@..@.data...l.....&.......&.............@....rsrc.........&.......&.............@..@.reloc..l6....&..8....&.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wdefence.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	158120
Entropy (8bit):	6.6036652086687475
Encrypted:	false
SSDEEP:	3072:r1OJQ+ekyb4aeTqvw3dJ5e5AfH9F757qDu3eCVn:r1w9seuvwtLe5AfljF
MD5:	835212E2D46361902835E35582133CF1
SHA1:	B17686F86A0517077D2386228F820E78EF4E6B48
SHA-256:	A7BB626C295E968E58297FADA6BF7FAD94436D8C5F8594DD84A5D323B62C2D50
SHA-512:	AEA4E226019C72546B21E25A5D62DF991D1AB208B4B1D4EBF86E71A158209675CDA99BDE8FC5149266D05E1835936E11BB61FC6D49A09E3DDD779553075E688E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^.}X........................`...........=.h.................$...........................Rich....................PE..L......X...........!................v.....................................................@.........................0...G.......P....P...............4...5...`...... ...................................@............................................text............................... ..`.rdata..w[.......\..................@..@.data....N..........................@....rsrc........P......................@..@.reloc..b%...`...&..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wdexhelper.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	105056
Entropy (8bit):	6.599290957656915
Encrypted:	false
SSDEEP:	1536:xa+VGSaCuW4B6+dcbJFS9dSkyrSdgq+r5dLbUFKd5okghM:dcSaCuwOcbWyEgq+r5dLbUIdKK
MD5:	4083E8CA56DBD193C1A2BC14C6F31F2D
SHA1:	DDE611369CC1864649EFAA550E2E9C8C817C029D
SHA-256:	E1944E23B2057913BBC77370FCF334CDE7B882E9662F18D05EE6098B01447419
SHA-512:	9EF369DCB65095A944DC58745886855C1763EEA342766676B9274738164CA66135734E7FACB8D9489B30D70149AE908D66559028CFA23AA40076BCF028B2701E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0...c...c...c..Ec...c..Tc...c..Bc..c.y.c...c...c..c..Kc...c..Sc...c..Uc...c..Pc...cRich...c................PE..L.....Y...........!.........l.......m...............................................B....@.........................`E..I...,=..P....................d...5..........................................X-..@...............p............................text............................... ..`.rdata...5.......6..................@..@.data...\|....P.......,..............@....rsrc................>..............@..@.reloc..p............D..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wdexhelperx64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	132000
Entropy (8bit):	6.339466105998257
Encrypted:	false
SSDEEP:	1536:thmg9KxUvO94qfftyLElW+aKsbNKNfrsivHl3JnSFfKh2MYC8To5OY9u8o1Ygh:nmgF27KE0KGSDRvJnh2M18To5OY9I
MD5:	EA7DE7494A466832B1E17A0628EA7830
SHA1:	44370CD1376A2BBED6268837003EB08901DD632B
SHA-256:	A6066AD5E9FA49163871BF7B6B4223B02B8D31DFAF9CB8463C58880C6F649929
SHA-512:	B83458FFE5958C9F14F078E6BE3E44496A596F4568029F6630FFCBE217A3ED70167A22598F8101868B6C6F05CD4EDC155DA2D2F1404A85D1E0B400E92D9E3F7E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......cA.A' ..' ..' ...X... ...X..y ...X..- ...... ..' ..H ...X... ...X..& ..9r..& ...X..& ..Rich' ..........................PE..d.....Y.........." ....................................................... .......#....@.............................................I.......P........................A......0....C...............................................@...............................text....)......................... ..`.rdata..)X...@...Z..................@..@.data...x9..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..`...........................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wdres.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	133192
Entropy (8bit):	6.613875361519417
Encrypted:	false
SSDEEP:	768:oDbvQ6mxE5tCWOiFDQM1no4ARzK2ORyALKk35LlKnI1w+HadlVQOFLQJpv5bJ8Nm:oDeYOi5BiQRdLj9/H44phbyGoWz
MD5:	AA503D702228E0F8E530CFC8D7194017
SHA1:	B9500C69197E87AB70D164C2B4E30058431E4A59
SHA-256:	B6F73E0B73F9AACB85EB0132DAC3662D6A8B3D7110B20D90BC9E31506ED3FEE7
SHA-512:	54F2FAD96825CD4AFC58A0A99EE3BFC6E7BED5BD5E0A8BF09083E72B6D34A7CED5BE77DBE8294D73FB092187C22CE943A1CB9BA130C3135A233B9AABB51FBBB8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:.`.[.3.[.3.[.3.#R3.[.3.#C3.[.3.#U3.[.3...3.[.3.[.3.[.3.#\3.[.3..B3.[.3.#G3.[.3Rich.[.3........................PE..L.....[...........!.....d...f......M.....................................................@.....................................(........................7.......... ...................................@............................................text...Tc.......d.................. ..`.rdata..L".......$...h..............@..@.data...\...........................@....rsrc............ ..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wdtHelper.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	361704
Entropy (8bit):	5.5673332951295516
Encrypted:	false
SSDEEP:	6144:UrIBDsruqjFm0MBU5Cv14COb+ZV8xuMYlWA6qU:UrEDsrLFmXBU5C9Sb+ZV8jY89
MD5:	AF271E2FE0E91A8340CF377F3934EAD1
SHA1:	11A29B7802A204FA3FD13789CE521B549C403A00
SHA-256:	42C330B5C5F2F82EA8A49A5149354D17940726AAAEB7551B63EB3009C0F341AB
SHA-512:	D0998CD6CBA7B1755FF9CBAB26CFCFA5E07E3B143156AF7E8713E12425914A265F95B545100C1173B47E3359F1254624C16A80929303DB9EC791F959AEDA929D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......).$.mcJ.mcJ.mcJ..,..ocJ.d...\|cJ.d....cJ.d...^cJ.J.'.ocJ.J.1.\|cJ.mcK..cJ.d...\|cJ.d...lcJ.s1..lcJ.d...lcJ.RichmcJ.................PE..L......d...........!.....b..........y.....................................................@.........................P................p...............X..P,......h%..`...................................@...............$............................text....a.......b.................. ..`.rdata../{.......\|...f..............@..@.data....l.......8..................@....rsrc........p......................@..@.reloc...4.......6... ..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wdui2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1318632
Entropy (8bit):	7.1335534012386415
Encrypted:	false
SSDEEP:	24576:7hdgcG8llGny4MIxwhQlcONuG0ipbzMTKdL24biHUE4:EctGy4DxkocONuG0S4TKdrboUE4
MD5:	11DD5A778F13875767EC13A7641BFD39
SHA1:	D3E4E6CD393C3345D3ABFE33988671A41954D625
SHA-256:	2802030D0255BFC68151ED66C645A2D333E0D0AC6F0FC8E68E1B458FE628E007
SHA-512:	01914FB89FA3472D66DD7F28C7BC919CFDB1E1DA309E69A210FBA373B0B2AC10AA3F388E23E0BFBE87995C62ACA10F5D756E1F366E7B7EF5E403F88FC1A48D08
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H..x&..x&..x&.]7...x&......x&.....Kx&.....x&..K..x&..]..x&..x'.y&.....x&......x&..*...x&......x&.Rich.x&.........................PE..L......e...........!................\'.......................................`.......N....@.............................[...$...,.......$...............P,..........................................H...@............................................text............................... ..`.rdata.............................@..@.data...<...........................@....rsrc...$............4..............@..@.reloc...............:..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wdui3.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1094888
Entropy (8bit):	6.920698803896278
Encrypted:	false
SSDEEP:	24576:T5UVbnvH4EKtwgoZdwaN6N+Vi/VBdT2heApbeQ1DLzV:TdqjwaN6N+g/VHT2hveQ1DLzV
MD5:	DFFDFB7167BCF65E8F2A28283E34B2C1
SHA1:	B99275B7F2961E54D094E707401E9D4DCA0D39E1
SHA-256:	70F29595B45DB1284EA39898566D09191A4E81B5C3922F70C23E76C380D3B85A
SHA-512:	F081C44EBA05EA4CAF8D7550FA179A00F4341582BBBCA00F547D94D4906B311DFD358CCBDA96A839485E38FEF59A2920B136578B8AD5A78BCA6EA6EB8FAD5502
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hJ.h,+.;,+.;,+.;.d4;.+.;%S7;.+.;%S!;.+.;2y&;(+.;%S&;e+.;...;(+.;...;1+.;,+.;P*.;%S(;k+.;%S0;-+.;2y6;-+.;%S3;-+.;Rich,+.;................PE..L...V..c...........!.................................................................%....@..........................$..M...............xn..............P,...P..8...`...............................8W..@............................................text...L........................... ..`.rdata..............................@..@.data...<....0...X..................@....rsrc...xn.......p...l..............@..@.reloc..n....P......................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wdzerop.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	238560
Entropy (8bit):	6.640593169975473
Encrypted:	false
SSDEEP:	3072:0VsImuW35nWIFuw3m8mjrzYb+aejgO2PKyjePvX/SIYlYFqah5+UT/8p9IR1eMv:2mD5t39m86nzyjePSI7Fm6/8p9Q3
MD5:	FCEA1FCBC94A5E75273C2B042DD4F8ED
SHA1:	4D017C718D732E8C18709332F0A69729CDBABEF0
SHA-256:	6392DCEF8AA143239D4E043A95DD9ACFB731CF7DAE3C88DDC8FDEBE54B79F946
SHA-512:	40671799109438C4D59E5A3242290C0E1DBF3D22853EA70102A4B16FEF430BCFCD515A7B9A699AD122710FC027C18530698D64E8EF05304090CB0A709EA2454B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l...^..^..^..^...^..^...^..^..^.dy^...^..^v..^..^..^..^..^..^..^..^..^Rich..^................PE..L......a...........!.....z..........P................................................V....@......................... ...K.......x....p...............d..H?..........p...................................@............................................text...hx.......z.................. ..`.rdata..k............~..............@..@.data...\|M... ...$..................@....rsrc........p.......0..............@..@.reloc...*.......,...6..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\webprotect.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	244552
Entropy (8bit):	6.4522910932056625
Encrypted:	false
SSDEEP:	3072:gIFk1jgk0hTxCvdRQeTfb0ydJdwcYsqmzm4RmkCaMsDfEFhA8VZv591zOgxx:l7BeUMXLwcUmzbpMs651
MD5:	5EBB43C91176A23B800D5A27DC1098C9
SHA1:	EB3CEBB63A522D97CDAD4F96CB91ED014A67D9E8
SHA-256:	2E42E4D5FCA0203A07341CD0307FA11F288DDB1C7ACCAAD6E66D07B4897EAF10
SHA-512:	388B5B21873827A0AC4AD7B05BB2BD8B0900F1BEB94908B66E906F28D23D4F63F2D9250BB62EA955C810F651BE09EC5006EE10B78568CD840834D958325044DE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c.P.'.>.'.>.'.>...%.>....0.>.....>.9...".>......>..hS.&.>..hE...>.'.?..>......>....&.>.9...&.>....&.>.Rich'.>.................PE..L......S...........!.....`...:.......U.......p......................................:.....@.............................P............P...`..........................0s..............................8...@............p...............................text....^.......`.................. ..`.rdata..0k...p...l...d..............@..@.data...\|l.......:..................@....rsrc....`...P...b..................@..@.reloc..z1.......2...l..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\window_manager_plugin.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	612016
Entropy (8bit):	6.4174165848719955
Encrypted:	false
SSDEEP:	12288:Mg6WuC+Cyifm5/EiQ2JBhThEYYExBx5wBUvxbUwWmXB/e9YZJxSEzzoOCbdpZfjo:MgzV2JxS+zCbdpZfjHsFx
MD5:	F14F9BE66E48C18118C45CF9FCD3309B
SHA1:	1D290BE804D926F60BED30F8F850BDB085515A92
SHA-256:	4A80B9DBA44153735810E7531395A15476733F8A90A69F8FC5939A2C323873A1
SHA-512:	03B74AADC9A85C65024F4CC43AC6DDA1558A157708B26B2C655249034FE0617EB8C03E5D6158AE2AC197CE51B8947262A6450E1A4F41CE0CBDEC9A9F5CE4A0B1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6...X...X...X...[...X...].R.X...\...X...[...X...]...X...\...X...Y...X.N.Y...X...Y.o.X.;.]...X.;.X...X.;.....X.;.Z...X.Rich..X.................PE..d....$)e.........." .........~......,I....................................................`.............................................x............p...........E......,......H...............................(.......8............................................text...p........................... ..`.rdata..............................@..@.data....B.........................@....pdata...E.......F..................@..@_RDATA.......`......................@..@.rsrc........p......................@..@.reloc..H...........................@..B........................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\window_size_plugin.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	564400
Entropy (8bit):	6.422469848275101
Encrypted:	false
SSDEEP:	12288:jEUEku6bXor/fKooWkyE+J3DXih1sf8KM7sniCf9JRn+TF4Jt+jL2T/g/You/dpa:oUozsjL2lf/dpZR9ZgjP
MD5:	8147BD2F71221360338CD14E3E7EA323
SHA1:	E59AC3F40454E7A4E8ABD63945994B836F283C80
SHA-256:	E0976CCEACED3FCB2C93821D760381ACD8BCB59B02D2E4DF8468CD021C65D96A
SHA-512:	F7FAAC494AA4347545B7A17EF56F3E05751D43425A17B80B9C9923924251CC5DFF306E5CEED18F856C84236A5AE174519C5FCB91726352B7B31ED73F399400B2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<.^.]...]...]...;...]...;...]...;...]...(...]...(...]...(...]...;...]...(...]...]...]..e(...]..e(...]..e(...]..e(...]..Rich.]..................PE..d....$)e.........." .........V......L..............................................._I....`.............................................p... ...P............P...A...p...,......(....M.......................O..(... N..8............@...............................text...p,.......................... ..`.rdata.......@.......2..............@..@.data....A.......*..................@....pdata...A...P...B..................@..@_RDATA...............\..............@..@.rsrc................^..............@..@.reloc..(............`..............@..B........................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wuhelp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	78808
Entropy (8bit):	6.57997288223318
Encrypted:	false
SSDEEP:	768:KG4sS22vz/mn2/vftVzXsY1Vf6PnGwlNkptKbEYHm5ItEtrha+pedW3jX+4qCGo/:K392sz/sdup+BXsvk+0c3jOZo/
MD5:	59377AA3DE07D487BE3B434FB2864DC4
SHA1:	DD92A3C14A26973D9C32181584D738A7AE2F06C2
SHA-256:	AF398242657D8A8838104CF635B98B4E5CF7E2322D96C097AE0D810FC0197E16
SHA-512:	F6A011AC8A4A0E05FD429C4349051F5F526A96B06902307096E1331CFD935206B35D894F19903D61A2757DC50C8F30F465E361E5BC17ABA63F2947DD0EFD79AE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........L..."O.."O.."OV..O.."O...O.."O...O.."O...O.."O...O.."O..#O.."O...O.."O...O.."O...O.."ORich.."O................PE..L......Y...........!.........X.......>.......................................`......?.....@.....................................P....0..................@/...@..H.......................................@...............\............................text...a........................... ..`.rdata...(.......*..................@..@.data....0..........................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wuhelp64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	86288
Entropy (8bit):	6.353633574899183
Encrypted:	false
SSDEEP:	1536:lU0yrG/FM7gb5vP3iSbmnyXS9IgWgR5sZhoQ+JLXe9HJo2PpJvvvvvvvvGzboEPO:lCOZtbmnoS9h5GPg69Hy2PpIoEJg
MD5:	D6E2A0D34AA617FCB82D832642E5470A
SHA1:	68125F81883B8BBBE65B16D2C0E0A5983FC59C20
SHA-256:	048EF535E135B4B13D85E4689268B404DBB97A0B29983BA9BF4FC8E97D2D051F
SHA-512:	A7ACFEF5858AFCFD8E43DEC41A1A9334645B10C00BAC65A474A438DF4CE1131983BEF47B5CDDAB69D5CEC4C2B0FC21C202CD844BD6BA3E11CB6D2C409ABC9B5C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4.i.4.i.4.i.=....i.=..j.i.=...>.i.=...3.i.4.h.V.i.=..=.i.*...5.i.=...5.i.Rich4.i.................PE..d...~..Y.........." .........`......\L.......................................p......"y....@.................................................X...P....P.......@..l.......x:...`.......................................................................................text............................... ..`.rdata...2.......4..................@..@.data....;..........................@....pdata..l....@......................@..@.rsrc........P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yhregd.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	500968
Entropy (8bit):	6.598421975074313
Encrypted:	false
SSDEEP:	6144:q0tNHboDyDCVV/wrNuO5oJE9fCt7swJHcES+hfxsPipKg8ytAHfN6pISWjnHF1ob:q0thobXuuOuKzifxsP3ytK6pynHFm
MD5:	799918EF88A366AD37D33C2CFB5E8B43
SHA1:	93F782B07C2859CE4489692A9BA6334AC2011661
SHA-256:	B4EF6B60BF2799B487646046AF290D1FA84E92FE81A445C3FC9CB2E1B72CE25B
SHA-512:	DEE59DFC238BB237125C15C405242CC8540818D60D67D1B731ECBF2FC5F6FDE8A52738E9FB72F8A740B4FD2A61445382C522B5116A280B91D8DC14B1DA0BDD5F
Malicious:	false
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$........I.Y.(...(...(..Wv...(..@Y...(...@...(...@...(..B.p..(..@Y...(..AY...(...P...(..h.E..(..SA...(..lA...(..VA...(..lA...(..VA...(...@...(..%Z...(..%Z...(...(..@)..^A...(..^A...(..^A}..(...(...(..^A...(..Rich.(..................PE..L...h#?e...........!.................u..............................................0.....@......................... ...P...p...........l............x..P,......tK..@...T...................8...........@............................................text............................... ..`.rdata..Hb.......d..................@..@.data...@R...0......................@....rsrc...l............ ..............@..@.reloc..tK.......L...*..............@..B........................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	691760
Entropy (8bit):	6.65005121490335
Encrypted:	false
SSDEEP:	12288:z9dSp9WkHCGswmfwHaG3qNeNCGWmQ47/KkRjDMfZVt1UE3HZyr9oUTB2O:Ra7HCXwmfwHRI+HWmQ4HRjDIZVt1UE3a
MD5:	938C33C54819D6CE8D731B68D9C37E38
SHA1:	5DEBC5AECEA887D17E342E3651006E1DB351034F
SHA-256:	E705895392ACD9768F413E35545C6581B3BAC8C05DCE97BC9AF6A37BE7CB7DE3
SHA-512:	16DEAF3B8C9A29B73D6530474F2A0BF5AC756D44A04D2468464FB78C9048CA9F1E1EBBCC91ADFC74963B7083B0381A47F76C70BADDEB44026C969125EA1C929A
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe, Author: Joe Security
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c..........................................@.................................6............@...............................-...p...~...........:..0T.........................................................................................text...P........................... ..`.itext..t........................... ..`.data....5.......6..................@....bss....le...............................idata...-..........................@....tls....8................................rdata..............................@..@.reloc.............................@..B.rsrc....~...p...~..................@..@.....................:..............@..@................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\FLIEAC

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	2713088
Entropy (8bit):	7.9358560764847
Encrypted:	false
SSDEEP:	49152:gCE0mvBnEwvJm7T8UyHNzeBBHKZlYU13/1wUqq7vf2h0Vw:gCZmvBEqUyHcclt/mUCOa
MD5:	C625FE50C8CBC877CBFAF1D5212F02C0
SHA1:	90763CBEB446C7638F80851E55AF9976285DC56C
SHA-256:	F8890DFA4609D9CB2CA685339468C5256356066CF91AB13C9A771A3B8A566D12
SHA-512:	898703B75D27A9EE5055965BE16D7DEFA482A4199D6C008E539A0102230743AD4540945B76E78804F4CFA99D3DE79B9584D91F6C74C3FF2E6B8F4CC09E7F472C
Malicious:	false
Preview:	...SLSSSOSSSPPSS.SSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS[SSSA..AS.J...R..................................FFE.SSSSSSSB.....t5..t5..t5..x5..t59..5..t5y.~5..t5...5..t59..5..t5..u5..t5...5..t5..t5..t5...5..t5..p5..t5......t5SSSSSSSSSSSSSSSS..SS.RLSd..SSSSSSSSsSA.DRISS.SSCSSS3.S.E.SS#.SSC.SSSSCSCSSSMSSOSSSSSSSOSSSSSSSS..SSOSSSSSSMSSSSSCSSCSSSSCSSCSSSSSSCSSSC..S.SSSSC.SCMSSSSSSSSSSSSSSSSSSSSSSSSSS...SGSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS....SSSSS3.SSCSSSSSSSOSSSSSSSSSSSSSS.SSs....SSSSS.SS#.SS.SSOSSSSSSSSSSSSSS.SSs....SSSSSCSSSC.SSOSSS.SSSSSSSSSSSSS.SS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS....S....FJKH

C:\Program Files (x86)\DnLIMGKCARTO\yybob\HipsdiaMain.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	6.561876036819077
Encrypted:	false
SSDEEP:	768:iRsOLyueUFANmFloKvQX29dQ0pkZloKvQX29dQ0pkfo3MbvM1kvdCr+y:iRsJgO4lCXy60AlCXy60vcbvM1idCv
MD5:	0252D997E8633929A793DA5CD9F1A078
SHA1:	1C266679F251E9A82E64C0E0E3B0EE41842417DB
SHA-256:	246EB43F8272FBE34A5F45C5F91D109DD38C3A2B6967DF47D9A88322449F767D
SHA-512:	9FA44873C27638465485A427EBE486D0E047BB143F32E89CCF9FC0D360030D10ADAAA10C75742ABC3035C5A1428C258E49E8FE83C162743CDEE01D2E5B9A63ED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Jo.TJo.TJo.T%.UTHo.T%.WTOo.T%.cTAo.T%.bTHo.TC.ZTOo.TJo.T.o.T%.fTNo.T%.RTKo.T%.TTKo.TRichJo.T........................PE..L......g...........!.....>...................P............................................@.............................].......P.......................................................................@............P..D............................text....=.......>.................. ..`.rdata..M....P.......B..............@..@.data...$...........................@....reloc..(...........................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\PackageMgr.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	107120
Entropy (8bit):	6.416041804489009
Encrypted:	false
SSDEEP:	1536:ABHJ2sevEPtUiDHPsG78SkqRsEKk2UaWD+Ug1phiaeBvNdiizK3xg+rd3XjxxyhS:eHAR6tHDp/acgrItvNdiizK3xg+FXOS
MD5:	773D6EC38151B301FB8E45B4043E2E9F
SHA1:	475A42DD7FF0417D6826187F37AA3B5FFA65AE50
SHA-256:	E15E52A68BA167C0E6683EAFA3102079BBD0262EF5BF1005FE5A3B492374F66A
SHA-512:	FFDEEA69581B7C25CF5DC83A9803E94AB83D6C19254F5DE474240DAD3B630386D8D401B7A5EA25F97B1BF068D95266D53AD6324362E7CF94B1F326DAA9B5A1EF
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......L.,7.iBd.iBd.iBd...d.iBd37Ae.iBd37Fe.iBd.0Ge.iBd37Ce.iBd37Ge.iBd..d.iBd..d.iBd..d.iBd.iCd.iBd.7Ge.iBd.7Be.iBd.7.d.iBd.i.d.iBd.7@e.iBdRich.iBd........................PE..L.....3b...........!................(...............................................&.....@..........................=.......>..,....................p..p2......$.......T...................d...........@............................................text............................... ..`.rdata...P.......R..................@..@.data...$....`.......:..............@...minATL.......p.......F..............@..@.gfids...............H..............@..@.tls.................J..............@....rsrc................L..............@..@.reloc..$............^..............@..B........................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMAVProxy.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	99952
Entropy (8bit):	6.458473763443854
Encrypted:	false
SSDEEP:	1536:ZAUmWga/j5/IEHE2BzIfjwpDvdxeR1Ay01A4F1519hTnZmjjxy:jm+JrHElE9SRuy0hFX19hTZmM
MD5:	D902AF6BDCB8F3D47CC7A26B7F5AF840
SHA1:	B42E2C429F60551CAFDD92F5024DA7EDEC1270EB
SHA-256:	ADD79DE18ECBDEEC06D9765B2308FDBEAB3F788382A07D6235B614CA58BDA2B8
SHA-512:	1D55DC22AD3317622C3AE502B4B329B25DA6EB03D5FE8D2F4F7319110A196CDF08BD5E5DBB6322D6FC12B3C4472C629F9F64523FB23928E0433F96D0C8098911
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$...J...J...J.......J...N...J...I...J.g.....J...K...J...O...J...N...J...L...J...K...J.ys....J...K...J...C...J...J...J.......J...H...J.Rich..J.........PE..L...!8.d...........!................1...............................................v.....@..........................;..T...T;.......`..`............T..p2...p..t...4...p...............................@...............0............................text...%........................... ..`.rdata...h.......j..................@..@.data........P.......8..............@....rsrc...`....`.......<..............@..@.reloc..t....p.......@..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMDns.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51312
Entropy (8bit):	6.588801090147588
Encrypted:	false
SSDEEP:	768:gmaAkOI8/UgAXuuMnw415frUK5yPPTnDG3318RU7yw2MvZDGjENAMxaJ:gmPNN7wU5frbcba318aJjjxaJ
MD5:	BF125A12E9CE8568AADD6A9EE11C696D
SHA1:	4B8CF25506F5729D485171DECAA152B32EF2AFBF
SHA-256:	72C9E45E029115541AEBA55243BED56CCB5E594E50CE26DEFDE76D35B5B892C4
SHA-512:	B2FDCE478034312D7C7911F83E5A56DA505F9D5FF351CA74A8718B4256BB91DCBF341A268349DC992C7232A9B012BD986224BD650F7141261F8D38E9DCC43318
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........T...T...T...].f.X......._.......W.......B.......P....;.U....>.]...T..........v......U......U......U...RichT...........................PE..L....1.d...........!.....H...R......7L.......`......................................qi....@.........................`...4...............X...............p2......p...p...p...............................@............`..d............................text...3F.......H.................. ..`.rdata...7...`...8...L..............@..@.data...\...........................@....rsrc...X...........................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMEventBus.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92272
Entropy (8bit):	6.543211290485113
Encrypted:	false
SSDEEP:	1536:5MUmmeVWAcHeFzyWQ+lh5W0pkw01pPafkNA0tDq3NnqFBjxxP:5MUsVF6eFvPPWBw01ofkNA0E3NnsBj
MD5:	23E97B1438152A4328FA97552F8B9AA1
SHA1:	F95D191EB1E6DDBCA5B20FAC2D0746FEBB0B2C12
SHA-256:	17CBD8771713566BEB469B300D34782986EF325582DCB575C4FB35C1FB397A9E
SHA-512:	FA497B5F806D851717C920755E245E65CDBF5CEFCE0975DA33A43C88005474F87D006FFEFE111A199ABF4FC68CA640CD18709FEDFC376FC64E6D6CC272D816A7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X\...=.N.=.N.=.N.E.N.=.N.2.N.=.NNH.O.=.NNH.O.=.NNH.O.=.NNH.O.=.N..ZN.=.N.=.N.=.N.._N.=.N.H.O(=.N.H.O.=.N.HkN.=.N.H.O.=.NRich.=.N................PE..L....2.d...........!.........z......e................................................[....@..........................&......('.......`...............6..p2...p..`.......p...........................8...@............................................text...}........................... ..`.rdata..VS.......T..................@..@.data... ....@......................@....rsrc........`.......$..............@..@.reloc..`....p.......&..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\TDPCONTROL.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1063616
Entropy (8bit):	6.674869382282474
Encrypted:	false
SSDEEP:	24576:2ODivXdRxWmQOhfbV5l7kZLWfGPeu/PUw6WmARlXDMmH6PBzT/Cn+m4q:2OuvbfGZGGKJT/Cn+Fq
MD5:	4FF45827EC92E40935F9939142CD40DC
SHA1:	CAD74928F3387E6BF28C3625803706061E956B34
SHA-256:	012ED8D16E9F7586FE44C0AFFE5BEA6FF68F27231A6526D439643869A103E434
SHA-512:	A3DFE7976E5FFB4BA0C68E218C0924568D343E7937ABB50785107DE5E0ADC11AD58A86E02FABB455845FBE8E545E48B57A67EB647C664390ED521D255FF3BEFE
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...~/._.....................j...................@................................. ...................................{........3.......................@...........................................................................................text...0z.......\|.................. ..`.itext.............................. ..`.data...D...........................@....bss.....e...@.......0...................idata...3.......4...0..............@....edata..{............d..............@..@.reloc...............f..............@..B.rsrc................V..............@..@....................................@..@........................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\TDPINFO.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	7.484270190239562
Encrypted:	false
SSDEEP:	768:tUqX/E3rJA4ZX6xUrLGwk9xAlvcuHnYoq7MNC3Il:tUc/+vKGnax8ESY17WkI
MD5:	63F6D9FECB240388D69CB668CFE50C00
SHA1:	2B67BB8AA45A9D0383E76F15E631C1131B28BB1E
SHA-256:	678D6ED15F6150BFD5BA8E823CF877C32BB492E8557E107FAC77143DAD3724F1
SHA-512:	176B096493206D2DADB17D778E959855DEEF0EC8D5343C09790CA6C067A338ECE44138FA9081888CAA2228A041D2A8C71B085AD8FEFAFE479505F667F6D2B7E6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#;\.gZ2.gZ2.gZ2..F<.rZ2.Q\|8..Z2..Uo.bZ2.gZ3.7Z2.Q\|9.sZ2.gZ2.fZ2..E9.eZ2..E6.fZ2.RichgZ2.................PE..L.....lf...........!.............p..................................................................................0...l...........................................................................................................................UPX0.....p..............................UPX1.............v..................@....rsrc................z..............@......................................................................................................................................................................................................................................................................................................................................................................................................4.21.UPX!....

C:\Program Files (x86)\DnLIMGKCARTO\yybob\TDPSTAT.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	388808
Entropy (8bit):	6.5956896905460125
Encrypted:	false
SSDEEP:	6144:B9su6Bohl2JJmgk1G8M0uQoRkQsKwxBF6CaSIU9ILZxxB5ARUWvAX+E:BSohl2JJmgk1U3QMkQsTx3paSIUixGRI
MD5:	B8253F0DD523BC1E2480F11A9702411D
SHA1:	61A4C65EB5D4176B00A1FF73621521C1E60D28EA
SHA-256:	01CEE5C4A2E80CB3FDAD50E2009F51CA18C787BF486CE31321899CCCEDC72E0C
SHA-512:	4C578003E31F08E403F4290970BC900D9F42CAA57C5B4C0ACA035D92EDC9921BF4034FC216C9860DA69054B05F98DADE5F6E218AC4BEE991BC37A3EF572FE9A0
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...8..^..........................................@..........................P..........................................c....p...........N...............<.......g..................................................Ts..P............................text...T........................... ..`.itext.............................. ..`.data....).......*..................@....bss....<X...............................idata.......p......................@....edata..c...........................@..@.reloc...g.......h..................@..B.rsrc....N.......N...d..............@..@.............P......................@..@........................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\Toolbox.ico

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	MS Windows icon resource - 6 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	104864
Entropy (8bit):	3.9053747079480448
Encrypted:	false
SSDEEP:	384:0ePYp7777777777FaTLcbLLLLEW/+Z+Z+I1m5aaaaaaaaaMsJju5wU4XcG8jUEPE:n7sAacGgUEc
MD5:	6CCA9307DEAF7B167C92BBE3D2AC59CA
SHA1:	FE2A51B84BD203BA0AEA43D50D664B1632F3B0B0
SHA-256:	771E0C7FF0514650DF7C62E237A8D8DDFA2D156A8B18473AE647E6684A483178
SHA-512:	C1E4639BCFF0C18713116973524E7527BEE31307C33AF2048F617CE0460580A2FEE88FF6E347F87C799AC990F4BCCB97A2FCEBCB82AD4A926EE95F211A033368
Malicious:	false
Preview:	............ .h...f... .... .........00.... ..%..v...@@.... .(B...;........ .(...F}........ .2...n...(....... ..... .....0....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v...w..w.........u...w..w..w..w..x.......\|...w..w..w...n...x...x...x...x...x...x...x...x...x...x...x...x...x...x...n...o...w...x...x...x...x...x...x...x...x...x...x...x...x...w...p...p...n..y...z...u...u...u...z...z...u...u...u...z...y...n..p.......p...s..w...w...w...w...w...w...w...w...w...w...s..p...........................m.p.p

C:\Program Files (x86)\DnLIMGKCARTO\yybob\UPSDK.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1165576
Entropy (8bit):	6.491752155251347
Encrypted:	false
SSDEEP:	24576:ptf4OLWmQQ3b6ZVtecP3Ufy/ilDqzybXIZ0xKHpWq0dGcz7msH0WQWmAdA7yJBzA:tLDlDgRGxKHpSJ28TU
MD5:	D75E14313FC8A0850F3190CE67509475
SHA1:	74474830BC0706E5C0A8B455A4E1B47D9F1DE741
SHA-256:	E5C711BDB99AB55EBD96B3636C7396566C98ACFFD03DF735A15F1E18936A718A
SHA-512:	A4260F1A9A77BC41FC54532BDBF51F831004767E08150BFF95374663930BBE4FCA81790AA4578C062674557A02A698EA798CFC00F2355F6B8FA71BF2915CBAAA
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......`..........................................@..........................0.......4...............................`..e....@..v........^...............A...p...Y...................................................C...............................text...x........................... ..`.itext.............................. ..`.data....".......$..................@....bss.....Y...............................idata..v....@......................@....edata..e....`......................@..@.reloc...Y...p...Z..................@..B.rsrc....^.......^...*..............@..@.............0......................@..@........................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\libcurl.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	333824
Entropy (8bit):	6.389952178495305
Encrypted:	false
SSDEEP:	6144:WyEhWbJNOcWd55OHSCw1ohITXVvrJGqdK2Dug6dGXLSuMAFi2TBfR:Wlu1IjOIohILJrc4Ezui2TdR
MD5:	EC9483F4B8C3910B09CAAB0F6CB7CD1B
SHA1:	9931AAA8E626DF273EE42F98E2FC91C2078FDC07
SHA-256:	4D9CAE6E2E52270150542084AF949D7B68300E378868165FF601378A38F7048F
SHA-512:	84B60FE3CD0EDE19933B37AE0EAEBA1F87174A21BC8086857E57C8729CEC88F9FEF4B50A2B870F55C858DD43B070FD22FFEC5CB6F4FD5B950D6451B05EB65565
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..S...........#................ .............$k................................. ........ .........................c.... .......`.......................p..\|$...........................P......................."..h............................text...T...........................`.P`.data...t...........................@.`..rdata..L.... ......................@.`@.eh_fram............................@.0@.bss..................................`..edata..c...........................@.0@.idata....... ......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..rsrc........`......................@.0..reloc..\|$...p...&..................@.0B........................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp100.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.297676823354886
Encrypted:	false
SSDEEP:	12288:koBFUsQ1H5FH3YUTd/df0RA7XkNvEKZm+aWodEEiblHN/:dFUsQ1H5FHdGKkNvEKZm+aWodEEcHN/
MD5:	D029339C0F59CF662094EDDF8C42B2B5
SHA1:	A0B6DE44255CE7BFADE9A5B559DD04F2972BFDC8
SHA-256:	934D882EFD3C0F3F1EFBC238EF87708F3879F5BB456D30AF62F3368D58B6AA4C
SHA-512:	021D9AF52E68CB7A3B0042D9ED6C9418552EE16DF966F9CCEDD458567C47D70471CB8851A69D3982D64571369664FAEEAE3BE90E2E88A909005B9CDB73679C82
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$..-`..~`..~`..~i.4~b..~{.;~c..~`..~...~..?~a..~{.9~a..~{..~P..~{..~Y..~{..~e..~{.<~a..~{.=~a..~{.:~a..~Rich`..~........................PE..d.....M.........." .........f.......q........cy..........................................@.............................................m......<....P...........=...0..P....`.......................................................................................text............................... ..`.rdata..-...........................@..@.data...0L.......8..................@....pdata...=.......>..................@..@.rsrc........P......................@..@.reloc..R....`......................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp110.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	661456
Entropy (8bit):	6.2479591860670896
Encrypted:	false
SSDEEP:	12288:akhiz9iVQi6mpiyMATITfluR3G1YdpTzYJQIbRdJN2EKZm+DWodEEt2L:WaQeIJN2EKZm+DWodEEt2L
MD5:	7CAA1B97A3311EB5A695E3C9028616E7
SHA1:	2A94C1CECFB957195FCBBF1C59827A12025B5615
SHA-256:	27F394AE01D12F851F1DEE3632DEE3C5AFA1D267F7A96321D35FD43105B035AD
SHA-512:	8818AF4D4B1DE913AAE5CB7168DCEC575EABC863852315E090245E887EF9036C81AABAF9DFF6DEE98D4CE3B6E5E5FC7819ECCF717A1D0A62DC0DF6F85B6FEEB8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.:..si..si..si~`.i..si..ri^.sis.i..si...i..sis.i..sis.i..sis.i..sis.i..sis.i..sis.i..sis.i..siRich..si................PE..d......P.........." ........."......<........................................p......L+....`..........................................3......l...<...............0E.......=... ..,....(..............................`...p............ ...............................text...:........................... ..`.rdata....... ......................@..@.data...p.... ...:..................@....pdata..0E.......F...D..............@..@.rsrc...............................@..@.reloc..FJ... ...L..................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp120.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	660128
Entropy (8bit):	6.339650318935599
Encrypted:	false
SSDEEP:	12288:t2TOv4Zur4nRc4RwlG4xH2F+O+/i2UA3YyB2hxKM5Qrt+e2EKZm+GWodEEwIP:qRhxKM5U2EKZm+GWodEEw4
MD5:	0A097D81514751B500690CE3FC3223FA
SHA1:	7983F0E18D2C54416599E6C192D6D2B151A2175C
SHA-256:	E299B35D1E3B87930A4F9A9EF90526534E8796B0DEF177FB2A849C27F42F1DF2
SHA-512:	74639F4C2954B5959EB2254544BF2E06AB097219FC8588A4F154D1A369B0657176128C17911958C84ED55421FE89BF98C8ED36D803A07A28A7D4598DB88027CE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Ca.=...n...n...n..)n...n...n...n.R?n...n..%n...n.R=n...n.R.n4..n.R.nJ..n.R.n...n.R>n...n.R9n...n.R<n...nRich...n........PE..d......V.........." .....@...................................................`.......H....`.........................................pU.. ....2..<....@...........G.......>...P.......X..................................p............P...............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data........P...8...B..............@....pdata...G.......H...z..............@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	449280
Entropy (8bit):	6.670243582402913
Encrypted:	false
SSDEEP:	12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
MD5:	1FB93933FD087215A3C7B0800E6BB703
SHA1:	A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
SHA-256:	2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
SHA-512:	79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L....(.[.........."!.....(..........`........@............................................@A.........................g.......r...........................?.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140_1.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31528
Entropy (8bit):	6.472533190412445
Encrypted:	false
SSDEEP:	384:R77JqjlI8icUYWhN5tWcS5gWZoMUekWi9pBj0HRN7RA5aWixHRN7osDhzlGs6N+E:R5D8icUlX5YYMLAWRAlypmPB
MD5:	7EE2B93A97485E6222C393BFA653926B
SHA1:	F4779CBFF235D21C386DA7276021F136CA233320
SHA-256:	BD57D8EEF0BC3A757C5CE5F486A547C79E12482AC8E694C47A6AB794AA745F1F
SHA-512:	4A4A3F56674B54683C88BD696AB5D02750E9A61F3089274FAA25E16A858805958E8BE1C391A257E73D889B1EEA30C173D0296509221D68A492A488D725C2B101
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U..\4~.\4~.\4~...^4~.UL..X4~.Dz.[4~.D}.^4~.\4..v4~.D..Y4~.D{.O4~.D~.]4~.D..]4~.D\|.]4~.Rich\4~.........PE..d...W8.^.........." .........$............................................................`A.........................................>..L....?..x....p.......`..4....:..(A......p...@3..T............................3..0............0..0............................text...(........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..4....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140_2.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	193832
Entropy (8bit):	6.592581384064209
Encrypted:	false
SSDEEP:	3072:V7vC/HAiCsJCzwneNPXU7tm1hTt8KBDal8zg/0LwhORfewlMi0JHV:VTGAtweN85m1f8KBI9wfpsJH
MD5:	937D6FF2B308A4594852B1FB3786E37F
SHA1:	5B1236B846E22DA39C7F312499731179D9EE6130
SHA-256:	261FBD00784BB828939B9B09C1931249A5C778FCEAD5B78C4B254D26CF2C201F
SHA-512:	9691509872FDB42A3C02566C10550A856D36EB0569763F309C9C4592CAF573FBB3F0B6DC9F24B32A872E2E4291E06256EAE5F2A0DEB554F9241403FD19246CAC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........94..Wg..Wg..WgVt.g..Wg..g..Wg..Sf..Wg..Tf..Wg..Vg..Wg..Vf..Wg..Rf..Wg..Wf..Wg...g..Wg..Uf..WgRich..Wg........................PE..d...W8.^.........." ................p............................................... .....`A........................................ ..................................(A...........K..T........................... L..0...............P............................text............................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr100.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr110.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	849360
Entropy (8bit):	6.542151190128927
Encrypted:	false
SSDEEP:	24576:I+9BbHqWVFlB7s2ncm9NBrqWJgS0wzsYmyy6OQ:z9d7M3nS0wV
MD5:	7C3B449F661D99A9B1033A14033D2987
SHA1:	6C8C572E736BC53D1B5A608D3D9F697B1BB261DA
SHA-256:	AE996EDB9B050677C4F82D56092EFDC75F0ADDC97A14E2C46753E2DB3F6BD732
SHA-512:	A58783F50176E97284861860628CC930A613168BE70411FABAFBE6970DCCCB8698A6D033CFC94EDF415093E51F3D6A4B1EE0F38CC81254BDCCB7EDFA2E4DB4F8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........c.O.0.O.0.O.0.O.0}O.028g0.O.0?..02N.0?..0.O.0?..0.O.0?..0wO.0?..0.O.0?..0.O.0?..0.O.0Rich.O.0........................PE..d...n..P.........." ................l3.......................................@............`..........................................E.......1..(............... g.......=......8...`6..............................P...p............0...............................text............................... ..`.rdata.......0......................@..@.data...(q.......@..................@....pdata.. g.......h...(..............@..@.rsrc...............................@..@.reloc...".......$..................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr120.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	963744
Entropy (8bit):	6.63341775080164
Encrypted:	false
SSDEEP:	24576:lQ39+j16xw/86yY4ZOVqSs8cKPkb3vi4vwW1kCySQmWymTXY:S3tPDLfRbiow9Cyo
MD5:	E2CA271748E872D1A4FD5AC5D8C998B1
SHA1:	5020B343F28349DA8C3EA48FB96C0FBAB757BD5C
SHA-256:	0D00BF1756A95679715E93DC82B1B31994773D029FBBD4E0E85136EF082B86A9
SHA-512:	85D6BCAAF86F400000CF991DA1B8E45E79823628DC11B41D7631AA8EE93E500E7DA6E843EA04EDB44D047519DABEF96DCB641ADC2A7B3FAA5CD01E8A20B1F18E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F=&^'Su^'Su^'Su..u]'Su^'Ru.'SuSu.u.%SuSu.uo'SuSu.uh'SuSu.u.'SuSu.u_'SuSu.u_'SuSu.u_'SuRich^'Su........PE..d......V.........." .....j...:.......)..............................................+l....`.....................................................(............@...s...v...>......8...p................................2..p............................................text...eh.......j.................. ..`.rdata...9.......:...n..............@..@.data...hu.......D..................@....pdata...s...@...t..................@..@.rsrc................`..............@..@.reloc..8............d..............@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\oDayProtect.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57456
Entropy (8bit):	6.555119730119836
Encrypted:	false
SSDEEP:	1536:h4WOg3TER/nhU8Vbbb8O0WWVYgaatjJxl:h4WOg3TSr78O0WWVYg5tJ
MD5:	00FCB6C9E8BD767DDE68973B831388E9
SHA1:	2D35E76C390B8E2E5CA8225B3E441F5AC0300A02
SHA-256:	1CC765B67D071060C71B4774C7745575775CE46E675E08620E5BAB3B21B2CE79
SHA-512:	2B48701B5F4B8F1EB7FC3EB9A76370883FE6CAF45D92DA607AB164F93E0EED65D6C1369D4EA974A112C902FD0F5BAF06E7611ECB9B50BE3A599F261624B33BA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[..]..............3.....M......M......M......M.......{n......{k............................._.......7............Rich............PE..L...m>.d...........!.....`...R......._.......p............................................@...........................................P...............p2..............p........................... ...@............p..\............................text...._.......`.................. ..`.rdata...4...p...6...d..............@..@.data...$...........................@....shared.............................@....rsrc...P...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\vcruntime140.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	101872
Entropy (8bit):	6.5661918084228725
Encrypted:	false
SSDEEP:	1536:RCKWZGuEK0mOLSTxoPl9GIcuZrxi4hXX9oix8H+NCIecbGShwZul:RFWY1WxgGStJ8H2CIecbG36
MD5:	971DBBE854FC6AB78C095607DFAD7B5C
SHA1:	1731FB947CD85F9017A95FDA1DC5E3B0F6B42CA2
SHA-256:	5E197A086B6A7711BAA09AFE4EA7C68F0E777B2FF33F1DF25A21F375B7D9693A
SHA-512:	B966AAB9C0D9459FADA3E5E96998292D6874A7078924EA2C171F0A1A50B0784C24CC408D00852BEC48D6A01E67E41D017684631176D3E90151EC692161F1814D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w.............t:..............................................................Rich....................PE..d.....t^.........." .........^.......................................................e....`A.........................................0..4....9.......p.......P.......L...A..............8........................... ...0............................................text...2........................... ..`.rdata...?.......@..................@..@.data...0....@.......4..............@....pdata.......P.......8..............@..@_RDATA.......`.......D..............@..@.rsrc........p.......F..............@..@.reloc...............J..............@..B........................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\vcruntime140_1.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44312
Entropy (8bit):	6.623047237297825
Encrypted:	false
SSDEEP:	768:vG3xRsJTKdiibUoT2zvivbXXyJWqWZ8DZX:vG7DyM22DiJMCtX
MD5:	9040ED0FDF4CE7558CBFFB73D4C17761
SHA1:	669C8380959984CC62B05535C18836F815308362
SHA-256:	6CC4315DACEB0522816C60678344466CB452426267F70C7FAAE925361674E774
SHA-512:	303143006C781260540E9D0D3739ACC33F2D54F884358C7485599DD22B87CCE9B81F68D6AD80F0F5BB1798CE54A79677152C1D3600E443E192AECD442EA0A2E4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j&=..Hn..Hn..Hn@..n..Hn!fIo..Hn.s.n..Hn..In..Hn!fKo..Hn!fLo..Hn!fMo..Hn!fHo..Hn!f.n..Hn!fJo..HnRich..Hn........PE..d....h.].........." .....:...4.......A..............................................?.....`A.........................................j......<k..x....................l...A......(....a..8...........................0b...............P..X............................text...t9.......:.................. ..`.rdata..P ...P..."...>..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..(............j..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\zeropmgr.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	415128
Entropy (8bit):	6.6210531109184965
Encrypted:	false
SSDEEP:	12288:l6LJqy9H1aBwUuL7/z+3Eh5sJfcAX09UcO9d:cCuLf7KfcAX09tO9d
MD5:	C499B812979EA663E6ED6A21AFF9255D
SHA1:	FE80FDDA3EB377956E8912868A5171D1D499517A
SHA-256:	DE18B8D7D975E0F757DD943EEABA8F1CFF7C7C5AB1CC14288D7AC5B13CAE49C2
SHA-512:	9D1BB3EC4B3F0679C7DE059B45D19A3786A9CF4E107B804F10638ED01D5A5F4282321CE371B76C3CDCBE2D25857474E8A7C540020EB3A6A3F6B2576866B58ED9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........}[x..[x..[x...76.Zx..R.5.Lx..R.#..x..E$.^x..R.$..x..\|...Zx..\|...Bx..[x...x..R..kx..R.2.Zx..E*4.Zx..R.1.Zx..Rich[x..........PE..L....@.c...........!.........L...............................................p............@.............................................................I... ..@/...................................=..@...............<............................text...p........................... ..`.rdata..............................@..@.data....d.......2..................@....rsrc...............................@..@.reloc..$F... ...H..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\zpthdo.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	821640
Entropy (8bit):	6.80570349308525
Encrypted:	false
SSDEEP:	24576:rAwdhdGhfsJRv5SKCqMsPk79yvwXl/N95:rAw7MfsJRRSGMsPkRYqV
MD5:	96AB7D0CE0AB68697D2B5736A2A8EF46
SHA1:	51FF7B82ECF28442C56BAC4F57D30AC3F0AEAA5D
SHA-256:	CE0A8DD9BAD2E32681E475C52852251F1B0A20D67013DADEEDE7C2D501302F3D
SHA-512:	35AD7EAFD8650C89E0B9123B3A7DC839D922CDEC4C22E1969642DAF0E3D9D45D3F60663987802D1915258F6E62A814D9FA89CE740215F00B86E0F0BB9AE4B577
Malicious:	false
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$..........[.z...z...z..u$...z..H....z.......z.......z..`."..z..`.!..z..L....z..H....z....F..z.......z..J....z..N....z..N....z...z...z..L....z....P..z....@..z...z..5{..N....z..N....z..N.,..z...zD..z..N....z..Rich.z..................PE..L......^...........!.........D.......a....... ............................................@.........................`...............@...............R...6...P...d...f..p....................g......pf..@............ ..0............................text............................... ..`.rdata....... ......................@..@.data... i.......(..................@....rsrc........@......................@..@.reloc...d...P...f..................@..B........................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerFQ\DAN_127.msi

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 936, Revision Number: {7CE79A54-E11F-4229-A93E-21F771890BDE}, Number of Words: 2, Subject: Windows, Author: OfTSPRPNPSST, Name of Creating Application: Windows, Template: ;2052, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	3602944
Entropy (8bit):	6.538115356090411
Encrypted:	false
SSDEEP:	49152:sRnlGFAvHZXm1+O0q2+cZfsZU80OO62wOR4UkrfH1OrEMBZX26PH2ca9G/uaJEif:MkFA/qStOwkR2uayisdSHiT
MD5:	1710CA6F5DF19A22D1567959DE401886
SHA1:	1C0788860A40E4AE60B0AFB8589C5B2083B2CCA2
SHA-256:	826AB605E90D51A715C05D91DD249958D56BE5B053B8B9BAB1F61480C506C3F1
SHA-512:	AE33B8131DB853B48C34877B977D47F701CF99DACA8FAADBDA703E97857AA1AC557D199CE3A1DC10E3115AFFD5603EB1E5468CD7D31A1B59745726ADE6870875
Malicious:	false
Preview:	......................>...................7...................................U...V...W...X...Y...Z...[...\...]...^...x...............................................6...............................................................................................................,...-...............................................................................................................................................................................................................................................p...............................A.../...:....................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-.......8...0...1...2...3...4...5...6...7.......9...;...N...<...=...>...?...@...D...B...C...J...E...F...G...H...I...L...K...M.......q...O...P...Q...R...S...T...............................................`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Program Files (x86)\WindowsInstallerFQ\DAN_1271.cab

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	Microsoft Cabinet archive data, many, 51185352 bytes, 122 files, at 0x44 +A "QKFJSGCGWGRQ" +A "uni_links_desktop_plugin.dll", flags 0x4, ID 1234, number 1, extra bytes 20 in head, 2678 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	51193192
Entropy (8bit):	7.999059623060062
Encrypted:	true
SSDEEP:	1572864:y/hb6GmIcUGtvclhGSjkcrABpYhpeWeiTj:Qheec1tvclsSjsBuhpeJuj
MD5:	E2EE5973CEEAEEC5837DE3C99D4933BD
SHA1:	58725C93C676FFFC44A59F74C8C7F9942A52B2FF
SHA-256:	8404BA9F3312B0D92BD64CFB92A7B3CCD2B2D4358A5F4BE6AC008ECB4416253C
SHA-512:	BA41BEB1AB9D7A8FC947584AD4F4EF371706E96C7C8FB856820F1CC1811F2BC7AA33BC891214684E885ECA0825A817692C5BCA6176D98DE3F93CC2456970AE01
Malicious:	false
Preview:	MSCF............D...........z...................................v.............sY.a .QKFJSGCGWGRQ...........[XRu .uni_links_desktop_plugin.dll..0..a.....[XRu .url_launcher_windows_plugin.dll...........[XRu .WindowInjection.dll..V........[XRu .window_manager_plugin.dll.....q.....[XRu .window_size_plugin.dll.....!. ...sY.a .TP453990d4df32.TPL...... ...UY.> .ovftool_open_source_licenses.log....... ...sY.a .TroPoxE_Plus.......!...fYMI .TroPoxB_Plus..6...k,...dY.. .TroPoxZ_Plus.....A....TE. .lockkrnl.dll.H....8K....L-. .MiniUI.dll.H....FY....D.. .mobileflux.dll.....D.[....U.. .NetDefender.dll.H'....a....D.. .NetDiagDll.dll..>..$.g....WKq .Netgm.dll.`$...Zl...eL. .NetmLogin.dll.Hs..l~t....D.. .NetmonEP.dll.H.....v....N.. .netmstart.dll.......y...3W.. .NetmTray.dll..l...T}...3W.. .NetmTray64.dll..........iV.~ .NetSpeed.dll.pb...`....3F.Z .NotifyDown.dll....$....KW9^ .np360SoftMgr.dll.H+...\|.....D.. .npaxlogin.dll.....T.....\TO^ .ntvbld.dll....4.....\TP^ .Ntvbld64.dll......=.....T.. .PD

C:\Program Files (x86)\WindowsInstallerFQ\holder0.aiph

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	data
Category:	dropped
Size (bytes):	51193192
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	C2AA948E11A480EC3B029E49C0F3A813
SHA1:	4C6D97B643290DF8CD6544E3A9845C796A1FA1C5
SHA-256:	6FD2C3388A9F7986E9D79C7C4747A0AD1800E3BC367060D49EA0C32C243DDD94
SHA-512:	C5118635086A6B595969E6A6900B7D032489B9F8FDEEBDA1D2197B29018AFA3B02B41EBDC21694A6BF07849A3DD831F339F1E05384F37B532252070288CAE049
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.150184159866505
Encrypted:	false
SSDEEP:	6:kKNEtL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:GiDnLNkPlE99SNxAhUe/3
MD5:	FC4A8DE2B31D790AE860AB4C9AD3875C
SHA1:	F6CEA6BE799E2C8BF431140014F5D8359D772BDF
SHA-256:	D97852CE3D4B50ECC7FDABC252ACD461912095ED5116DCFD09A1D521E13E4269
SHA-512:	45D7D5E3322874BCFD8CCB4AF063DD463C5CEEA7039BE6272A106C4B96963664DF2DC27457AF2A27DD013777007A3A07296B2A3D501B8C54C541C101A4B68C26
Malicious:	false
Preview:	p...... .........N=UE?..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\AdvinstAnalytics\6627be3e20a59ade4c1add8b\1.1.6\tracking.ini

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	27
Entropy (8bit):	4.088220835496803
Encrypted:	false
SSDEEP:	3:1EyEeBn:1BEYn
MD5:	4AE8A010782B10391BA0AF6F4DC3B667
SHA1:	48999DD7C62D642974049463C4418457572177D5
SHA-256:	C0B2445FCAA83FA4F12DCCEB286EAEB5D278E06DC27E549F49E1547B36A046D5
SHA-512:	96C1551461FDAFFDF8B9F37198FB2BC1CD18B0B27494E94705DD6A2AA1F4EA17C5014E0F2C54E6B436D796BED334FD6AD637D374804ED1815488D4801FC183E6
Malicious:	false
Preview:	[General]..Active = false..

C:\Users\user\AppData\Local\AdvinstAnalytics\6627be3e20a59ade4c1add8b\1.1.6\{F052583D-7C4F-4520-862B-FF9C921967A6}.session

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	13629
Entropy (8bit):	5.407495155353066
Encrypted:	false
SSDEEP:	384:LRioAPJDOUWgvjtM7UYr7+c6ejdwuOh3KYMtVFcfrw3DyklUC0R+:LRioAPJiUWgvZM7UYr7+c6ejdwj3KYMV
MD5:	67B836CC4437E332969E643571F96157
SHA1:	499B11ED4BE00D4C110FD42AB030A0C07C62DE5C
SHA-256:	97D75D222DB6DCB1883746682A352F9868CE8DB8AB571AAE11AF97CFD85BC414
SHA-512:	7868F5C13CDB5E5CB7CBF869915D4361EADF201BF3EADE31BFEC2014E4ABFF60CF19FD1D0629320D3D47B1A072DB95CD9F6E7BAB1BCDABE157ED64BDCC048BDE
Malicious:	false
Preview:	[Hit {72C13910-A9E0-4CAE-95B5-554879A79384}]..Queue Time = 0..Hit Type = lifecycle..Life control = start..Protocol Version = 3..Application ID = 6627be3e20a59ade4c1add8b..Application Version = 1.1.6..Client ID = 048EA5160EB1FE0DA0E752229B252351CF032B8B..Session ID = {F052583D-7C4F-4520-862B-FF9C921967A6}....[Hit {49C49E17-050E-47CD-BAB8-591097AA6E2B}]..Queue Time = 0..Hit Type = property..Label = VersionNT..Value = 1000..Protocol Version = 3..Application ID = 6627be3e20a59ade4c1add8b..Application Version = 1.1.6..Client ID = 048EA5160EB1FE0DA0E752229B252351CF032B8B..Session ID = {F052583D-7C4F-4520-862B-FF9C921967A6}....[Hit {E0B73398-52A4-4BD0-A20C-529FDAD07577}]..Queue Time = 0..Hit Type = property..Label = VersionNT64..Value = 1000..Protocol Version = 3..Application ID = 6627be3e20a59ade4c1add8b..Application Version = 1.1.6..Client ID = 048EA5160EB1FE0DA0E752229B252351CF032B8B..Session ID = {F052583D-7C4F-4520-862B-FF9C921967A6}....[Hit {9308C884-348C-4DC1-8C00-0117872E8373}]..Queue

C:\Users\user\AppData\Local\Temp\13072\....\Microsoft.TransCompositib.msi (copy)

Download File

Process:	C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	667648
Entropy (8bit):	6.655676024268379
Encrypted:	false
SSDEEP:	12288:G36HjCm6ltuRXQ/g+hVfW2LDzeLA5rJWutAWQSHOALXB:VCm6ltuRXKg+hVfWkDEA5tDuyX
MD5:	BA4ED2E6B25A8C9EDA3DA4CE85A5054D
SHA1:	C3B2EF12347E0C5206B4C3959FA96CD7F064F10C
SHA-256:	31370AB9ECAFEA8528D0C844C34B7721042C93A8E45278C4452B62ABAADE9182
SHA-512:	87C10EA2B82D79BD96CA453D808D937841A45CEE331E5914E5B9A7D6665BB41864D90E08E47F4000C1EEBC64F1E4035B010F545B2068B3604A7B8C87F1D30DBB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........xt..............a.......a..W....a.......l.......l.......l.......a..............l......l......l......l......Rich............PE..L....+.f...........!.....f................................................................@.....................................(.... .......................0...K...[..............................8[..@............................................text...cd.......f.................. ..`.rdata...Z.......\...j..............@..@.data....2..........................@....rsrc........ ......................@..@.reloc...K...0...L..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1732544537\....\Microsoft.TransCompositio.msi (copy)

Download File

Process:	C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	174304
Entropy (8bit):	6.858552596804119
Encrypted:	false
SSDEEP:	3072:Q0HJ5wo1/MJjozYJimE2BamDKigu/fgl1glfdjgBftJeCE5vLEnM7QrRz:/J5wUmhkmDKVuE1gQJeCERLG1F
MD5:	0D318144BD23BA1A72CC06FE19CB3F0C
SHA1:	91A270D8E872EA2A185309CA9CE5D9F08047809E
SHA-256:	60503684F39425C5505805A282EB010ECB8148BBF7EFE9BBA9CF33C507AF7F3A
SHA-512:	A3F3C7D84644B13868AC324947C2D678620E341E368B781D45F244A53F448D6B24BE7B50AC9908728DFBBB74214FCB46902137910E907F14F601518C0EFD215B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.A...A...A...,...H...,...;...,...Y...z...S...z...S...z...d...,...D...A...........C.......@...A...@.......@...RichA...........PE..L...V.]d.............................#............@.................................Z.....@.................................48..<....p..0............`...H...........*..T............................+..@...............$............................text............................... ..`.rdata...^.......`..................@..@.data........@.......2..............@....gfids.......`.......<..............@..@.rsrc...0....p.......>..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\25838\....\Microsoft.TransCompositia.msi (copy)

Download File

Process:	C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	157184
Entropy (8bit):	6.4699325010744015
Encrypted:	false
SSDEEP:	3072:tJpAAXru5+rs45R7H0fABoTRo3hJjfP8mr:tJpAAXru4Fj6soT2LM0
MD5:	C50F56319C92BC129039E3860294AB5D
SHA1:	470ED2516A0FF86F25C7CEBE3084E238CA8879A7
SHA-256:	56E8A343602DDDC6D7B6A787827801A3D2BA69ABAF1C61874EF9286C2D288C6B
SHA-512:	20451481425424167EDF4D8C1562EBD7619D5FA0D4BB46C1C30840C9E63C617F94B281C294E3FBEDD290A76C543E4A1C3518B8E66D919743B9CC1F966D8E0CE0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`. ...s...s...s.w.s...s.w3sr..s.y.s...s...s...s.w2s...s.w.s...s.w.s...sRich...s........................PE..L.....#g...........!......................................................................@..........................=.......6..<...................................................................0...@...............0............................text...C........................... ..`.rdata...^.......`..................@..@.data....:...@.......,..............@....reloc..$........ ...F..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6493546\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	6.561876036819077
Encrypted:	false
SSDEEP:	768:iRsOLyueUFANmFloKvQX29dQ0pkZloKvQX29dQ0pkfo3MbvM1kvdCr+y:iRsJgO4lCXy60AlCXy60vcbvM1idCv
MD5:	0252D997E8633929A793DA5CD9F1A078
SHA1:	1C266679F251E9A82E64C0E0E3B0EE41842417DB
SHA-256:	246EB43F8272FBE34A5F45C5F91D109DD38C3A2B6967DF47D9A88322449F767D
SHA-512:	9FA44873C27638465485A427EBE486D0E047BB143F32E89CCF9FC0D360030D10ADAAA10C75742ABC3035C5A1428C258E49E8FE83C162743CDEE01D2E5B9A63ED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Jo.TJo.TJo.T%.UTHo.T%.WTOo.T%.cTAo.T%.bTHo.TC.ZTOo.TJo.T.o.T%.fTNo.T%.RTKo.T%.TTKo.TRichJo.T........................PE..L......g...........!.....>...................P............................................@.............................].......P.......................................................................@............P..D............................text....=.......>.................. ..`.rdata..M....P.......B..............@..@.data...$...........................@....reloc..(...........................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6493578\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	7.484270190239562
Encrypted:	false
SSDEEP:	768:tUqX/E3rJA4ZX6xUrLGwk9xAlvcuHnYoq7MNC3Il:tUc/+vKGnax8ESY17WkI
MD5:	63F6D9FECB240388D69CB668CFE50C00
SHA1:	2B67BB8AA45A9D0383E76F15E631C1131B28BB1E
SHA-256:	678D6ED15F6150BFD5BA8E823CF877C32BB492E8557E107FAC77143DAD3724F1
SHA-512:	176B096493206D2DADB17D778E959855DEEF0EC8D5343C09790CA6C067A338ECE44138FA9081888CAA2228A041D2A8C71B085AD8FEFAFE479505F667F6D2B7E6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#;\.gZ2.gZ2.gZ2..F<.rZ2.Q\|8..Z2..Uo.bZ2.gZ3.7Z2.Q\|9.sZ2.gZ2.fZ2..E9.eZ2..E6.fZ2.RichgZ2.................PE..L.....lf...........!.............p..................................................................................0...l...........................................................................................................................UPX0.....p..............................UPX1.............v..................@....rsrc................z..............@......................................................................................................................................................................................................................................................................................................................................................................................................4.21.UPX!....

C:\Users\user\AppData\Local\Temp\6493609\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	177
Entropy (8bit):	4.880763515526955
Encrypted:	false
SSDEEP:	3:FCB9RhFUOivy0JQlr0TGKS2e/1k8Ve53y2+FXUsKov13wetdQQqi5xQn:FwrFTZ0eJ4GVfeoFXUszv9wgCQPxQn
MD5:	EAB9552FB070D7C48B31FE6A7A9CB0B3
SHA1:	A8F7E04F0C10082A3A66A6D8AD3BF7815D51744B
SHA-256:	EDC57321D853B03CDFFC2F4021834B57BCCB4080D477F5499B01255B5CE8BCA3
SHA-512:	800D26529897047A7B584F3219CA56AF9ADE591949CE8F2504D25BDE4595515413454A597F9C3A5496D57C3EAB3D514B871021A3B709908002AFBADB68A1FC60
Malicious:	false
Preview:	[XLY]..P2=24c6269477f0.JFU..P5=e6ab90d5741a3329XSJ..P4=7c24ad187eeb.NUX..P7=5ccac7f27f4c789fFPK..P3=408dd7481cc3.KWR..P6=d90abf5032721ffaBCX..P0=DAN127..P1=e8a0d5af432b7e64DBD..

C:\Users\user\AppData\Local\Temp\6493640\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1390312
Entropy (8bit):	6.599443687044708
Encrypted:	false
SSDEEP:	24576:w4wwwwscgymwef8Z8Zzj6z1el68mUi1m/ONxdDDHNCU+3kvaBW7839l5Qafgb6L1:pwwwwscgymwefyEQ/U6/NnDDHNCTeaBf
MD5:	292575B19C7E7DB6F1DBC8E4D6FDFEDB
SHA1:	7DBCD6D0483ADB804ADE8B2D23748A3E69197A5B
SHA-256:	9036B502B65379D0FE2C3204D6954E2BB322427EDEEFAB85ECF8E98019CBC590
SHA-512:	D4AF90688D412BD497B8885E154EE428AF66119D62FAF73D90ADFFC3EEF086CF3A25B0380EC6FDC8A3D2F7C7048050EF57FCEA33229A615C5DCDA8B7022FA237
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0...0...0...9a.=...9c.I...9b.(...b......b.. ...b..&...9...1...9...7...0........4................1....o.1.....1...Rich0...........PE..L....x.c...........!.........~......x7...............................................~....@.........................P...\|......P....p.................P,..........0...............................P...@............................................text............................... ..`.rdata..............................@..@.data...0........4..................@....rsrc.......p......................@..@.reloc...............B..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6494593\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	data
Category:	dropped
Size (bytes):	2713088
Entropy (8bit):	7.9358560764847
Encrypted:	false
SSDEEP:	49152:gCE0mvBnEwvJm7T8UyHNzeBBHKZlYU13/1wUqq7vf2h0Vw:gCZmvBEqUyHcclt/mUCOa
MD5:	C625FE50C8CBC877CBFAF1D5212F02C0
SHA1:	90763CBEB446C7638F80851E55AF9976285DC56C
SHA-256:	F8890DFA4609D9CB2CA685339468C5256356066CF91AB13C9A771A3B8A566D12
SHA-512:	898703B75D27A9EE5055965BE16D7DEFA482A4199D6C008E539A0102230743AD4540945B76E78804F4CFA99D3DE79B9584D91F6C74C3FF2E6B8F4CC09E7F472C
Malicious:	false
Preview:	...SLSSSOSSSPPSS.SSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS[SSSA..AS.J...R..................................FFE.SSSSSSSB.....t5..t5..t5..x5..t59..5..t5y.~5..t5...5..t59..5..t5..u5..t5...5..t5..t5..t5...5..t5..p5..t5......t5SSSSSSSSSSSSSSSS..SS.RLSd..SSSSSSSSsSA.DRISS.SSCSSS3.S.E.SS#.SSC.SSSSCSCSSSMSSOSSSSSSSOSSSSSSSS..SSOSSSSSSMSSSSSCSSCSSSSCSSCSSSSSSCSSSC..S.SSSSC.SCMSSSSSSSSSSSSSSSSSSSSSSSSSS...SGSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS....SSSSS3.SSCSSSSSSSOSSSSSSSSSSSSSS.SSs....SSSSS.SS#.SS.SSOSSSSSSSSSSSSSS.SSs....SSSSSCSSSC.SSOSSS.SSSSSSSSSSSSS.SS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS....S....FJKH

C:\Users\user\AppData\Local\Temp\6494625\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	333824
Entropy (8bit):	6.389952178495305
Encrypted:	false
SSDEEP:	6144:WyEhWbJNOcWd55OHSCw1ohITXVvrJGqdK2Dug6dGXLSuMAFi2TBfR:Wlu1IjOIohILJrc4Ezui2TdR
MD5:	EC9483F4B8C3910B09CAAB0F6CB7CD1B
SHA1:	9931AAA8E626DF273EE42F98E2FC91C2078FDC07
SHA-256:	4D9CAE6E2E52270150542084AF949D7B68300E378868165FF601378A38F7048F
SHA-512:	84B60FE3CD0EDE19933B37AE0EAEBA1F87174A21BC8086857E57C8729CEC88F9FEF4B50A2B870F55C858DD43B070FD22FFEC5CB6F4FD5B950D6451B05EB65565
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..S...........#................ .............$k................................. ........ .........................c.... .......`.......................p..\|$...........................P......................."..h............................text...T...........................`.P`.data...t...........................@.`..rdata..L.... ......................@.`@.eh_fram............................@.0@.bss..................................`..edata..c...........................@.0@.idata....... ......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..rsrc........`......................@.0..reloc..\|$...p...&..................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6494656\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1063616
Entropy (8bit):	6.674869382282474
Encrypted:	false
SSDEEP:	24576:2ODivXdRxWmQOhfbV5l7kZLWfGPeu/PUw6WmARlXDMmH6PBzT/Cn+m4q:2OuvbfGZGGKJT/Cn+Fq
MD5:	4FF45827EC92E40935F9939142CD40DC
SHA1:	CAD74928F3387E6BF28C3625803706061E956B34
SHA-256:	012ED8D16E9F7586FE44C0AFFE5BEA6FF68F27231A6526D439643869A103E434
SHA-512:	A3DFE7976E5FFB4BA0C68E218C0924568D343E7937ABB50785107DE5E0ADC11AD58A86E02FABB455845FBE8E545E48B57A67EB647C664390ED521D255FF3BEFE
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...~/._.....................j...................@................................. ...................................{........3.......................@...........................................................................................text...0z.......\|.................. ..`.itext.............................. ..`.data...D...........................@....bss.....e...@.......0...................idata...3.......4...0..............@....edata..{............d..............@..@.reloc...............f..............@..B.rsrc................V..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\Temp\6494687\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	388808
Entropy (8bit):	6.5956896905460125
Encrypted:	false
SSDEEP:	6144:B9su6Bohl2JJmgk1G8M0uQoRkQsKwxBF6CaSIU9ILZxxB5ARUWvAX+E:BSohl2JJmgk1U3QMkQsTx3paSIUixGRI
MD5:	B8253F0DD523BC1E2480F11A9702411D
SHA1:	61A4C65EB5D4176B00A1FF73621521C1E60D28EA
SHA-256:	01CEE5C4A2E80CB3FDAD50E2009F51CA18C787BF486CE31321899CCCEDC72E0C
SHA-512:	4C578003E31F08E403F4290970BC900D9F42CAA57C5B4C0ACA035D92EDC9921BF4034FC216C9860DA69054B05F98DADE5F6E218AC4BEE991BC37A3EF572FE9A0
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...8..^..........................................@..........................P..........................................c....p...........N...............<.......g..................................................Ts..P............................text...T........................... ..`.itext.............................. ..`.data....).......*..................@....bss....<X...............................idata.......p......................@....edata..c...........................@..@.reloc...g.......h..................@..B.rsrc....N.......N...d..............@..@.............P......................@..@........................................................................................................................................

C:\Users\user\AppData\Local\Temp\6494718\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1165576
Entropy (8bit):	6.491752155251347
Encrypted:	false
SSDEEP:	24576:ptf4OLWmQQ3b6ZVtecP3Ufy/ilDqzybXIZ0xKHpWq0dGcz7msH0WQWmAdA7yJBzA:tLDlDgRGxKHpSJ28TU
MD5:	D75E14313FC8A0850F3190CE67509475
SHA1:	74474830BC0706E5C0A8B455A4E1B47D9F1DE741
SHA-256:	E5C711BDB99AB55EBD96B3636C7396566C98ACFFD03DF735A15F1E18936A718A
SHA-512:	A4260F1A9A77BC41FC54532BDBF51F831004767E08150BFF95374663930BBE4FCA81790AA4578C062674557A02A698EA798CFC00F2355F6B8FA71BF2915CBAAA
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......`..........................................@..........................0.......4...............................`..e....@..v........^...............A...p...Y...................................................C...............................text...x........................... ..`.itext.............................. ..`.data....".......$..................@....bss.....Y...............................idata..v....@......................@....edata..e....`......................@..@.reloc...Y...p...Z..................@..B.rsrc....^.......^...*..............@..@.............0......................@..@........................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\New

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Category:	dropped
Size (bytes):	318
Entropy (8bit):	2.034441580055181
Encrypted:	false
SSDEEP:	3:PFErXllvlNl/AXll/lFl/Ft/HtAiotuZt/nZllBe+llBe+llBe+llBe+llBe+lll:k9ij1BjjjjjTtXGuwtOZBl
MD5:	C23CBF002D82192481B61ED7EC0890F4
SHA1:	DD373901C73760CA36907FF04691F5504FF00ABE
SHA-256:	4F92E804A11453382EBFF7FB0958879BAE88FE3366306911DEC9D811CD306EED
SHA-512:	5CC5AD0AE9F8808DEA013881E1661824BE94FB89736C3CB31221E85BE1F3A408D6E5951ACCD40EE34B3BAF76D8E9DD8820D61A26345C00CDDC0A884375EE1185
Malicious:	false
Preview:	..............(.......(....... ...........................................................................................................................................................................................................................................................................}..................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\Up

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Category:	dropped
Size (bytes):	318
Entropy (8bit):	2.0369361465218003
Encrypted:	false
SSDEEP:	3:PFErXllvlNl/AXll/lFl/Ft/HtAiotuZt/nreBB+eKemhlRhmeemfB+ll5evZ/Xy:k9ij1KBBhK9jwmfBuiKaq5n
MD5:	83730AC00391FB0F02F56FE2E4207A10
SHA1:	139FED8F0216132450E66BDA0FBBDC2A5BD333AF
SHA-256:	573E3260EED63604F24F6F10CE5294E25E22FDA9E5BFD9010134DE6E684BAB98
SHA-512:	E3DBE1956BB743FD68319517D1D993DDA316C12BBBBBBD6F582ECDD60C4FDE24CC4814C7AB36ED571F720349931EAC10B03E9C911BA0F4309B10604B2C56C6A9
Malicious:	false
Preview:	..............(.......(....... ...............................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\WHelp.dll

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39424
Entropy (8bit):	5.761692667947892
Encrypted:	false
SSDEEP:	384:aCjdYQ16MK6APCxrHjdbCN2wF1hwtl5HYsakk71KfEDHIanumItki7wM/foozOJs:aCCQq6nmNrh6pokkgfEDznOxXfooWs
MD5:	C2B7A27ED1C7D3C27BFE77AFA27DF236
SHA1:	BE2751E2E04D3C1DAA17952BFBD5304E9A5A7741
SHA-256:	91CA317876B50D35BF2B8957C5745A13B57620FDE5CE49BD5F7F3166C16DB0EE
SHA-512:	649B447058045B0311F458552DFA51CE0086275AA32FF8EF3C6E6E2C25D59B3CDDB67CCE5B51A4B5DF5B76A348C79CE78EC9B5FCAA44F6FE64D6F3AF9597C91F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b.d.&u..&u..&u..I...3u..I...(u..I...eu../...!u..&u..hu..I...$u..I...'u..I...'u..Rich&u..........................PE..L.....g...........!.....N...V......5........`............................................@.............................P...L...P...................................................................0...@............`...............................text....L.......N.................. ..`.rdata......`...,...R..............@..@.data...@............~..............@....reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\blue.jpg

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 355x304, components 3
Category:	dropped
Size (bytes):	7379
Entropy (8bit):	7.675014430898698
Encrypted:	false
SSDEEP:	96:Zs7nc2Efd4WLNlTSGJG8J+F1sGaPEl1M5np44DE4wA2A+fHDeGWhzrd7yf8TJWpC:ZsA2DqTRUUQMT4LxjPWhzrNyiFI5Ip
MD5:	6F1B5342D1B781596A4FEC79112DCB0C
SHA1:	08BDEDC9F65FC3A5F6D13D3EF0502769ABE4BD05
SHA-256:	3986699B9B4BE2F8C1747A37E74943F78870623701F08C90CAA007B4DE17924C
SHA-512:	FAE8A651E1DAF872A24FAE87D477F286CAD599DC232A716DBBAD7F091236DA80C71C30B990B6E2F4FF7E06D4414876DB756B452272A9A3E4B3EC1BC32B9E30D5
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......U......Adobe.d.................................................................................................................................................0.c.......................................................................................!1AQ..aq..r....."2BR.S...b.....#3C.%...c$4TE..&..d.Ue...5F.......................!1Q.."A.R....B.a..............?...}.)I..k....[.W.........z.(..`...[.`..P.kC\|.U...V*.R..X.)5J...).\|.c)..[O.....S.k...wo$.9r......>e.l..8nH.o..}is...{.....8jH....Os..r7$r....F.s..rk]3....;.e...d..8..%...o.W.Y>rk]3......b...?..9..g...\|.........5..x9/w.~....u.....\|#.}..,.o4...&.........Q]....+).....tq..\...w....~0...r......T.......j..\|#..._1...y.}.........>d..<;.y.}..&.?W.......2.....%..E..&.....;...!.....yoW/po..W.hmt......#...v..........o7..R'Uv....O..~a..{..y.......m_....\|...t....}.........>..D......x.\|..6..~..a..>m..~w..oW..Hm'..L.8......vV...nG..w..s.[....3.....<BN..}.If...&..&......\|..s..c}..

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\cmdlinkarrow

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 3 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	2862
Entropy (8bit):	3.160430651939096
Encrypted:	false
SSDEEP:	48:QFFZ+f+zd+kHeNTM9/+Xz++++++++YWWS0i6I:QFFEw4Xc+D++++++++ypi9
MD5:	983358CE03817F1CA404BEFBE1E4D96A
SHA1:	75CE6CE80606BBB052DD35351ED95435892BAF8D
SHA-256:	7F0121322785C107BFDFE343E49F06C604C719BAFF849D07B6E099675D173961
SHA-512:	BDEE6E81A9C15AC23684C9F654D11CC0DB683774367401AA2C240D57751534B1E5A179FE4042286402B6030467DB82EEDBF0586C427FAA9B29BD5EF74B807F3E
Malicious:	false
Preview:	..............(...6...........h...^......... .h.......(....... .........................................................................................................................................................wv....."""""o.."""""o..www""......"/.....""......"/......r.........................?...........................................?......(....... ..................................................."..... .". .6.-.9.;.<.;.D.3.,...4...9...O.,.Q.$.M.2.S.:.\.1.U.$._.1.F.G.I.A.`.@.w.q...\|...q...{.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\complete.ico

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.432735724336821
Encrypted:	false
SSDEEP:	192:lN3tnZnyRZF64hc28fwy+aXE25b6K0FHQHVd42oJ2zwZlaw484:lN37Yai8IaD5T0FHQHg29wZla04
MD5:	3EAFE3AE99BF33E9F59D970F21EBEF39
SHA1:	E9895CB920FDEB8907CE37D9666D4999A1DE5D2F
SHA-256:	5F6C78970EE7E3D668EB8A4ACB5D251C76599424A0B0372E7665527516D4C312
SHA-512:	8983717D464AC046A8A272276E90D3D1FD7900D2D89998FC332E420ECA4F01FCFBABB390667B4324C549D0655E62E181E3E7BEED514C5B9B67D0F8D480A9388D
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`..........................................................................................................................................wwww........................p..p........w...........p.w...p....x.....p.....pp........wx.............p....................q..............................................................................................wwww...............................................................................................................................o.....p.................o.....p..............................................................................wwww........................p.......................p......................pp.....p.................p......w.............q........ww`h....................wwp.........p..........wwwwp..................wwwwwwp.....p...wwww....wwwwwwww.gp..............wwwwwwwww...............wwwwwwxwwp..............wwwwwwx.ww..............wwwwwwx.wwp...........

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\custom.ico

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.4001074083138745
Encrypted:	false
SSDEEP:	192:lN3tnFnyRZF64BiTfwy+aXE25b6K0FHQHVd4RhE2zwZlaw484:lN3XYa5TIaD5T0FHQHgRfwZla04
MD5:	1B5701D7F753135C22CC1AE694FFAF4B
SHA1:	966BDEF4159022FCC8740B6EB75B8D7AC4212504
SHA-256:	AEBA695175ED96D3EDE9FE30E486DF59C64A5FD802C15CB67F55E03A0537CD13
SHA-512:	4069B6AC1E51703687E0C17EA83527A258FF0C4BB4DC8051C96E5F98A7902C3301B89A5D2B55872711F85F528B0FB9BAEAF94E93B49B0A48BB8912E06A204EAC
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`..........................................................................................................................................wwww........................p..p........w...........p.w...p....x.....p.....pp........wx.............p....................q..............................................................................................wwww...............................................................................................................................o.....p.................o.....p..............................................................................wwww........................p.......................p.......................p.....p.................p......w................p.....ww`h..............p.....wwp.........p.....p....wwwwp..............p...wwwwwwp.....p...wwww....wwwwwwww.gp..............wwwwwwwww...............wwwwwwxwwp..............wwwwwwx.ww..............wwwwwwx.wwp...........

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\exclamation.ico

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 2 icons, 48x48, 8 bits/pixel, 48x48, 32 bits/pixel
Category:	dropped
Size (bytes):	13430
Entropy (8bit):	4.339511276304085
Encrypted:	false
SSDEEP:	96:KYvlkFEXFYU2+yCvIFA13cJ/rrrrrpbEn5UnanjPRZfZy1wvI8:bVXuzd6IF0czwNPDZfI8
MD5:	93D722FA20A988A5C257A58BF155DC66
SHA1:	30C0D19F02CB39F8804DAFE6AF483A09C76E2338
SHA-256:	F587867EED0BEC33EF150F3A8525BDE9B6746C705543874E56653AA80EA53225
SHA-512:	BFB91739AE7432DD7D0A919F15B5B721E733675C3C2A4D5238C9955A6517DD4653042FA444F2D2627508908F6DA7DE0FBF22F37CF1A60476F59CBF254F62F736
Malicious:	false
Preview:	......00..........&...00.... ..%......(...0...`....................................-...<...I...L...P...S...S...T...G...@...K...V...W...Z...\...]..._...C..^...`...`...f...a...f..&e.."f..n..)v..3w..5v..2x..7\|..8}..<}..B}..._...e...k...a...m...p...t...r...z......5...M{..............,...0...+... ...,...<...?...<...:.......................................;.......-...!...-...................................................#...#...*...6...5...;...'.../...#...(...,...(...,...:...;...6...1...:...A...@...K...J...L...B...A...S...D...K...V...\...R...M...M...K...M...e...`...`...k...d...m...s...z...Y...e...}.......z...J...G...J...B...E...V..._...]...U...[...Y...Q...L...G...F...B...M...J...P...[...R...\...P...Z...b...i...e...b...l...f...u...~...b...k...g...m...c...s...z...5...<...C...J...N...T...Z...U...X...]...g...c...m...c...h...z...s...z...t...}...i...r...u...t...~.....................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\externalui.ico

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.036354960673055
Encrypted:	false
SSDEEP:	192:q4lYOUfhBJ1gqASunI8FoQaaJ+nkt0p1b+v:q4leXXArnI8FoVa4nP0
MD5:	235E54EB7ACEA02DC322F4065498165D
SHA1:	AD825997EC58A33A164B471FE3BD4B7C74614D9A
SHA-256:	B294EDF73CC936610CC81BCA6B95D1C7D6091595EC074C6B334ECA45D2DC354F
SHA-512:	5AC20371FD09E6A1F8C134FB24C045C36D835544D04E681FB6A51ADFF12A6BF8225C53D865B601EA5452024ABE7C02204A759B317D7410CF59F66ADFBE089D5C
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`........................................................................................................................................www................p..........................h.....p.........................................................................................................................p.......................p............................wwwwp..................wwwwwp..................wwwwwp..................wwwwwp..............p....wwww.................................................................wwwwwwwp....p........p.............wp.....................wwwp......p....wwwwwwp..wwwww.w.w...............wwwwww..................wwwwwwwp.....x..........wwwwwxww.....x..........wwwwwx.wp....x..........wwwwww.ww....x..........wwwwww.ww....x..........wwwwwwxwww...x..........wwwwwwwwwp...x..........wwwwwwwwwp...x............wwwwwwpp...x.........wp.......xp...x........x..........p...x...............wq..p...x.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\fhjyy.exe

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175328
Entropy (8bit):	6.879935553739908
Encrypted:	false
SSDEEP:	3072:jnrQnzMYywmn3h1sp7/WvCnIukR4BbxKigu/fgl1glfdjgBftJeCEEzx4N7mcr5:XQnzXtr7tbxKVuE1gQJeCEMx4p
MD5:	BE4ED0D3AA0B2573927A046620106B13
SHA1:	0B81544CD5E66A36D90A033F60A0ECE1CD3506A8
SHA-256:	79BF3258E03FD1ACB395DC184FBE5496DFA4B3D6A3F9F4598C5DF13422CC600D
SHA-512:	BD4E0447C47EEA3D457B4C0E8264C1A315EE796CF29E721E9E6B7AB396802E3CCC633488F8BEEB8D2CF42A300367F76DEDDA74174C0B687FB8A328D197132753
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............d..d..d...g..d...a...d...`..d..g..d..`..d..a..d...e..d..e..d...a..d.....d.....d...f..d.Rich..d.........PE..L....]d............................S#............@.................................>.....@.................................d8..<....p...............d...H...........*..T...........................H+..@...............$............................text............................... ..`.rdata..._.......`..................@..@.data........@.......4..............@....gfids.. ....`.......>..............@..@.rsrc........p.......@..............@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\info

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors
Category:	dropped
Size (bytes):	1078
Entropy (8bit):	2.8642269548572474
Encrypted:	false
SSDEEP:	12:hEipI3VFpSyZ9I7imddddGDxxOxzma3ZmRgRtqVtipMLXwHqfM:hEigFpTz1xA6aJmRgwi6LgHcM
MD5:	554FF4C199562515D758C9ABFF5C2943
SHA1:	9E3BAB3A975E638EAD9E03731AE82FA1DBCD178C
SHA-256:	9AE4A96BF2A349667E844ACC1E2AC4F89361A6182268438F4D063DF3A6FC47BC
SHA-512:	E302EDF3DAB3A0E9EEB5AFA34E4910EE177099C017B42F86847CF972143C87E8C40BC47689A3C8845051EAB98258A392CCAF331F414C271A1B6B751F503CE221
Malicious:	false
Preview:	...... ..........&...........(.......(... ...@.........................................................................................................p..............wp...............p...............p...............p...............p..........ww...ww........wp....www..............wwp..............ww...............wp..............ww...............wp..............wp...............w...............wx..............w...............w...............w...............w...............w...............px..............p............................................................................................p......w.......w........wx....w...........wwwp.....................................?...............................................................................?................(....... .............................................................................................................................p.......w..x.....p.......p.......w.................................................w

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\info.ico

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 6 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
Category:	dropped
Size (bytes):	22486
Entropy (8bit):	5.511908704029649
Encrypted:	false
SSDEEP:	192:0DT6aNn0CgAevbxezcSptuGH0BJ1cBYehJjbQypQ6X8rdb:/aNn0DAoN4c8HH031/QQ6XWZ
MD5:	FD535E63F539EACB3F11D03B52B39A80
SHA1:	A7F8C942E5672F2972C82210A38CC8861435F643
SHA-256:	0086BC01150989F553A0A4AE0E14926C6E247CEDDA312E1F946AE35D575742AB
SHA-512:	716EAB95B5535D54359D12C9786F5A53F9560126D2C48EB1A94DB5BD383363B43EA686AC421080564B54450DA35AF9CE3E11CECD485AAF27C0CEAEE7836F4518
Malicious:	false
Preview:	......00..........f... ......................h.......00.... ..%...... .... ......B........ .h...nS..(...0...`....................................B...C...D...F!..H#..I#..J%..L&..N)..Q+..S-..U/..V5..W1..Y3..Y4..[5..\7..]7..]9.._:.._<..c?..`9..c=..d>..d=..`@..eC..fB..gD..hA..iF..kF..lG..kN..kI..lJ..oK..nL..jC..lE..oG..qO..pH..rN..rM..tO..uO..sK..uM..wO..pT..sP..vW..w]..tQ..wT..yV..xQ..zQ..{U..zT..\|T..{Y..}Z..~Z..~X...\..}U..}d..[..^..^.._..W..Y..Y..[..]..\..]..]..].._..f..l..`..q..w..u..t..x..}..{...b..`..b..b..e..g..`..d..e..k..i..n..i..m..q..u..x.....z........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\lzmaextractor.dll

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16328
Entropy (8bit):	6.530762223829305
Encrypted:	false
SSDEEP:	384:POw0cwpdr9ee/PTG3eK4i/8E9VFL2UtCsDkm:POAwLge/PaeKeEdKTm
MD5:	F1F56D26D0244DC52C1932C72BC27D7C
SHA1:	58D42600E3B54227DF0A2C600D8783C1B7B282B0
SHA-256:	43E55A6CBE1AB609A23BA1A462BC688FB1CD4CDD5E6EDFB79031FA8F502E6DDC
SHA-512:	B94D886136016A832663D7F423D6CA9ABB4C1342930CE46B6B8F319AF7C96350C4DB421C79254EEF4A8431831F5CABE758E7C8B3E5FD36A6CE93405AC8334012
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.t9z..jz..jz..j...ku..jz..jJ..j...k...j...k{..j...j{..jz.j{..j...k{..jRichz..j........................PE..L...x..b.........."!... ............@........ ...............................`............@.........................P".......$.......@..h................#...P..\....!..p............................................ ..X............................text...)........................... ..`.rdata..X.... ......................@..@.data........0......................@....rsrc...h....@......................@..@.reloc..\....P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\minbackground.jpg

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 760x100, components 3
Category:	dropped
Size (bytes):	15366
Entropy (8bit):	7.95557428882131
Encrypted:	false
SSDEEP:	384:ZsgYb2FNX3lLAvWkoFQVHunMJkaCxzpsEo9fDC79Vh4Vcj:ZsgYbuN3Gb/HunMJbWtl8rQ9ffj
MD5:	845B155C2F68096094B443873E5A6142
SHA1:	A1167CADC4ED424BFC9AABF61B3E0EDBE6FFC818
SHA-256:	70FFF5DC4ECCA73EF601BD78A67EAF0141079EBA11FC9659EC4C4A4AA5C78C9E
SHA-512:	60B9165D37600A5EB1563CA8C69579C2DEE8ECFAD8BF60580DEB7307607BDDE33BEBAA07C3E35D94366FDC4D403747049AA758D4096519836E11BF7CE0326040
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......U......Adobe.d.................................................................................................................................................d............................................................................................!1..AQ.aq."2.......B..Rr#3..b...CS$..s.%..T.....................!.1.Q.Aaq......"2..#...B.............?......=.u..[..7M.+v.p.H...6....:Y.........f.O...RK...)tH9...2D.....ZGI......P.QU..M....;1.W....\|J......\O......g.=W..n'......Y.7U.&..._.w..n..UW..k....Q...U^.6.Sa.w....U^..wSTy..L....W....y..)..z..qaq&.c.).gMR.X.&.c.)..C.......u.!....X....j..A..v...MF.D.h..Q....T.4.n..GC.f7H..S..,{.Lt.-..P.i0e./a..^I.&......~.u%d0...J..9..#....(~I.%d........&s].YB....)..,ah.H..b.sY.-..41.\|.4.o#Hm...L..U...x.h.[....vj.....Q.....]upp..Cn...Y2VA1@j8e..d.......n.N....[@.S..US&...$.{1FI0.x....s%i.!...W..,....cJ.......hI.``..P...n$.c..7....e..Q.]..4..I.%...cI..@..D\..iE...4..C..EV...v..&~OQ.a

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\remove.ico

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	3.6742809399919576
Encrypted:	false
SSDEEP:	192:4cYE5eZRboMB6f5iR59urg5N+qdrzt2eYi:4cAshf5quryvdPwzi
MD5:	AA0A5F0280C98006741B6CB56C3A360E
SHA1:	AC820BBEC6D08545A4A4818DF9EB09B521BF2E40
SHA-256:	2AC61CEA48CCDB1751CB6B93BA90267508ED6AC900B2E2AC6EAD172C9B8958F2
SHA-512:	7646B3786039711FD60BD9C82A2CBAC51CAA75626CD1695F29EF4939637F60118F6B32B6B781EC57D6F478091C33DC886B2B6C3751B948CD0E916E617C52B254
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`...................................................................................................................................................w......................wwp....................w..w....................x..w...................w...wp..................w....p..................x....p..................x....w..................x....w..................x....w..................x.....p..........xp.....x.....p.......................w.......................w.........x........x....wp........xp.............p.......w.p.............w.......x...............w......w................wp.....w.................w....wx.................w....w..................wp..wx...................w..w....................wwwx....................wwx......................w............................................................................................x.....p.................x....wp................w......wp..............wx......ww..........

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\repair.ico

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.656471862600903
Encrypted:	false
SSDEEP:	192:+q2qe82nprAWkcWFW57oVht/k2VxomK0qHTk4TdrofvMxnVRYAn4vf:ej84ArgojFTVxoz0qHNTdr+vKVRYAIf
MD5:	4DBA3637F5FCEAADD2184BD8A0F0FB95
SHA1:	A858418C32F5D45F15AB01CAFC652B507DE2A42B
SHA-256:	C1AD1E78A112974326B44F75FE302723A4FC8AC1CCD96C9887403F6DDF8E607D
SHA-512:	DA105188273312DD1C79D90C2A1AE17ED584A70C14BCD662EAB3B7FC99D7A91B30957D965498E6FB397E01EA72ED3EA0AB8BDBB4313E68E8E45073B87E412E26
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`...............................................................................................................................................................wp...w............wx..ppw....ww..p.......w.....qx.......pp......w......q....x....p..................x....p................p.x....p..............p.x....p..............p.x....p..............p.x....p..............x.x....p................x....p...............w..x....p...............q..x....p.............p....w....p..................w....p..................w....p..........p.......w....p.......................p.................p..w..p....................w..p....................w..p................p...w..p................p...w..p...wp...........p.w.w..p...wv...........p.w.w..p..www............wx..p.p.wwwww.x....p........p.p.wwwwww.x..x.....w...p.p.wwwwwwwp.w........pww.p.wwwwwwwwwp..x..w..w...p.wwwwwww.ww...ww.x...p.p..wwwwww.wwp.....w..xp.p..wwwwww.www...........p

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\rtlothree_colors.jpg

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 760x17, components 3
Category:	dropped
Size (bytes):	3420
Entropy (8bit):	7.841479572759416
Encrypted:	false
SSDEEP:	96:Q6PKp1qGfXtGjelIs3Qj/y6+/yzyQguDYfE10JeOWMm+1Q:Q6PKpsetGsZQj/j+4jKE11OW+1Q
MD5:	A45540685353D14EB9B2344F556F672B
SHA1:	C540395FAFD4D23A5614B5A692080D3B07DEBCAB
SHA-256:	CE18FC834CEA0215B8BD6EB1C66586B4904FC7FCE758F6CBB1E9EB6FC004F338
SHA-512:	69DAFCD7BDCDF72E352EDFC67DF2C58FDEA22A6779702FB00670B90619DD0D673B8FB74E7047F7CB807AACEC08533A128DC437AFAB054C9FCB911D7C2779FCF3
Malicious:	false
Preview:	......Exif..II*.................Ducky.......U......Adobe.d...........................................................................................................................................................................................................................................!1.AQ.aq.."2.3.......B.#.R..r4........................!1AQ..a..."2...B............?.....}=...5....6..9....u]A@1....G.x.f.~...]i...VpKw....+[f.....q...i.4.M.;Kz..}=.-.....7B...............?...W..?C.........R........K...5...+JU,............^..Oik......dL..".x.q/ ..m.l.k.Z.e..j.L..=..&...K._Px.@h.w..X..[zV...}mk.ZL.....3-c. ....2...... .^...z............Q..E.A..d..h.......\...}6uV.3.....t...!.~.f......l.....J^z.G~.&...e....A.c.$...]PG.(hjF.S^+.].k~...<.[t..Qt2:.d...-..c\.e..y1M...m.....'.{.ei...`d....k...1....2.O.CA..&.'.>O..[...........i.M...>X..B..F..=.s.-...<.......N...6....[Z.943.f....NMr<E.W%I.ro..#..ro.....nj..6......b.F...k..U.B-bu.=.b..Bi........e<...U

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\three_colors.jpg

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 760x505, components 3
Category:	dropped
Size (bytes):	26619
Entropy (8bit):	7.547741155491426
Encrypted:	false
SSDEEP:	768:Zsra5o/C+tKDDPW4I++xCsuOlApLTEDjeEImcF:jaQD6DVCsBSpL0eEIFF
MD5:	718CAFA7E04A8D4D98116BCB4C377D7F
SHA1:	38A1EAC1E72997FFA9FB01BDE2540B18F046A3F5
SHA-256:	FBE48BA8AF8CC23A66906A1E94AC10D86CE91B86A18531CE1C96D6061387C2B5
SHA-512:	0FECEB6C7AC536B985198C63008668424DA51E628656706DE30E472DAEA49380F5D25187A268E8BF2E3740AAB6A8ED1171EC4E2C6A69699BAB7DB5B619CB36EB
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......U......Adobe.d.............................................................................................................................................................................................................................................!1..AQ.aq"....2....BR#....3..b...r..$...CS.....c....vX4.f'G8.......................!Q.1.A...aS..q.."2RC..B...3............?....um.\|:....o..H....e..W'...e."......X.o^.9{.<.sY.........nk;7.....K.S.W....;...$..3Sk..6w[._...k..Y....n......t...Gk....^.k..t...Sg..U..,...v.Y..lw7p....M...v{....<O...^.d{[..0.?{5..I......>y...#..]m$.ztz.)6..z.z.'-K.=:.m.O....W...X&.Ez.8.+q....u..b.=...].m..>.5...8?...k.....(...p.r.=.[H6...6...M.aG....h....\|.I^m.ee9.....e../ccf)-*.....}.LjQP.....m..Y.aW.5+...y.[...k.y..-......:.......p....v..{..m.6.:..bt..-..1JR^..7.\6.CmbR..8.es....&.O......"...sle}].{tU../...iVg)]. ..&Gm.,0.GM.....Kp.km.q..M.g....j.....C.[.DK...U..8BQk....Te...v......a.EJ..

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\typical.ico

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	4.926016576393048
Encrypted:	false
SSDEEP:	192:entnoFoTahmFxRYq7mE25b6K0FHQHVd4oXb2zwNf3i4ij:enWuPFxt785T0FHQHgo2wNf3oj
MD5:	EB3F9054BB5F95ED6B10EC4E16A026BE
SHA1:	35760271A03029996BDA26D5D596CFCC465E3EA9
SHA-256:	E330FA8030AA0465B02880133ADDBA0A8C6011B511F6968B413BF45516F7275E
SHA-512:	B0A96DA5514A9B8E9FA182A294694299388A854245AEC01E835B1108D568F9F1158917D9792BC852568EC56C2ED5E54F9E630E02D1EC79A281E2B28A67167A51
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`.........................................................................................................................................................................p........w.............w...p....x.....p...............wx....................................................................................................................................................................................................................................................................o.....p.................o.....p................................................................................................................................................................p........................w......................ww`h....................wwp.........p..........wwwwp..................wwwwwwp.....p...........wwwwwwww.gp..............wwwwwwwww...............wwwwwwxwwp..............wwwwwwx.ww..............wwwwwwx.wwp...........

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\white.jpg

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 493x312, components 3
Category:	dropped
Size (bytes):	1232
Entropy (8bit):	1.290282383283862
Encrypted:	false
SSDEEP:	3:nSullBbsRllAqp/y4FKKn5bbeWfa5QpUolHmBkDt0+EtZtE//Wmst18n:3llxqQ8AfQRGSDt0RZty/Wmsw
MD5:	57D130DDF327FCC5DA636A6AB4D7C112
SHA1:	D674F332D4F79C70D4A97BFD9E504A8F3A2C26B6
SHA-256:	990EAB9FAAAE9F78201EF00A72F7B59773EED2B2FC9EC72250C67F376EE0500F
SHA-512:	E2F2141973CD9B7B52347EBCC89E89FDDEAA5B9721011C2CD7B2F2EAE434EF0F10D02537EB0F1AD6276FA182147AE935277EF9BBE31960EE2D82437C0741D39D
Malicious:	false
Preview:	......JFIF.....d.d......Ducky..............Adobe.d.............).)A&&AB///BG?>>?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG..))4&4?((?G?5?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG......8...."..........K.....................................................................................?..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_2488\whitesmall.jpg

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 446x92, components 3
Category:	dropped
Size (bytes):	554
Entropy (8bit):	2.356721207995078
Encrypted:	false
SSDEEP:	3:nSullBbsRllAqp/y4FKKn5bbeWfa5QpUolG5PkDt0+EtZtE//WmstN8n:3llxqQ8AfQRG5cDt0RZty/WmsY
MD5:	4429F170056663EFD1486395E8EB0AF6
SHA1:	AE9B01A44C8EE5AE7146F0523E512EE32DC284AD
SHA-256:	FFE2980D90152EF603555A735B7CBA1917C99BB67061B44D6AC6F12E6384BDD9
SHA-512:	719F4E55944502F7D472F362DD0D1D09649FBAEC0515701C9C84BBB3F32B06CC29E4A4C55022BC034CBC68C9C151A90018A926D1A08B4D5048F117950E9135E9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky..............Adobe.d.............).)A&&AB///BG?>>?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG..))4&4?((?G?5?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG......\...."..........K.....................................................................................?................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\INAF03F.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	823240
Entropy (8bit):	6.404576447300874
Encrypted:	false
SSDEEP:	24576:rTaRpuaJXUUxsdScfjP3UtMMnNfXnUCCAs0+D:rG/uaJEisdScfbUiANfXnUCCAs0+D
MD5:	2E25B7DC66FC65D92C998D6FB1D09EF6
SHA1:	719CC9C0BBE12F040E169984851E3ABEA03D9CF8
SHA-256:	A01FB6763B11BA0CBF9B26FC8D45E933C2A6AD313BC9B12ED41AC67BAF2AA8C2
SHA-512:	7D4AF029A01CE60FC0787599C031C0DBFF7069311832A5587F003EA68EF739B22C8B01832E00801B0D17C12983C4D0E7877CDE58DE371886CFB6BE5B490F4C33
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$....................4.....4..H..........................4.....4.....4................................F..........Rich...................PE..L...q..b.........."!... .$...X...............@...........................................@.................................`........................l...#......@...h...p...............................@............@...............................text....".......$.................. ..`.rdata......@.......(..............@..@.data...............................@....rsrc................t..............@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI85B4.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI85E4.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI8E2.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	823240
Entropy (8bit):	6.404576447300874
Encrypted:	false
SSDEEP:	24576:rTaRpuaJXUUxsdScfjP3UtMMnNfXnUCCAs0+D:rG/uaJEisdScfbUiANfXnUCCAs0+D
MD5:	2E25B7DC66FC65D92C998D6FB1D09EF6
SHA1:	719CC9C0BBE12F040E169984851E3ABEA03D9CF8
SHA-256:	A01FB6763B11BA0CBF9B26FC8D45E933C2A6AD313BC9B12ED41AC67BAF2AA8C2
SHA-512:	7D4AF029A01CE60FC0787599C031C0DBFF7069311832A5587F003EA68EF739B22C8B01832E00801B0D17C12983C4D0E7877CDE58DE371886CFB6BE5B490F4C33
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$....................4.....4..H..........................4.....4.....4................................F..........Rich...................PE..L...q..b.........."!... .$...X...............@...........................................@.................................`........................l...#......@...h...p...............................@............@...............................text....".......$.................. ..`.rdata......@.......(..............@..@.data...............................@....rsrc................t..............@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF13B.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF1D8.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	949704
Entropy (8bit):	6.466154972117666
Encrypted:	false
SSDEEP:	24576:sIwVz9EMURaglxM62wOR4H0kXiOfWo1OrEMBZX26PH2caU:n0OO62wOR4UkrfH1OrEMBZX26PH2caU
MD5:	8C98FC0407681EAC7FD69EA06DBF29EA
SHA1:	109C8E1BCF375F6FDCFA5B00F02E092E0678595B
SHA-256:	B4C7B684DDCEEC5D4A809D8A7F4B8D2CF87E5B866E0D83F389018F423295EC4E
SHA-512:	0A24D27B7982F314047977D4D219F53D7F4CBEDA9A2E72E4D328604E1FA183BFA670F0391CC70A5888E5C0747177B7AE5A1298E8F884FD8FD8515EA2FF9683D7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^.5.?.f.?.f.?.feM.g.?.feM.g.?.f.E.g.?.f.E.g.?.f.E.g.?.f.G.g.?.feM.g.?.feM.g.?.f.?.f.>.f.E.g.?.f.E.g.?.f.EAf.?.f.?)f.?.f.E.g.?.fRich.?.f................PE..L.....b.........."!... ............~...............................................k2....@......................... ...t............................Z...#......T....L..p...................@M.......L..@............................................text............................... ..`.rdata..D...........................@..@.data...............................@....rsrc................X..............@..@.reloc..T............^..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIFD04.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIFD44.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIFD74.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIFDC3.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIFE60.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	823240
Entropy (8bit):	6.404576447300874
Encrypted:	false
SSDEEP:	24576:rTaRpuaJXUUxsdScfjP3UtMMnNfXnUCCAs0+D:rG/uaJEisdScfbUiANfXnUCCAs0+D
MD5:	2E25B7DC66FC65D92C998D6FB1D09EF6
SHA1:	719CC9C0BBE12F040E169984851E3ABEA03D9CF8
SHA-256:	A01FB6763B11BA0CBF9B26FC8D45E933C2A6AD313BC9B12ED41AC67BAF2AA8C2
SHA-512:	7D4AF029A01CE60FC0787599C031C0DBFF7069311832A5587F003EA68EF739B22C8B01832E00801B0D17C12983C4D0E7877CDE58DE371886CFB6BE5B490F4C33
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$....................4.....4..H..........................4.....4.....4................................F..........Rich...................PE..L...q..b.........."!... .$...X...............@...........................................@.................................`........................l...#......@...h...p...............................@............@...............................text....".......$.................. ..`.rdata......@.......(..............@..@.data...............................@....rsrc................t..............@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIFEAF.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	949704
Entropy (8bit):	6.466154972117666
Encrypted:	false
SSDEEP:	24576:sIwVz9EMURaglxM62wOR4H0kXiOfWo1OrEMBZX26PH2caU:n0OO62wOR4UkrfH1OrEMBZX26PH2caU
MD5:	8C98FC0407681EAC7FD69EA06DBF29EA
SHA1:	109C8E1BCF375F6FDCFA5B00F02E092E0678595B
SHA-256:	B4C7B684DDCEEC5D4A809D8A7F4B8D2CF87E5B866E0D83F389018F423295EC4E
SHA-512:	0A24D27B7982F314047977D4D219F53D7F4CBEDA9A2E72E4D328604E1FA183BFA670F0391CC70A5888E5C0747177B7AE5A1298E8F884FD8FD8515EA2FF9683D7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^.5.?.f.?.f.?.feM.g.?.feM.g.?.f.E.g.?.f.E.g.?.f.E.g.?.f.G.g.?.feM.g.?.feM.g.?.f.?.f.>.f.E.g.?.f.E.g.?.f.EAf.?.f.?)f.?.f.E.g.?.fRich.?.f................PE..L.....b.........."!... ............~...............................................k2....@......................... ...t............................Z...#......T....L..p...................@M.......L..@............................................text............................... ..`.rdata..D...........................@..@.data...............................@....rsrc................X..............@..@.reloc..T............^..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shi7D41.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4509696
Entropy (8bit):	6.100941182830929
Encrypted:	false
SSDEEP:	49152:jm+XAVAMPLfOyim8iTRxYUOQSfLTZZZ2y38lb7Cjn3mboy4+MT7ujWx/Tl0ng48e:CzVAwiKTOpfLTDQyaNoy787ujWx/TlR
MD5:	F6153E803F1533042AC7E6988237C2C3
SHA1:	DDA81BB8BC8CC14877C9CB9B7C664DEFD81EBB4F
SHA-256:	F42A771D310C762C05A5BE3DE0CFDB9BEC28D3DFCCAEF800C901F551A0DF30ED
SHA-512:	7AE76A4CB58A9929C09B1D6376073268622C74B1E3F0C346AFA7A7829E2EF136CCF091F58CCA28BFE83C665573C23D9DB6AF51A44275DA0CC2CF8C1306ADDBAC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._.._.._..V.X.=..K..S..K..X..K..W.._.....K..^..K..-..K..D..K.4.^..K..^..Rich_..........................PE..L....+.X...........!.....dA.........P.3.......A....c.........................@E.......E...@A.........................i@.K&..L.A.......B.H.....................D..-......T....................O...... .................A.H....C@......................text.....@.......@................. ..`.wpp_sf.......@.......@............. ..`.data....6....A......hA.............@....idata...1....A..2...nA.............@..@.didat..4.....B.......A.............@....rsrc...H.....B.......A.............@..@.reloc...-....D.......C.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shi7DCF.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83128
Entropy (8bit):	6.654653670108596
Encrypted:	false
SSDEEP:	1536:0jIdYoF2CwmzOVStYMAuNWrmaTk++ouMOczT0ud4x41xmPS:0jRoFZwmr+bDk/MOcv0G4sxm
MD5:	125B0F6BF378358E4F9C837FF6682D94
SHA1:	8715BEB626E0F4BD79A14819CC0F90B81A2E58AD
SHA-256:	E99EAB3C75989B519F7F828373042701329ACBD8CEADF4F3FF390F346AC76193
SHA-512:	B63BB6BFDA70D42472868B5A1D3951CF9B2E00A7FADB08C1F599151A1801A19F5A75CFC3ACE94C952CFD284EB261C7D6F11BE0EBBCAA701B75036D3A6B442DB2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.T...:...:...:.....&.:...9...:...;...:...;...:...:...:...4...:...?...:......:...>...:......:...8...:.Rich..:.................PE..L...Y.............!.........H.......n..............................................;.....@A........................P........B.......`............... ...$...p..........T............................................@...............................text.../........................... ..`.data....!..........................@....idata..H....@......................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shi8A15.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4509696
Entropy (8bit):	6.100941182830929
Encrypted:	false
SSDEEP:	49152:jm+XAVAMPLfOyim8iTRxYUOQSfLTZZZ2y38lb7Cjn3mboy4+MT7ujWx/Tl0ng48e:CzVAwiKTOpfLTDQyaNoy787ujWx/TlR
MD5:	F6153E803F1533042AC7E6988237C2C3
SHA1:	DDA81BB8BC8CC14877C9CB9B7C664DEFD81EBB4F
SHA-256:	F42A771D310C762C05A5BE3DE0CFDB9BEC28D3DFCCAEF800C901F551A0DF30ED
SHA-512:	7AE76A4CB58A9929C09B1D6376073268622C74B1E3F0C346AFA7A7829E2EF136CCF091F58CCA28BFE83C665573C23D9DB6AF51A44275DA0CC2CF8C1306ADDBAC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._.._.._..V.X.=..K..S..K..X..K..W.._.....K..^..K..-..K..D..K.4.^..K..^..Rich_..........................PE..L....+.X...........!.....dA.........P.3.......A....c.........................@E.......E...@A.........................i@.K&..L.A.......B.H.....................D..-......T....................O...... .................A.H....C@......................text.....@.......@................. ..`.wpp_sf.......@.......@............. ..`.data....6....A......hA.............@....idata...1....A..2...nA.............@..@.didat..4.....B.......A.............@....rsrc...H.....B.......A.............@..@.reloc...-....D.......C.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shi8AA2.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83128
Entropy (8bit):	6.654653670108596
Encrypted:	false
SSDEEP:	1536:0jIdYoF2CwmzOVStYMAuNWrmaTk++ouMOczT0ud4x41xmPS:0jRoFZwmr+bDk/MOcv0G4sxm
MD5:	125B0F6BF378358E4F9C837FF6682D94
SHA1:	8715BEB626E0F4BD79A14819CC0F90B81A2E58AD
SHA-256:	E99EAB3C75989B519F7F828373042701329ACBD8CEADF4F3FF390F346AC76193
SHA-512:	B63BB6BFDA70D42472868B5A1D3951CF9B2E00A7FADB08C1F599151A1801A19F5A75CFC3ACE94C952CFD284EB261C7D6F11BE0EBBCAA701B75036D3A6B442DB2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.T...:...:...:.....&.:...9...:...;...:...;...:...:...:...4...:...?...:......:...>...:......:...8...:.Rich..:.................PE..L...Y.............!.........H.......n..............................................;.....@A........................P........B.......`............... ...$...p..........T............................................@...............................text.../........................... ..`.data....!..........................@....idata..H....@......................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shi9BD5.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5038592
Entropy (8bit):	6.043058205786219
Encrypted:	false
SSDEEP:	49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
MD5:	11F7419009AF2874C4B0E4505D185D79
SHA1:	451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
SHA-256:	AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
SHA-512:	1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L......N.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shiF07E.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5038592
Entropy (8bit):	6.043058205786219
Encrypted:	false
SSDEEP:	49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
MD5:	11F7419009AF2874C4B0E4505D185D79
SHA1:	451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
SHA-256:	AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
SHA-512:	1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L......N.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\7z.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1390312
Entropy (8bit):	6.599443687044708
Encrypted:	false
SSDEEP:	24576:w4wwwwscgymwef8Z8Zzj6z1el68mUi1m/ONxdDDHNCU+3kvaBW7839l5Qafgb6L1:pwwwwscgymwefyEQ/U6/NnDDHNCTeaBf
MD5:	292575B19C7E7DB6F1DBC8E4D6FDFEDB
SHA1:	7DBCD6D0483ADB804ADE8B2D23748A3E69197A5B
SHA-256:	9036B502B65379D0FE2C3204D6954E2BB322427EDEEFAB85ECF8E98019CBC590
SHA-512:	D4AF90688D412BD497B8885E154EE428AF66119D62FAF73D90ADFFC3EEF086CF3A25B0380EC6FDC8A3D2F7C7048050EF57FCEA33229A615C5DCDA8B7022FA237
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0...0...0...9a.=...9c.I...9b.(...b......b.. ...b..&...9...1...9...7...0........4................1....o.1.....1...Rich0...........PE..L....x.c...........!.........~......x7...............................................~....@.........................P...\|......P....p.................P,..........0...............................P...@............................................text............................... ..`.rdata..............................@..@.data...0........4..................@....rsrc.......p......................@..@.reloc...............B..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\APKwait.bat

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	34
Entropy (8bit):	4.231009444816111
Encrypted:	false
SSDEEP:	3:mKDDGMLCyLuVFOZh9n:hSKfLuVFOZz
MD5:	326F18673467B34662A43E1B7588C82D
SHA1:	A9E584530B851E014BB475FEBE51474D7E41278E
SHA-256:	4693C9628F2CFC8C789225B984CCEA576D665D6792B3CA265EF0B5D27127CAF2
SHA-512:	56B39C93DE447F73BB94F6A0EECA1E20B318CDA3CC5B5ABE14BCB0C8E6F0A066AF98D8C6DDF42A1E4B57E82747142663FAA5554E5F941E2B90C38D4C105ABC9F
Malicious:	false
Preview:	@echo off..ping -n 10 127.1 >nul..

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\APXhttp.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57504
Entropy (8bit):	6.908600489842891
Encrypted:	false
SSDEEP:	1536:5wQ0j2HOip0EdcP2dWDWoviK2SVb41Pxc73LPxA:5VOqd+vi3Sb0xcDTx
MD5:	02948F19A0488CED88F4806C959EF24F
SHA1:	D47C1439309BEF82C1CA0A623D1CBC70C259B935
SHA-256:	712B2845697459CCDF6E71BAE7FF3B423254A91EB5C85B02551B2AD2A4112EE3
SHA-512:	681182CBB8E55C0008F4D2B6141B507F51C98050F014A66D256A5252E24F8DD2AC8559D71F0F01953830DBBF840F07C57A7E520274180B5AE35329D447AA8675
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........L..-.-.-..X.-.U].-..X.-.Ub..-..X...-..X...-..X.-..\.-.-..-..X...-..X.-..X...-..X.-.Rich.-.................PE..L.....tc...........!.....R...:......@........p............................................@A................................l...........H................R..............T...........................p...@............p..h............................text...MQ.......R.................. ..`.rdata...$...p...&...V..............@..@.data................\|..............@....rsrc...H............~..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\APXmodule-2.0.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	37024
Entropy (8bit):	7.054557610794306
Encrypted:	false
SSDEEP:	768:dBdwySZ+f1RGV4NhzM8EJPxm5Yi3fPxWEf:dLtf1c4b41Pxo73fPx
MD5:	F6C740A06CF69CB38527B746C1B5C90D
SHA1:	6EE733F791DE76AE9B6EDA05F4514BBAC3D17749
SHA-256:	29B7F57469745537CABAAB229BFB9FC2084CC7BEF14EEFE734C2C3A6EBF02F48
SHA-512:	01FBCAB3ED927082F60F96E0EA6647540F333FD2CB85E6E108D5FD0FAF358C809098B2CC0F8C50CB8BEA37FA81AADF31D21DF3F043B91E71F5D330E1407086A2
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........gZ........................................................t......%..............t.......t.......t...............t.......Rich............................PE..L...K..a...........!......... .......!.......0............................................@A.........................8..L....9.......`..8............>...R...p..l....3..p...........................(4..@............0...............................text...d........................... ..`.rdata.......0....... ..............@..@.data........P.......2..............@....rsrc...8....`.......4..............@..@.reloc..l....p.......:..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\ATellPhon

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	2.091917186688699
Encrypted:	false
SSDEEP:	3:WlWUqn:idqn
MD5:	EAD3D4CBA62CAD943DCA9FA88139D258
SHA1:	244E3C37AB41854F5B221653AC42CF26A4FAA97D
SHA-256:	74228703D2D0DCF060D50F1046EDB9D7273D901E50B728AFD50A4D42BE752674
SHA-512:	7ED4C73369A9E1C7CABABD6BB9E04674FC6E1D0C7FB40F46A129B94BFF895F9C65413A4875BBCEC91F4DDDC9B3CF7FBB344CDC87CC9E636DC6843775204F413B
Malicious:	false
Preview:	MZ..............

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Agent

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.761658988442702
Encrypted:	false
SSDEEP:	384:ovAw66vILDbNRhbHeJh8+oXBjxJd5IyYQGSbdkDjkoebjDISVjNW8SCW0:ovAOQbSEln5IyYpamDjobj8ShSA
MD5:	A5DD94434C702493D4577E966134B303
SHA1:	6BFAEB811189C41521802A11E0836237CD169395
SHA-256:	A26F4219815C297C705060B77595EF76E35E9E2BEDBEB5AFB3357CDC5BA2717F
SHA-512:	C5A44A9D526C2D494FCDCD765BAF7A765E53838F53A65DF1D1CE4114FCB1186296A8FAEBEE4BD0A39A41C9E96AA3B3484E07D86FBD117BE7915610EB4EF5CF77
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.q.u...u...u.......t...u...X.....B.~.....A.t.....@.s.....E.t...Richu...................PE..L....R.H.....................h...............0.......................................b..........................................x....@...d..........................................................8...@...H...\|....................................text...j........................... ..`.data...8....0......................@....rsrc....d...@...f..................@..@l..H8.....HC.....HP......HZ......Hd......Ho...........msvcrt.dll.KERNEL32.dll.NTDLL.DLL.GDI32.dll.USER32.dll.IMAGEHLP.dll.....................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\BBC.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	710888
Entropy (8bit):	6.630506217753263
Encrypted:	false
SSDEEP:	12288:6BMGnPEAEuRNz2HuiEJe0z6h5KEuEVv4D1wEM50+OD2evinKqcQUuWnI8:6BMGnPEAEyXiEw0xXD2evincvFnn
MD5:	FAE7D0A530279838C8A5731B086A081B
SHA1:	6EE61EA6E44BC43A9ED78B0D92F0DBE2C91FC48B
SHA-256:	EEA393BC31AE7A7DA3DBA99A60D8C3FFCCBC5B9063CC2A70111DE5A6C7113439
SHA-512:	E75C8592137EDD3B74B6D8388A446D5D2739559B707C9F3DB0C78E5C30312F9FCCD9BBB727B7334114E8EDCBB2418BDC3B4C00A3A634AF339C9D4156C47314B4
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........f..............U.......U..B....U....................................................c.......c.......c.......c.......c.......Rich............................PE..L.....]d.................n...8......dB............@.......................................@.....................................d.......................P,.......g..pL..T............................L..@...............(............................text...Hl.......n.................. ..`.rdata...............r..............@..@.data...4R...0......................@....rsrc................:..............@..@.reloc...g.......h...B..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Blend.visualelementsmanifest.xml

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	310
Entropy (8bit):	5.218991813797138
Encrypted:	false
SSDEEP:	6:ejHyaVic4subiKFNFWod/OjpFFHDhkQwY7HmXXKmJpkQwYEn0gCYEnP9FN:eF8iK9WW/OjrF4CA/cX0vXDN
MD5:	B3D5B8ADD818034C991FE15C13E0B055
SHA1:	3FBFBECC2C10DE459586B3B39D2F7CB45289C8B1
SHA-256:	79F8A190196CC5B79B99A07991A34B2E5AA25989FC22121B6C17B80F4772801E
SHA-512:	3C3E233072D9F4F94DDF2AF992339F43755DE9BC4F136BC6CC2EB1255B55C97D86495B8AF415C6880D62D8904D9E2EE61B427CA13FAB08492D4341F1D2E86E0D
Malicious:	false
Preview:	<Application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">.. <VisualElements.. BackgroundColor="#2D2D30".. ShowNameOnSquare150x150Logo="on".. ForegroundText="light".. Square150x150Logo="Assets\Blend.150x150.png".. Square70x70Logo="Assets\Blend.70x70.png" />..</Application>..

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Browser_1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	3.827554659468926
Encrypted:	false
SSDEEP:	3:Ol/QfkTsfIedYRXY:OlTT2dYRI
MD5:	F1B791B8D42F4D4B5794E254F7A86BD1
SHA1:	20B839C9257D51F28C7814C99922DBCD1A1EE248
SHA-256:	174423E75513994F0205EB2D874583D791C17A391B1DD97FBCE3CAD7E7FCAE61
SHA-512:	924CA93F18CB19C2F138E9DCFA21C0E90473EC2FFBAA3AC208A26ED9944FB0FCAEDFCCAC7138A5A825EED3B4FB033653BEE4BC2F79CD9D5084156A0D9D685407
Malicious:	false
Preview:	{491EB955-8A31-4381-BA1F-FDA4C60415A4}

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Bseziof

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	129008
Entropy (8bit):	7.827316426792684
Encrypted:	false
SSDEEP:	3072:vRZzFCwH6WrKxTtcZaUMueR2ZGCApbu7n31bsj9y:pZBC66WrKDcMxR24rpbu71g
MD5:	D76420DC56BE74361FF5053D87A752A7
SHA1:	E4E95C6D322FA5007F045F969A507A79DBA24A18
SHA-256:	CAA76B91F5ED0D10ADD3F757B7412822795013547AB286906D9F3740C0501A32
SHA-512:	C96654CB012F883037DC11478256779A4859C1A8D158D53430CE83040BAA327F0B060D52A6B8C7832F6497D3F7FABEF47EB4E33C841CBB90EA5373D7263398CB
Malicious:	false
Preview:	........@...............................................!..L.!This program cannot be run in DOS mode....$........\..I=.I=.I=.2!.H=..2..K=..!.K=.&".K=..".K=..2..R=.I=..=.....=.I=.H=..".J=.RichI=.........PE..L.....*g............................0.............@.................................................................................................................................................................................................UPX0....................................UPX1................................@...UPX2................................@..............................................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.....D;..t.f8k..$...

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\DataTransform.ini

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Generic INItialization configuration [Userddress]
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.67841607960707
Encrypted:	false
SSDEEP:	6:OZPixNiKRSVWTQlY2LXmwPxhb4eR8iiLrAmXOtAvHPzT3U6g:OZaRRXQNLXmwPxhb4e7iLkmXOtqL72
MD5:	5DB5802855390316509312EA98913E3F
SHA1:	941E2FB957A5160AAD5BCBB69D4D8EEB1E679679
SHA-256:	16BA11467408450A06C599D7AFC8D3FF383EF6FC06E0FAF028CC71DCF71EB980
SHA-512:	B048090B41CE724D3F09BA82B70606F553658990F007BDB93BE41D0178DA81B210956D815EDE31319C35E86EF74CC5B0DCA69F113D066B16745DE6B7583C3E98
Malicious:	false
Preview:	[Data]..Type=UMnwio9zv2FqxxUVMR0jWJnXhzGyjuwdGhyjE7NmuwPzPTn2oWYbUgHhroi6QH..[Userddress]..Data=ya4feBPz9quDWubPmy1BrWBrJ2epxBFxdZ2u51ne4Q6dcjTemYgPRQMGN5akXwRqkmPKRMc5ptX1Mccd9HRaBLKEd0AntxumwTZx..[DataTransform_CreateZlibCompressor]..Dictionary_Rekey=A.exe..[ctrl]..ctr=SearchRun.exe..[Desktop]..Desktop=rar.exe

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\EduWebContainer.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	12840
Entropy (8bit):	7.986702439437666
Encrypted:	false
SSDEEP:	192:/ZrfidU1vKpUcMlqiP66dS2qu9wl2apxWama5IWmciIplqLngTmfqDnoKax5eq3m:Jfim1C4lqiP1dxWZZGciI62oROzl
MD5:	11F506F266C236A58D62D0F466A537AD
SHA1:	F948F8013782A3AA3F5D7BCAD62E8CC63146007C
SHA-256:	958BF016A726EDF619062E3C56CE54E6E46C9982912EB92081A2B91B2B5E50B0
SHA-512:	5E5C636D05B8D4B3F880243B001FF8CB32EC1883D86F55F78CA65CD92BA3B9BF52A84BB75CA9F98FFA423ECF683EFA22F2B584FE0B9B6C104A7EE1C145B81634
Malicious:	false
Preview:	...Y{.B....&...oy.}..F{...z..H'..."..x...... .(_.L./.5.....W.\.....;...T.J.G.MH.][a...c....2nfF.E.r<..N.F.E....n....&>..../.f.]..u...(]...M..$.#tl{.L.R...Nx.....J..2...h.e!Z=.r.Y.._.U..s..v.T.4.JQx2.._F3.+........j...V..-c\|vO.%r......d../.g.}b..!..<K.1#...OeU. ;!N..n..G..k..N...).y`~!.....Z'.d..$...-.r..z...v......>>m.... >28..{..-.l......Nv..x..#m........l.1.8..$_.......\..m........x.]f..C..Y/.(qGC.3..N.`.!(..m.C...=.<.../.P:.Zf^.dm...+.3..V.....^.D.......[K.$...E.....E.b.~.:....=Xz\..J.....uG.LWA.`p...N.ze.P.R.......U.>...{p^...;A.Rj......L.......Dcx/@}-....... .~....2'...m..>....@.`..8Km.X.N..rs....r.Z..g..h......P.~.."v.7...\...v.....rDs.Buo.......1.].c...X..:.....9 K...W5..F#^.;AoH...!.%...F.T>.g.F[.H...M.B.f....."...s..T....e.F'..HY..&6.3.k.<L.kU.......[HZh.J8l..5....C..A...=.}.?........+./.peQ#.x`.W...h..!..,.q .Q.w./k.#...Y...k.Y.\..........0v........:G.`h......f...Eq.y..........G.2......J.)..\..C."..A8.....A$..tIu.....

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	174304
Entropy (8bit):	6.858552596804119
Encrypted:	false
SSDEEP:	3072:Q0HJ5wo1/MJjozYJimE2BamDKigu/fgl1glfdjgBftJeCE5vLEnM7QrRz:/J5wUmhkmDKVuE1gQJeCERLG1F
MD5:	0D318144BD23BA1A72CC06FE19CB3F0C
SHA1:	91A270D8E872EA2A185309CA9CE5D9F08047809E
SHA-256:	60503684F39425C5505805A282EB010ECB8148BBF7EFE9BBA9CF33C507AF7F3A
SHA-512:	A3F3C7D84644B13868AC324947C2D678620E341E368B781D45F244A53F448D6B24BE7B50AC9908728DFBBB74214FCB46902137910E907F14F601518C0EFD215B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.A...A...A...,...H...,...;...,...Y...z...S...z...S...z...d...,...D...A...........C.......@...A...@.......@...RichA...........PE..L...V.]d.............................#............@.................................Z.....@.................................48..<....p..0............`...H...........*..T............................+..@...............$............................text............................... ..`.rdata...^.......`..................@..@.data........@.......2..............@....gfids.......`.......<..............@..@.rsrc...0....p.......>..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\CIM_ResourceAllocationSettingData.xsd

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (342), with CRLF, CR line terminators
Category:	dropped
Size (bytes):	8108
Entropy (8bit):	4.965236708426262
Encrypted:	false
SSDEEP:	192:MuZUkwsSwZhuV3wM3DwuMu93wv3Dwui4Cya:MuZUkwsSwZhuV3wM3DwuMu93wv3Dwui/
MD5:	A77B71F6E5FE1F50065AC8A15796AFEB
SHA1:	80A83A247FFD47529419873B32E02852B75D47AF
SHA-256:	D02D5181E13AA96B67AB75F51C03AB1F1286F7A28FD92ACA3021E4E694A4E2E8
SHA-512:	E5502B347C545C4460ABDA78242B238D83AB4645F0495D933B4C419CB4872520915E13C8A6F5137B260B000C690145A8139A7FF47286BC9875531F74167B50A8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>... Generated by WBEM Solutions, Inc. SDKPro 3.0.0-->...<xs:schema xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:class="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData">...<xs:import namespace="http://schemas.dmtf.org/wbem/wscim/1/common" schemaLocation="common.xsd"/>...<xs:element name="ResourceType" nillable="true">...<xs:complexType>...<xs:simpleContent>...<xs:restriction base="cim:cimAnySimpleType">...<xs:simpleType>...<xs:union>...<xs:simpleType>...<xs:restriction base="xs:unsignedShort">...<xs:enumeration value="1"/>...<xs:enumeration value="2"/>...<xs:enumeration value="3"/>...<xs:enumeration value="4"/>...<xs:enumeration value="5"/>...<xs:enumeration value="6"/>...<xs:enumeration value="7"/>...<xs:enumeration val

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\CIM_VirtualSystemSettingData.xsd

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (332), with CRLF, CR line terminators
Category:	dropped
Size (bytes):	5951
Entropy (8bit):	4.95379352101584
Encrypted:	false
SSDEEP:	96:IHpusmyEYtpusmyEcpusmyEf6dEvrgeUKMvLm0n/:4usm0zusm+usmLtVUKmLma
MD5:	8737313A1CD47D1BD415F4CD7C8D5A35
SHA1:	C3FE8ED373DD8807DC56B8ACD807A01163BA1945
SHA-256:	190C096159A5286655707E1141EEFFCE86484AC48DE4F54CBA4CD44C59868CDB
SHA-512:	C3090FC492DC1C875715B1A82906F7466CA63AE5BDFAB0A7730DBEDAAF622ED7FC5471D9F036813D423C33CDB4CC80BA9A8AFCC8387E365FDB7148B84BF2BB8B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>... Generated by WBEM Solutions, Inc. SDKPro 3.0.0-->...<xs:schema xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:class="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData">...<xs:import namespace="http://schemas.dmtf.org/wbem/wscim/1/common" schemaLocation="common.xsd"/>...<xs:element name="VirtualSystemIdentifier" nillable="true" type="cim:cimString"/>...<xs:element name="VirtualSystemType" nillable="true" type="cim:cimString"/>...<xs:element name="Notes" nillable="true" type="cim:cimString"/>...<xs:element name="CreationTime" nillable="true" type="cim:cimDateTime"/>...<xs:element name="ConfigurationID" nillable="true" type="cim:cimString"/>...<xs:element name="ConfigurationDataRoot" nillable="true" type="cim:cimString"/>...<xs:elem

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\DrawContent\DrawContentNoname.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144872
Entropy (8bit):	6.1033991888043255
Encrypted:	false
SSDEEP:	3072:Poib/ncfh8z2geq5CpLFuAzpXDGX12HBt:zb/6RpugpY2HBt
MD5:	D0C679D73048A8AF8C5F483BDBCAF0A2
SHA1:	6AFEBA5B8C5A390B2A487590A5EE7E10ABFEFE6F
SHA-256:	952451312864D1CF98C137EF6B5048F325325CC1237B1D1DB26819839ED7FC27
SHA-512:	BCFF13C8FD3B01AA5F8BA54D91ACE7E74EF5A370808B517471271FE39318938DECAFE5A40D26A94D46D3DBB2E5EB152209828269EC86B210B04C3C13B13DA23F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'.I.Fz..Fz..Fz.+...Fz.+...Fz.+...Fz...~..Fz...y..Fz......Fz..>...Fz..F{..Fz../s..Fz../...Fz..F...Fz../x..Fz.Rich.Fz.........................PE..L...N.;^.....................<....................@.......................... ............@.................................T...P....@..................PC..............p...........................0...@............................................text............................... ..`.rdata...\.......^..................@..@.data...L.... ......................@....rsrc........@......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\LICENSE.3rd

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	6264
Entropy (8bit):	4.246298126375936
Encrypted:	false
SSDEEP:	3:Pf3v3vP3X3P3PPnHnPXvHf/H3PnXnPfnPHnvfP//PHffH3H/v3PnfHXP3vP/P3Pr:b
MD5:	DDDAB64301999870824A2CC0E358689B
SHA1:	664263BF0641B55AF72EFBB6A9AB91AC77673D54
SHA-256:	DAAA8FC859B10444E218800FC15E2E7560EBF59E269BB58DD8D82C9305F73C6E
SHA-512:	DABA1DC82031056430E0150DAD18B43BB3D4A6AFD67E802BC7F867D274E1221F5BB9C12EA3213148FB6114FB79559C86E141C75D828ADC11F7C4372E70072827
Malicious:	false
Preview:	"z.rz.....r.b...z..bz..bJ.rjRjR*..B.2zbbz.Jr:..z2.....j.....Jr.b."".Jr..BJ....z"....."J....JjR...z2..r..z2..BJ...z2.....J..:z..r".....B...j..z2..B.bJ.r...bz..jRjR"J....J.j..J.bJ.....jRjR..J..r.....R..Z..JZ.z.B.R..Z..JZ.zr"ZJjR.z..J:B..B.J.....j......R..Z..JZ.zrjRjR.BJ...z".j.......".Jr..zj.Jb".2z.j.Jr..r.......z..".J.r..B.jR.z....2Jb..j......"J...J...".....r..j.r....z.J"Jr:.J..J.jRrz...zb".2z....z2J...J.Bz....B....Bz.....J..r..zr.r.b..r"jR..z.J"Jr:..B....BJ..rz.J...r"..B....Bz...r.j.J..Jr.b.""rjRjR.BJ..2Jb.J....z.J"".....J....J.B.rz.....".z..Jj.bJ"......r..rjR.B....Bz.........rz.bJ..JbJ...J2.J.........r..".j.:..z..z..z...z..jR.zj......B...z..r.J.:..2.*b..z."zr:..B...b.j...z...J.rjR.....z2...:.rjRjRjR..B.2zbbz.Jr:..z2.....j.....Jr.b."".Jr..BJ....z".....".JbJ.jR...z2..r..z2..BJ...z2.....J..:z..r".....B...j..z2..B.bJ.r...bz..jRjR.z..J:B..B.J.....j....b.".JbJ..".bz....jB..r:.B...:j.Jbr.zjb....*bJ..r.:j

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\LICENSE.libcodecs

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	311
Entropy (8bit):	5.363090655038483
Encrypted:	false
SSDEEP:	3:EGLzVYRFoUgLhHx0iFolaXM+MA3GtfX2SMOFrNNRJhl//bB9bPL9RbtBnbPZrVTF:EGLzWF65x0mq3kJO9NX
MD5:	433000AA79D90F93C87E11F86A786F67
SHA1:	A1B8B8F69884A4CE9BB433D96ACBED3337C5AE5E
SHA-256:	08E569EEABC5D4082F4A59142F22534FF57F12F991CD4E1A36811511799EF109
SHA-512:	DB752A2D65D8F276D6225A7C478EB1674EE3B0829CA57272A54D55C1C9E25A9E9DDD93699E41D6CF53E36313C8DDF4C0C034EDAC765139124620F0E5FFA99E8D
Malicious:	false
Preview:	libcodecs is part of the "Huorong eXtendible Stream Scan user" project copyright by Beijing Huorong Network Technology Co., ..6...&,:8 648..,...4&4<.46.."64....4..4.$.. 2...4.pbT.f4..4..p4"4.<&.^.:&,8.f,84".4..fp^f......V.4.2.&&.. ..84.8 64. 2.&,:8 648..,.." .. ".p,.n.:..........0,...:.8 $..<.6...&,:8 648...

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\LICENSE.libdt

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.406360206907183
Encrypted:	false
SSDEEP:	3:EBjMWEXRFoUgLhHx0iFolaXM+MA3GtfX2SMOFrFjJ//bB9bPL9RbtXhbZrVTl/9z:EJuF65x0mq3kJO9/
MD5:	5E48AE384DD6874C64E8129FAA0F4D1F
SHA1:	9A7A273EC1E97FA80304A51A5874E2C40E68D993
SHA-256:	4CA63968FCBE57FE9A9079DBEA85375B6129ABFF45CFB42E24A7F1DDF044943A
SHA-512:	20552DEBAAACF783BB128EB2A619125507921E9E3971EE43EA9613F681FBFD3BA711CD774E1DB9EDD7B56C36D1181DD42D8BB73C0AAE0CA3BEFA20E0B482BC17
Malicious:	false
Preview:	libdt is part of the "Huorong eXtendible Stream Scan user" project copyright by Beijing Huorong Network Technology Co., Ltd.....:6..,...4&4<.46.."64....4..4.$.. 2...4.pbT.p4"4.<&.^.:&,8.f,84".4...4.., ".......V.4.2.&&.. ..84.8 64. 2.&,:6..,.." .. ".p,.n.:..........0,...:.8 $..<.6....",8 ."..

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\Microsoft.VC80.ATL.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	376
Entropy (8bit):	5.187860451409661
Encrypted:	false
SSDEEP:	6:TMVBd6OjzIIBeBXVL9obRu9Td8gH9aO/5TMiX1+jSQdS1vwIgVf+ZaYf7:TMHdt4IBeBFLOwHR5TNl+rmxgVKaq7
MD5:	0BC6649277383985213AE31DBF1F031C
SHA1:	7095F33DD568291D75284F1F8E48C45C14974588
SHA-256:	C06FA0F404DF8B4BB365D864E613A151D0F86DEEF03E86019A068ED89FD05158
SHA-512:	6CB2008B46EFEF5AF8DD2B2EFCF203917A6738354A9A925B9593406192E635C84C6D0BEA5D68BDE324C421D2EBA79B891538F6F2F2514846B9DB70C312421D06
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>. Copyright . 1981-2001 Microsoft Corporation -->.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable/>. <assemblyIdentity. .type="win32"..name="Microsoft.VC80.ATL"..version="8.0.50727.4053"..processorArchitecture="x86". />. <file name="ipaip1.exe"/>.</assembly>.

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\Microsoft.VC80.CRT.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	314
Entropy (8bit):	5.140999301390513
Encrypted:	false
SSDEEP:	6:JiMVBd6OjzPbRu9Td8gH9bZELrbvm/53SMiX6+hPABdS1FggVfgk5Z:MMHdtlwHHJ53SNK+hPIRgVR5Z
MD5:	710C54C37D7EC902A5D3CDD5A4CF6AB5
SHA1:	9E291D80A8707C81E644354A1E378AECA295D4C7
SHA-256:	EF893CB48C0EBE25465FBC05C055A42554452139B4EC78E25EC43237D0B53F80
SHA-512:	4D2EC03FF54A3BF129FB762FC64A910D0E104CD826ACD4AB84ED191E6CC6A0FEC3627E494C44D91B09FEBA5539AD7725F18158755D6B0016A50DE9D29891C7E5
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable></noInheritable>. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86"></assemblyIdentity>.</assembly>

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\common.xsd

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	6812
Entropy (8bit):	4.737569607251046
Encrypted:	false
SSDEEP:	192:z6H9K9r24/jtVOuVG/PCGHhWrrIafb7fL5qlz+DLSQ7LXOgF:VNtLz/Y3xB6rPPlyz+Dt
MD5:	D7216C4C115C30D3DC996F339C2197E2
SHA1:	9C90B140316FFB6AF090BD80DF40EA744D555B11
SHA-256:	946C1E2C50EA753E2CF3F40CB4A83C319E0D5693C3B017AD3F9811792319D2EE
SHA-512:	9A0F133B8517B86A29AAA0F541573842A4B76D6DE30C1167D4EEB2F08D0568CE94ABC81341049BFA328D85DFDC8D8B74177B9A896107C2438168EA4EA5B47FC6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8" ?>.... DMTF Document number: DSP8004 -->.. Status: Final -->.. Copyright . 2007 Distributed Management Task Force, Inc. (DMTF). All rights reserved. -->....<xs:schema targetNamespace="http://schemas.dmtf.org/wbem/wscim/1/common".. xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common".. xmlns:xs="http://www.w3.org/2001/XMLSchema".. elementFormDefault="qualified">.... The following are runtime attribute definitions -->.. <xs:attribute name="Key" type="xs:boolean"/> .... <xs:attribute name="Version" type="xs:string"/> ...... The following section defines the extended WS-CIM datatypes -->.. <xs:complexType name="cimDateTime">.. <xs:choice>.. <xs:element name="CIM_DateTime" type="xs:string" nillable="true"/>.. <xs:element name="Interval" type="xs:duration"/>.. <xs:element name="Date" type="xs:date" />.. <xs:element name="Time" type="xs:time" />.. <xs:el

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\hi.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	8544
Entropy (8bit):	4.277108053686666
Encrypted:	false
SSDEEP:	192:WvI+bMk4g+7rdT2sc4EtGXQgcWh8bvPgLIjJQ9tkTjIkja4tEDIzqIrpKaF13aSy:Wv9oq6rdT2T4EtGXdF8jPgLIjJut2Ik0
MD5:	E34E94531BAF8957EBDFB5ECCDC52635
SHA1:	D7139BDF34F6F167456014D4D5E16CFDFCC18214
SHA-256:	5AF2CC87FE9FA69DA65C990070EE17AF3F612E3883621BD2474161BB508E454F
SHA-512:	CF3F4BCF0F5DC35BFC77594FD8AD4E9C6BF32291DAE2298C84B3A465EDB4B75851C0A58F39BB6828EA69E31293E5A4DA5DAA29F4B3F31306F37941491992FC58
Malicious:	false
Preview:	..........N.....N.....N.....Nr....N.....N.....N.....N.....N.....N.....N.....N.....N"....ND....N{....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N1....Nb....N.....N.....N.....N4....N`....N.....N.....N.....N.....N.....N.....N.....N=....NI....NU....Nd....Nv....N.....N.....N.....N.....N.....N.....N/....N>....Nw....N.....N.....N.....N.....N.....N.....N'....NX....Na....Nm....N.....N.....N.....N.....N.....O.....O&....OI....O~....O.....O.....O.....O.....O^....O.....O.....O.....OI....O~....O.....O.....O.....O4....Ov....O.....O.....O.....O+....Og....O.....O.....O.....Oy....O.....O.....OV....O.... O....!O...."O....#O)...$O2...%OA...&OS...'O_...(Ox...)O....*O....+O5...,O....-O.....O..../O....0O....1O"...2O....3O....4O]...5O....6O....7O....8O....9O&...:O....;O....<OB...=O....>O....?O....@Oc...AO....BOo...COY...DO6...EO....FO%...GOD...HOk...IO....JO....KO. ..LO' ..MO6 ..NOO ..OOq ..PO. ..QO. ..RO.!..SO.!....`!............... .......

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\hr.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4256
Entropy (8bit):	5.476332948782519
Encrypted:	false
SSDEEP:	48:nizQz4KzjHCKvMzSBvdI0s4TkqZfDhPhbdAQv7Dg3M3Y2UUzgJJC+Mo1tMoIJcAO:i8z4KPnM+JdLsY5xDhYrhRjaBVI7vr
MD5:	7CD82242FDDA155F0DC4C830A73225C4
SHA1:	436A156C8016B96B83B11931FF9562F29D805977
SHA-256:	0096FD57392462D010E9B4DDDA4D021A8B5E5BA78FF097958C1E7A00EC175A2B
SHA-512:	2C5133E3673D8470AF6067AF2E5B7D2150B71D3D87379CD94574F72E3CA2B251C08C7F7F530F705CB2EDD8D96263BA9A205346B5704238FC748180235C6809EE
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N ....N&....N.....N6....NE....NU....Nd....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N&....NF....Ng....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N3....NA....NG....NR....NV....Nc....Ng....Ny....N\|....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....O$....O,....O9....OZ....Oj....O{....O.....O.....O.....O.....O.....O.....O!....O.....OO....OS....O]....O{....O.....O.....O.....O.....O.....O.....O3....OO....Og....O.....O.....O.....O.....O.... O)...!O5..."O@...#OF...$OL...%OS...&OY...'O_...(Ou...)O....*O....+O....,O....-OZ....O..../O....0O....1OV...2O....3O....4O....5O....6O....7Oj...8Ow...9O....:O....;O....<O....=O....>O....?O....@O8...AO....BO....CO....DOe...EO....FO....GO....HO....IO....JO....KO....LO....MO(...NO0...OO7...POR...QOj...ROr...SO}.........DetaljiSpremiOvaj je indeks mogu.e pretra.ivati. Unesite kl

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\hu.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4734
Entropy (8bit):	5.650888808404625
Encrypted:	false
SSDEEP:	96:+AA8bFIK4pwdJj/JqLn5yEnxSabw7rMVrCtZcqRcU+EFUkozbFFJOHVOrS:FAmkp4JjJqLnoxscZcqRcnEmko/FPO13
MD5:	8C5F95F081F6A23A2D058562A24224FC
SHA1:	0D8E3138654B66998341B1B4D07CB6E0CCF56DA3
SHA-256:	2288098F91E90D5F5583A42ACDB4D278A8438656A190EBC57FCC034FA0110054
SHA-512:	4D4A183A07B4014848DD5B50F520BA43ACDB37C8A2E280E32CC080A6FCDE8EE5D758CD0ED71A104E6FFDF3566BAE08A1141D666E0951344D98F802C9381875B0
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N"....N2....NF....N\....Nt....N\|....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N"....NL....Np....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N+....N/....N5....N=....NS....Nc....Nj....Nz....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N$....N9....OD....OS....O]....O{....O.....O.....O.....O.....O.....O.....O.....O,....OI....Ob....O.....O.....O.....O.....O.....O.....O.....O.....O.....OL....Oh....O.....O.....O.....O.....O.....O....OH... Oe...!O\|..."O....#O....$O....%O....&O....'O....(O....)O....O....+O+...,Oy...-O.....O..../O3...0Op...1O....2O....3OP...4O....5O....6O....7OH...8Oh...9O....:O....;O....<O....=OE...>Ok...?O....@O....AO....BO[...CO....DO....EOt...FO}...GO....HO....IO....JO....KO....LO....MO....NO....OO....PO....QO=...ROF...SOQ.....~...R.szletekMent.sEz egy kereshet. index. .rjon be keres.si

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\lco.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	7.307434278749024
Encrypted:	false
SSDEEP:	384:azbge2/99IpWUFyCKaMgXGT/bl55oqyfvN:azb619IpWUFyQiB55aH
MD5:	E057AA4A56A9A2A628A8053F25A27D7D
SHA1:	D839E5258BBDB871C746C2CEF52E336487535C47
SHA-256:	2519081ECA56FADCF3B62E7CB22E55A1F839B9055E9F1E404FC28145D149E913
SHA-512:	D968AA76B1483A14B7D829C755A99C7AD09163D18DA6806F23B3A33664292F16A4695B596B0D2BE619A3B6DC909CFCB8CB7FF236641D1CC012E4F438364945E7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y.P_=.>.=.>.=.>.R.5.<.>...0.0.>.R.4.'.>...c.>.>.=.?...>.i...<.>.Rich=.>.........PE..L......@.................0.......p................@.............................................................................t...................................................................................................................UPX0.....p..............................UPX1.....0.......,..................@...UPX2.................0..............@..............................................................................................................................................................................................................................................................................................................................................................................................................................1.20.UPX!....

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\li.dat

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.3431390622295662
Encrypted:	false
SSDEEP:	3:dU6mWhRE4Qm5In:vmWhlQ6In
MD5:	233B4AAF620B36D5569FFB334806A663
SHA1:	99E4C2ED4447B3CA2772F11374E7EC22DF06A04B
SHA-256:	C0F5633F8058E6CF0FEF5CE6AB91438663A1AE2670CB49350E095D8F667C9870
SHA-512:	24F4006DA19AE7B10408250AB326DB4EABE6E782BECCE130C0F25D2D0E43E738624CFD490BFAC0A8A6BD6E164C01FB76CD69BC050AD0BBF3052A854A516B0170
Malicious:	false
Preview:	47AE4CA89C38F4D75F115CF41887F878

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\livehis.dat

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\package.json

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Non-ISO extended-ASCII text, with very long lines (766), with no line terminators
Category:	dropped
Size (bytes):	766
Entropy (8bit):	4.058458203323675
Encrypted:	false
SSDEEP:	3:Hf3xVxLvT5X9dz7bvfdz7JvV7zVBtD33pRXhXDhRZDR7z9fjdzp93xh/Td7f11tx:v
MD5:	5E41AD36487EAB944983A14C9C124D93
SHA1:	B8B098B88CBFF2F64589ABDBE7FBEFCA7C99FE3C
SHA-256:	26C6BCF0EFF67807AEB9F2F407D06DF653B99724AFAD9C9A9B8129DB7D8C3FAE
SHA-512:	F876BD1E49BB0C0B0660E14DD2D95C75F2124AFDE00D095674E53D0440B7BA7B89BC1A2576A9FE755B5C727E5808DB1C8A127CE4E4B2C124257412B76A200FD2
Malicious:	false
Preview:	....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\rpi.dat

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	972
Entropy (8bit):	5.7488500702321135
Encrypted:	false
SSDEEP:	3:Fjjlnn5tllNTFllxXxjX/DNZH1/HnDD/trvDlL5TrjJrdbXZVtX5L3dlj1b1hX7x:r
MD5:	6513F31AB6F308B0B8802FA04C450122
SHA1:	AD3D14C5F78B5C2F2C4DAE06A486156A7B4126E9
SHA-256:	1445C8422A8FF14D8414300B819CBF2340A03A64158FCF7A3CCF76FDDB10DCA2
SHA-512:	CFB2754253E71B48EB6D69BA93641D06C0608C38FFFDCE2F5E54CED002997C9821299BADF26D95B2D84A41F13CA96A4F9D1C5E38D52DB2934AEF64C988844D98
Malicious:	false
Preview:	....0...............b.\.`.\.`.\.b.`.`.b..............................................8.......................................................................\.........................................................................................................................X.4(.~x.x.b...P.....Jt....f......VD....H.V.Z..~v.8.&h.x.x...F`....J.P\|.2.P....h....F..j...h\|......~r.0..:...DD....>.B`2..x.FP......H.4.P.............x.....P....... .........6j4......X4H.z..D.x.b.....Nt...l\pn44.@.n.........&......t2. VP.tx6.4..F..h.^..v.^..6.L.....n..\|0@.R..P..x.J...(..lj.....&n..~.dV....td.B.....F..2:~...l..X\..0.`.....<.&.....@.N... t.z...Pr..Z..t..L.h...L..t..:.$..<.vx~..$>....L.xb.xJ......L&v..v4x.p.."B.@n.6....,.(V.x.R>64.....v...~...J.d..&......\JH.t..V...".0..n.TPd..,0......0.2.r.\|.....:....2n...v..6...P..D....$.....8.&r.Fh(.d6.....J.n....$"...Xz<.2B~.z..H.....BV.X..\,.2.j...`..h@...j......8X((.b..6(B.@D..b...6j..l&0T.<.(.T..

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\slist.dat

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	2356
Entropy (8bit):	3.7394907365919403
Encrypted:	false
SSDEEP:	3:nFrrxzj79bNZbHNbZdT9LbdHr/bfblpbdXzbrbrVd9P7XF5V3Rbb/NjbdbF9X1TH:R
MD5:	3CEEBAAA7FC6344B0274AB9274DEEED7
SHA1:	38832454403400441F9824C2265256A650C947ED
SHA-256:	F526024533673E6F167903F21978017EC712566E9EA1DD249671F119719F8DE9
SHA-512:	3E63A0F5764A59E77E5B0C4680DCCB33D1D52B4E622F84762D9949B736A6BDAB416BC72F3D2501BA90D46414186EC2C42677D1528E7186128D96082C32CB00D2
Malicious:	false
Preview:	..$.......................r.r.\|...........z...r.x.......x.....\|.....\|...x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F.....6.<...4.F...V.\|...........8.<.:.............................x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F...<.2.4.$. .".F.......V...<.....4...4..........H.\(X(N......$.........x...\|.z...r...x.r.........v.......x.z.....t.x...z...........x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F.....6.<...4.F...V.\|.\|.....v...8.<.:.............................x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F...<.2.4.$. .".F.......V...<.....4...4..........H.\(X(N......$.........v.......\|.\|...............z...\|.....t.......................x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F.....6.<...4.F...V.\|.t.r.......8.<.:.............................x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F...<.2.4.$. .".F.......V...<.....4...4..........H.\(X(N..

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\version

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	F1D3FF8443297732862DF21DC4E57262
SHA1:	9069CA78E7450A285173431B3E52C5C25299E473
SHA-256:	DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119
SHA-512:	EC2D57691D9B2D40182AC565032054B7D784BA96B18BCB5BE0BB4E70E3FB041EFF582C8AF66EE50256539F2181D7F9E53627C0189DA7E75A4D5EF10EA93B20B3
Malicious:	false
Preview:	....

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\HoursBroker\xml.xsd

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	9123
Entropy (8bit):	4.770624688403829
Encrypted:	false
SSDEEP:	192:FavQwyIregmSPwTy2k/3EeEQ6xGbd81PyCmD0DE:UvQwytg1425vE5bPEADE
MD5:	9FE2776E8A9D4BCFEE812A69F37DDABD
SHA1:	6264C527A996806B0C439F17C56B2E96DBF0FA82
SHA-256:	0BCA167A1B2FAABF9F2BB59A7C55C09B25C71974DB4D6125F91A14B7071F5E9C
SHA-512:	89D00A7602FC47858A0B0ADC81CDF4F63CBA0728EDA0B9824EA9DCC09B39A596A61034DA5001377444D6B6E07B454028DF528E722F5D2D268A50B296E2990259
Malicious:	false
Preview:	<?xml version='1.0'?>..<?xml-stylesheet href="../2008/09/xsd.xsl" type="text/xsl"?>..<xs:schema targetNamespace="http://www.w3.org/XML/1998/namespace" .. xmlns:xs="http://www.w3.org/2001/XMLSchema" .. xmlns ="http://www.w3.org/1999/xhtml".. xml:lang="en">.... <xs:annotation>.. <xs:documentation>.. <div>.. <h1>About the XML namespace</h1>.... <div class="bodytext">.. <p>.. This schema document describes the XML namespace, in a form.. suitable for import by other schema documents... </p>.. <p>.. See <a href="http://www.w3.org/XML/1998/namespace.html">.. http://www.w3.org/XML/1998/namespace.html</a> and.. <a href="http://www.w3.org/TR/REC-xml">.. http://www.w3.org/TR/REC-xml</a> for information .. about this namespace... </p>.. <p>.. Note that local names in this namespace are intended to be.. defined only by the World Wide Web Consortium or its subgroups... The names currently defined in this namespace ar

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\KwCommonUI.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1020288
Entropy (8bit):	6.392670889032173
Encrypted:	false
SSDEEP:	24576:m25q2rSATcolN/NKEM7GYNzOgcW6tAhc7rgnFEwXXfe5V2:m25q2rPlN/NKEhYNzOgcW6tAhy6EwXXb
MD5:	C87054BA4A83C6CA19977C446A722A7C
SHA1:	5743B16BC6D600E27B66D13CC04208BAE2A9A880
SHA-256:	6CB166C1895FC7DF5235658E3963C82200BBE5E71005FDB4F8744657A7F49B09
SHA-512:	87449A5FEF2B2B77198E0D946452F8E05B8F2B7ABAE239EDB2B848BD5E3F7A332A208DE71CAC7912D788CD1C47F80FA2BE9ED61DE2F8EA378E610A1DC0C46A9A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c..('.`{'.`{'.`{s.Q{%.`{.V.{!.`{...{&.`{...{".`{...{+.`{'.a{.`{.V.{2.`{.V.{&.`{...{4.`{...{f.`{...{&.`{9..{&.`{...{&.`{Rich'.`{................PE..L....,WT...........!.....<...8......c........P......................................`...............................p...30...t..T....................x..............._...............................................P..P............................text...-;.......<.................. ..`.rdata.......P.......@..............@..@.data...@...........................@....rsrc...............................@..@.reloc..r...........................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\KwLayoutMgr.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	287616
Entropy (8bit):	6.429805120462574
Encrypted:	false
SSDEEP:	6144:54s5ND8mRd6PUep7GdwmT+8b/IgcyIFoWIBOtBp2HsoM:5D5ND8mRd6PUep7GwmT+c/hOIg2Mp
MD5:	F260AF60120ECE46C499BADA5B4277AD
SHA1:	F1790AAC72B10A4BD4D88E9A143B96BE996197AC
SHA-256:	D52D01E382EA39D005F7AD2F3C13DA45B4DE4779608E08A9FB1AD5630D122043
SHA-512:	19FA19716965E0034AD57B0CE15BFF54DEC67D3C7E73408ACEC2E642E82DE4AC1E0C42E19CA58C494A1F95014980FDBDC9D904701F2CB421C993B9660F3C5C89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............@...@...@...@...@{.C@...@.@@...@.V@...@.Q@...@.F@...@...@...@._@...@.G@...@.A@...@.D@...@Rich...@................PE..L....,WT...........!.....B...................`......................................X.....@.........................@................0...............J.......@...2...d..................................@............`...............................text...T@.......B.................. ..`.rdata..#....`.......F..............@..@.data...\...........................@....rsrc........0......................@..@.reloc..tD...@...F..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\KwLib.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	306048
Entropy (8bit):	6.678408876122077
Encrypted:	false
SSDEEP:	6144:YxgkPaSM1AoCbO0PSyTws4H9pAKz6QRWO2TBdHRrtYOttYO7l:YDPaUBKODmH9pdXRWO2TR/
MD5:	2E63EA70505847A7DB340F5004FDDE71
SHA1:	A4DA7AFF18A9A747490633F5490959BAF75658B7
SHA-256:	87AAB5BBBD2360C819B4E58BB0667693147764BA39FCDCBD3549ECA1D57355E3
SHA-512:	7DF80C017E2F5D1E40CB41795F40E82025B5ED188BD5AF4C812D24F9E8C77438C259417E8592C4D528D37DA495815A057623CCFA67DF35B27980847DBA91AEF5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........L.}...}...}.../D..}....S..}..M2V..}....U..}....C..}....D..}......}......}...}...\|....J..}....R..}....Q..}..Rich.}..................PE..L.....4T...........!......................... ......................................&.....@.............................Fk..p...................................L....%..................................@............ ..\|............................text............................... ..`.rdata..F@... ...B..................@..@.data...(....p.......N..............@....rsrc................T..............@..@.reloc..f8.......:...X..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\KwLogSvr.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73088
Entropy (8bit):	6.419370395015747
Encrypted:	false
SSDEEP:	1536:OD24dyONDcOUOM498ldXs2xnQ+xcLP0OK2LBaNwF:X4kOO498laIQ+xcoOK2LBaNwF
MD5:	15F1FEC47E3AC4A2AE67BDE110CA698C
SHA1:	84EA58DEA72D9FE5B36ED64BEF2C19A43DF90EC1
SHA-256:	003D0E9F37639687CD72F8499743F88B54388A81E4322260280A70C0E601AE21
SHA-512:	C42E8F04FBFCE139D8365CC69CC161469FBB5443A2ACD9CCBBC584F85B04ABE2DFDDCAD1D53ECFB2AB54EBF004F5F10B730A2E677BBABFAD56400BEA7371AEEC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P.r.1.!.1.!.1.!%~@!.1.!.IC!.1.!.IU!.1.!...!.1.!.IE!.1.!.1.!>1.!.IR!.1.!.ID!.1.!.IG!.1.!Rich.1.!........................PE..L....,WT...........!.........V..............................................@..........................................B............ .......................0..........................................@............................................text............................... ..`.rdata...<.......>..................@..@.data...4...........................@...ConfigVe............................@....rsrc........ ......................@..@.reloc..:....0......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Lastnama

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:I:I
MD5:	C2AEE86157B4A40B78132F1E71A9E6F1
SHA1:	162CDC2A8B567050EAE25592EEEDAF33464A7A76
SHA-256:	46DB1CA7F3598C26C3E6C8D99E3ED95D2B1C76DB040B8F8CD29AF723EE086077
SHA-512:	784CC010C961A58B42984A4EC538D299AB92C01CB95171C220FD26C473491F839FD032960DC148C866DA45411D4ACB93188F0F7857F6F2C09DDF3E9FF50248DB
Malicious:	false
Preview:	892

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Lastname

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:U:U
MD5:	43FA7F58B7EAC7AC872209342E62E8F1
SHA1:	F022DA4E40566305C0C8F39FD8F4B83DD5368834
SHA-256:	96BB293AAA330EF307EE004448B92B75FFDC25ADE2831ED23FC60FFA97FFFB7F
SHA-512:	64B5514668BDBE6ABE7F86ABD790005F46D593D8E3EFB785C87DD8BA9035B8BC5FC72001DA81883391B690A5191057062EE711401C3E95C1935A3D3FFED138FE
Malicious:	false
Preview:	816

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Lastnymc

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:kQn:kQn
MD5:	82F2B308C3B01637C607CE05F52A2FED
SHA1:	75D2A5A3C528920D00425F29099EED114B9134E0
SHA-256:	5C3E9040008C91509E2D28E5308034B677D4E2CC0B386863D4883BDB747EBA1C
SHA-512:	91CCE11EEDA35FD527AC3DDBB930281FCB14AF0EE46412D7A389B59AEA3F8D56F3D46E2EC3BE167406AC4D8FBBD4F7C1246C8F1E30384FDC913703A48D36E4BD
Malicious:	false
Preview:	725

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Lost

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	14
Entropy (8bit):	2.8962915290459277
Encrypted:	false
SSDEEP:	3:ceROon:ceoon
MD5:	ED448BE0DA6329AA44A4B0C9B74A87D4
SHA1:	97EBD28C7A40DB56814BEDAD8B869B2BB8D3F00A
SHA-256:	5502EC5E01AC01F4ED2F6E1991B73DF9894568458A396A97AF06DD2965C63C1F
SHA-512:	5C4435346F31AC75FBE426CCE8F878B52A14AC1B060191C7D713EEA57DE2E22D93F83D49FA3C5E07A4BCF5BAE89C7C804930D364587C36390B8ABDD659F15E34
Malicious:	false
Preview:	(*,4()"4.)4++"

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\LostHe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	9
Entropy (8bit):	2.197159723424149
Encrypted:	false
SSDEEP:	3:1Z:1Z
MD5:	0D7C1D8AE080978B8436817C87C11684
SHA1:	C83087520942084476EF74151BF451A0557993DE
SHA-256:	53D24F3BC80C44785C7645F347A17942B607CAA451FC2337F458EA0A73F920AD
SHA-512:	8605C26C90441DFC7DEE0C5816DF5DDCEF42D4A02DE7D819936A60C10A57191AD67F0B95F23FE8CE085EF5F156FBBC57303B44A995AB13B2B8CC941AAB73FEFE
Malicious:	false
Preview:	.cf......

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\LostP

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.9219280948873623
Encrypted:	false
SSDEEP:	3:mn:m
MD5:	BC3A47AE14C1EE186861D38F665DB38E
SHA1:	5990206CD8DAFCBB07948322395490DEBD04F9CF
SHA-256:	54BCF265FBF2D10346018F48C6BDFE3B663955739079006E2D6AF6720F44756E
SHA-512:	505A7A420FD3D539300B1E074F1717C2FC221BAEC5A94F6DD968C30751D54F21F2E81276A7F35A033E9FCEE3F1F80149746540974208E111AB1AA505EBEE6546
Malicious:	false
Preview:	,)/,#

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\LostPHe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	0.9182958340544896
Encrypted:	false
SSDEEP:	3:tH:1
MD5:	E62595EE98B585153DAC87CE1AB69C3C
SHA1:	40B904FD8852297DAEAEB426B1BCA46FD2454AA3
SHA-256:	38760EABB666E8E61EE628A17C4090CC50728E095FF24218119D51BD22475363
SHA-512:	84387A560C74CD17A3E1D618181BD7734CACDB1D7B5A52EDF20FBB27C4FEFE25BD4F839C12E842C61CCD57308FD6A6B3987DC237ACCD213B9818D751C3990C10
Malicious:	false
Preview:	aab

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\LostPShe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	0.9182958340544896
Encrypted:	false
SSDEEP:	3:tH:1
MD5:	E62595EE98B585153DAC87CE1AB69C3C
SHA1:	40B904FD8852297DAEAEB426B1BCA46FD2454AA3
SHA-256:	38760EABB666E8E61EE628A17C4090CC50728E095FF24218119D51BD22475363
SHA-512:	84387A560C74CD17A3E1D618181BD7734CACDB1D7B5A52EDF20FBB27C4FEFE25BD4F839C12E842C61CCD57308FD6A6B3987DC237ACCD213B9818D751C3990C10
Malicious:	false
Preview:	aab

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\LostShe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	3.0269868333592873
Encrypted:	false
SSDEEP:	3:q1vC:q1vC
MD5:	213802ED7972AEAFE6237FA1453F1FD0
SHA1:	794A4B01CD429D110180DAA19204A098C42F11E6
SHA-256:	398380CF3867FE7C45A44E02C5542299346B631E627DB931B1FB4C8BE82C58E7
SHA-512:	FE6CFC85A06969389B3AE345C566AFEE7F55F011425070B9AD6342F474266A440EFBA98EA8181DF1AE24A3C617E6CF2A3C916740198F3FEB1B70B5B403A537CA
Malicious:	false
Preview:	af.cbe.a`..`g

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\MemDefrag.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	67184
Entropy (8bit):	6.560571950422605
Encrypted:	false
SSDEEP:	768:mE8Ush0dMK0vVZdisbH8iBRq8aZ+LhN3r22t19zS4Kye8pOxbGew2MSPDGjENAMb:mE8tSiKlqcHFChNbj19znKy92bGjwx9
MD5:	D9E742CB7C33C378602A144904756845
SHA1:	6E9C521A8E657FC8B46312AD79C1C7CE08C10766
SHA-256:	29626F619DB47C528EB910C15CDF2D139B512024331DAC91E7C562DF4FF297D8
SHA-512:	4474909CEE6BEA404918A0D9650D72F766A0FB27A5BB7A0BAD04BBD6F6F05EBEC11BEAE9080B4BD9E7A55A8614517B7A7F1DCF49F68308E51AEDACB2FDAC164F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.x.)...)...)... ..%....K.+...{..."...{...-...{...1...{...-....[..(....[.."...)..................(.......(.......(...Rich)...........................PE..L....3.d...........!.........T......g{....................................................@.........................@...X...............................p2..........D...p...............................@............................................text............................... ..`.rdata...<.......>..................@..@.data...<...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.Bcl.AsyncInterfaces.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64960
Entropy (8bit):	6.573463392054397
Encrypted:	false
SSDEEP:	1536:mbT78So0kats7efpLfvQcl/h5GDwVwZtyA+7XXxDp:mT8Syaq7SBQ35+b/
MD5:	644F4DF789E7B1CC9DE8FCAE8A9B7035
SHA1:	DA389C035C18342DAC47D82333E6F6A9D54E067E
SHA-256:	D2A5F4C9A8DE1FFA1482277889D71738F220DDBD287A279FA11CF2EB4FC1F0E8
SHA-512:	5B49BC385D6460F60FE5D598FCA27E68378A2D7752FA0A9ED7956A1B16B1CCF22EF6300AA8A36AD284047B7D8C4A2654EFFECA845BEC24D21BC9E727A7F39349
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^.F8..(k..(k..(k..)j..(k...j..(k..)j..(k...k..(kH.)j..(k..)k..(kH.-j..(kH.,j..(kH.+j..(k.-j..(k.,j..(k.*j..(kRich..(k........................PE..L.....%e.....................N......@\|............@.................................H+....@.................................`...@........................)......P...d...T...............................@...............H............................text............................... ..`.rdata..@:.......<..................@..@.data...............................@....reloc..P...........................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.VC80.ATL.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	438
Entropy (8bit):	5.302102385514918
Encrypted:	false
SSDEEP:	12:TMHdt4IBeBFLOwHR5TNl+rmxgVKaGNLzIZ:2dtFEDCwHTTNl+rkgkJNLzc
MD5:	1CCB36CF4D7744F2A2449710032573F8
SHA1:	22C61BCDFB941EB6AA0829F8FECAA7B716895BF4
SHA-256:	8DC44CBA880E8E7A0776981FAC21094F905750C02890CBADC5059D1049D357EB
SHA-512:	53C6595A29C4636E4FDD800A48DEBF299DBFAC16396C217165BCB9D2E1B431982A1E3D5C8EA7850C178A6F6DA599DDF862DC7F64F29884EC0633A879B5B9C6B3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>. Copyright . 1981-2001 Microsoft Corporation -->.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable/>. <assemblyIdentity. .type="win32"..name="Microsoft.VC80.ATL"..version="8.0.50727.4053"..processorArchitecture="x86". />. <file name="ATL80.dll" hash="6d7ce37b5753aa3f8b6c2c8170011b000bbed2e9" hashalg="SHA1"/>.</assembly>.

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.VC80.CRT.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (504)
Category:	dropped
Size (bytes):	1829
Entropy (8bit):	5.362806750573066
Encrypted:	false
SSDEEP:	48:3rpK+higVB09kkK0hpzxU09kkKqYhzQC09kkK0FFz9:7pthNXkHndUXk8hNXkFjh
MD5:	12B6A5638A4D54F6E613CAFD04BC1C0D
SHA1:	0BD3E9F83883B00DEA8DC95112C8BBD74A14EDEF
SHA-256:	3B55C9DA463C5F6BBBD1E73398FABDC30998BC525F4FE6E586BE711E660BC800
SHA-512:	15272B53972D70C089C9EBF554DE7DD1BC4707EF2FA8D526E7022FC21C8A74AD039387FB4BB53835D0B4443227CB1AD1C1D2CFCB1D205C2729F13BD1FAF9B008
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable></noInheritable>. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86"></assemblyIdentity>. <file name="msvcr80.dll" hash="0a38b652c9d03caab803c6b2505fa301e345bab2" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>TM0VvywbHVQayIOw9CSX6M7WpaM=</dsig:DigestValue></asmv2:hash></file>. <file name="msvcp80.dll" hash="678bf3da5d1987bb88fd47c4801ecb41f51366ef" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xml

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1506), with CRLF line terminators
Category:	dropped
Size (bytes):	1860
Entropy (8bit):	5.392371898016726
Encrypted:	false
SSDEEP:	48:3SlK+vU6g49Pd09kkKKMzEAZ09kkKxrzVHNw09kkK3zY:Clt8CtdXks5ZXk8pNwXkK8
MD5:	53213FC8C2CB0D6F77CA6CBD40FFF22C
SHA1:	D8BA81ED6586825835B76E9D566077466EE41A85
SHA-256:	03D0776812368478CE60E8160EC3C6938782DB1832F5CB53B7842E5840F9DBC5
SHA-512:	E3CED32A2EABFD0028EC16E62687573D86C0112B2B1D965F1F9D0BB5557CEF5FDF5233E87FE73BE621A52AFFE4CE53BEDF958558AA899646FA390F4541CF11EB
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.30729.4148" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="msvcr90.dll" hashalg="SHA1" hash="98e8006e0a4542e69f1a3555b927758bd76ca07d"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>+CXED+6HzJlSphyMNOn27ujadC0=</dsig:DigestValue></asmv2:hash></file> <file name="msvcp90.dll" hashalg="SHA1" hash="3aec3be680024a46813dee891a753bd58b3f3b12"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:d

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.VC90.CRT\msvcp90.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570240
Entropy (8bit):	6.523986609941549
Encrypted:	false
SSDEEP:	12288:NZ/veMyZ137mSEWT0VkypLvgLehUgiW6QR7t5183Ooc8SHkC2eU8Z:NZSZ13iwJmgLq83Ooc8SHkC2eN
MD5:	232708A3FB0137133BA1787EF220C879
SHA1:	4F725F93081FE15C6AF99E32F3E97CCB22E15BFE
SHA-256:	64236B28CB287D9C912D1DB753B21BEB95009340B7ABB2717E40CE8D91946C89
SHA-512:	90DAEFA1F3D3608700074F349D0CD5E5D2EAE090ECAD07352E553F08087A2EDDEB457F235CDC7E4869C4CF24E895C05C11AF968E68CFD0B6AA8092C98DC7E4FC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#%..Mv..Mv..Mv.66v..Mv...v..Mv..Lv:.Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..MvRich..Mv........................PE..L...~LYJ...........!.....4...p..............P....Hx......................................@..........................P..,....E..<...............................43...................................%..@............................................text....2.......4.................. ..`.data...t'...P.......8..............@....rsrc................R..............@..@.reloc..HC.......D...V..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.VC90.CRT\msvcr90.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	653696
Entropy (8bit):	6.885617848989009
Encrypted:	false
SSDEEP:	12288:Bhr4UC+UumMaIYE8EoPP1cI9xPP2OKDL9QXyG2pUmRyyva:VU9FNPPbxPP2OeL9Q2pUmRyyva
MD5:	4B9B0107D35859FA67FB6536E04B54A7
SHA1:	60F5D36F475FEA96F06AC384230B891689393486
SHA-256:	EA59B23FC4799B10B07CC1E4F81BBCB7FAC712D93E2BA48DE50046E5B4C140DB
SHA-512:	324EDB6D0C618C20260417B86189C27D6E1EB00944C7F5A6C59679365E618D262C71433749DDFEF253B723F1D1B3167982B4742164A167B3CFC85C651300382B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................6.........!.R...7.....&.....0.....6.....3...Rich..........PE..L...yLYJ...........!.....\..........@-.......p....Rx.........................0............@..............................\|..P...(................................3......................................@............................................text...t[.......\.................. ..`.data....g...p...D...`..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.VC90.MFC\Microsoft.VC90.MFC.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2003), with CRLF line terminators
Category:	dropped
Size (bytes):	2357
Entropy (8bit):	5.378158011805663
Encrypted:	false
SSDEEP:	48:3SlK++U6g4A09kkKNzx09kkKJpzSgd909kkKzZuzl09kkKTzY:CltFCAXkgNXkKGgd9XkxZXke8
MD5:	0323AF0C3E694D85650AE55AA27EEFB3
SHA1:	672079C9564B4EC16EFB24DC80DE3EBEAF2A9F27
SHA-256:	1FED2074AB9F90D9FCCC5A49B6AA42C917674C2B5C7B1BB93FB67B0E0C944818
SHA-512:	5DF2D8B07B3ED0CAE3536C09AECA714B56EB75BC76668447C45917E890F5D22EF14B6059BD5782FD06D075A8497BC39A89F809E413C637405AE9BE4193C66FE1
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC90.MFC" version="9.0.30729.4148" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="mfc90.dll" hashalg="SHA1" hash="ec50bf1691888076202d5831599ac75ba0d35977"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>WuUqeI7Lf0+bhIfTm0T6Pv1L13g=</dsig:DigestValue></asmv2:hash></file> <file name="mfc90u.dll" hashalg="SHA1" hash="c752d2a42c0b82d2145cebcda60c7e5a43245cf4"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft.VC90.MFC\mfc90.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3765632
Entropy (8bit):	7.006945366952565
Encrypted:	false
SSDEEP:	98304:dOPkcHVGUQywT84a5IY9IViQ0zMzlp7toNTbPXQlk3glLsFLOAkGkzdnEVEFoKGA:WkcHVMTlBp0TrwlLsFLOyEFoKGD8
MD5:	225F7A12F61B3276D12310F457822D7A
SHA1:	F05B2DFE12D946606DDF0CD7E8A15027D75718AF
SHA-256:	3CED269344FD6AC7A3872D3DA39364397193C650A497702A0849C9543601A42E
SHA-512:	EF09DBC3FF0C6F1B229B4FCFD371A05E5570FDEB296D0F051F1AFD7C2F2567CEF86E47A3DA1B6D3B4AF116D9AC9F7508C36BAC065120F4519BC960AB0475349F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y...y...y.......y.!.Z...y.......y.....y.....y.....y.......y.......y.......y...x.c.y....0.y.....y.....y.....y.Rich..y.................PE..L...ImYJ...........!......%..(........!.......%...^x..........................9.......9...@...........................$.....,.$......`&..l...........\9.......6.\.... ..................................@....................q$......................text.....%.......%................. ..`.data.........%.......%.............@....rsrc....l...`&..n....&.............@..@.reloc..F.....6......r6.............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Microsoft_VC90_CRT_manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	2.9968027726780173
Encrypted:	false
SSDEEP:	3:HSu+QvdSG/cn:+SQqc
MD5:	6E17DDA977CBC993A9308145693BFE90
SHA1:	D964351BEE8764DE9CBCA186B7D1F526EB6361DB
SHA-256:	615707952EB080E6824699C73F1D914C2278E103CEA452CF4111063DD274458C
SHA-512:	3A1A40DBE7FF5911B3D42DF7C8A74470869CE3F75612A19A73256C799F2A1DD472607F3C89DAD5060AEC1FA953BDFED90A481A4413D2999D122B7AB1D8F7DA77
Malicious:	false
Preview:	577F7F777C753E756875FCD3D7619

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\N0vaDesktop.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5972392
Entropy (8bit):	6.868183225292118
Encrypted:	false
SSDEEP:	98304:ygUifEmDR4lEtsaowOSiL5f5aLbunw8Y6+15cmCSrw0sn/DVpFLOAkGkzdnEVom5:gifXD+Ktu75fu11CSrw0c7nFLOyomFHj
MD5:	06808B78BCC668E76A1F3B9589B985F2
SHA1:	07349BD4A98F70C0870802FCE91CE4F15DCB48AD
SHA-256:	4E560A33A3585F5F6DDD4674E8D8098B977BA3AE320ACDC4ABAC33B89CE17C97
SHA-512:	CED48BD909ACC1B4012A8FC56C8EE76CB0716611B9448465E8DE1670444C04E3B602D7F5A3AF66527EDF760DD10EAA12C68511CF1154B9B8A349D8D443B99EE7
Malicious:	false
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........B.{G#.(G#.(G#.("E.)o#.(..(F#.(.}.)D#.("E.)F#.(.z.)D#.("E.)C#.(\|}.)Y#.(\|}.)`#.(\|}.).".("E.)v#.("E.).#.("E.){#.(.}.)B#.(G#.(. .(.}.)M#.(.}.).#.(.}%(F#.(G#M(F#.(.}.)F#.(RichG#.(........PE..L......g.................Z1...).......'......p1...@...........................[.......[...@.................................@.<.X.....?..y............Z..U...0X.@y...a7.T...................tb7......b7.@............p1.\|............................text....X1......Z1................. ..`.rdata..2....p1......^1.............@..@.data...X[...`<......N<.............@....gfids........=.......=.............@..@.giats........?.......>.............@..@.tls..........?.......>.............@..._RDATA..0.....?.......>.............@..@.rsrc....y....?..z....>.............@..@.reloc..@y...0X..z...RW.............@..B................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\NULL.bin

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	125376
Entropy (8bit):	7.998479503470445
Encrypted:	true
SSDEEP:	3072:FI6dBzpxvuZ9UIQrNJ6DKxOssBCI4sB74xoGhFo4Z1J21:m6zzYsBMcsBCpO6Py
MD5:	0C21E337569640A73AF44474F44CB9F7
SHA1:	82C3C1C2602250441C1B18200F7FBDC2B6443352
SHA-256:	BC58641B4F43BE40016044046321F77DD153F0BFCE6E4E9D765711838DB13ECA
SHA-512:	7D19FBF9E907E468C34813B0E1E4F2880762573C9EFE678C36C5CA254890A4B0A008DE72E824345C3FBB838C7BAE3E3D991D46CFAF0FAA73BE89EA88DB2E3C76
Malicious:	false
Preview:	...:w.C...k....r....F...g{>..K....3==...6C..l.../.H..L.\|,..#.c....../I.....>........2.....(SH..Z..uJ...t..#Ov..p...XJ..E..8.t.....0d.Ew.DR...lZF..i0..v5.....y/......g...Z=.Z\|.)4.o.n.....i.g0..T.Z.......i...-.F&....{.'..E....G./....M....L....U..?....Ei'..\|.)..J,XnL...<..A......1..D.%I.CA.....#.-;z...g....U$.{.t.$\...$.+./...\|.@.5.0d.H..D.Ga..Tod....\{...Mj.\.....}..:.............StlE=.....~..3......;....I.@I.<...<..;....Y...u...P.....F.1p.^.y...f....P././}.....P.b/.J....?n.^"....S.1.}.JT...rS^t..5..X..["rL.<....$..K]`-)aq. ..1$.X..]... .9....k......v.../!....Vu.m.W.9G...us,3.....i.}..2.O8.t....j..mi..~..~'H&.....)......f..%...h.....i.f..0+.8.;....r&Y\..TO.E...!..n...t.h...KZ..K.L.i.h.,.;bm...`sS.~..\O.i.v!o.,..G.'...:=.Fn.x.b.E^r...j}.<.b.}....V..`M.Y\|;j,=....g.*..g....).Cw.eC.K...C...8nMc....P..[PP..Ghq..n.#..6j;.V..z..L.}..^.k.A......R....M.=}.bN\ty.3..c\|z.\./-E..^.P6..`9.8&xH.y..&...$.6...t........V..EZ.Cf...x...1oH>Y.....+..

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\NVIDIA_GeForce_Experience_json

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.0657682899193968
Encrypted:	false
SSDEEP:	3:4j46giWEcn:046BWEc
MD5:	23A56B3DBA64589852CD17E11CA111EF
SHA1:	FD6568661FC88695B76489727FB59734B2152427
SHA-256:	0415B8232791D3345042C516C9AF6F4FCACCFAD5D794FDAF1A15F0B34C77C3D1
SHA-512:	29837A72F9C7858C2DA38C2D69C64E98A531CDBF46D8EC7E92F608F917D93619AAC6B38DDD792FCDD8F654B51C7F6D6518F3CA120E7502AE8AFB979FEA015C59
Malicious:	false
Preview:	7C79727375763E747C7CFCD3D7619

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\NetDevenvSpeed.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	667648
Entropy (8bit):	6.655676024268379
Encrypted:	false
SSDEEP:	12288:G36HjCm6ltuRXQ/g+hVfW2LDzeLA5rJWutAWQSHOALXB:VCm6ltuRXKg+hVfWkDEA5tDuyX
MD5:	BA4ED2E6B25A8C9EDA3DA4CE85A5054D
SHA1:	C3B2EF12347E0C5206B4C3959FA96CD7F064F10C
SHA-256:	31370AB9ECAFEA8528D0C844C34B7721042C93A8E45278C4452B62ABAADE9182
SHA-512:	87C10EA2B82D79BD96CA453D808D937841A45CEE331E5914E5B9A7D6665BB41864D90E08E47F4000C1EEBC64F1E4035B010F545B2068B3604A7B8C87F1D30DBB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........xt..............a.......a..W....a.......l.......l.......l.......a..............l......l......l......l......Rich............PE..L....+.f...........!.....f................................................................@.....................................(.... .......................0...K...[..............................8[..@............................................text...cd.......f.................. ..`.rdata...Z.......\...j..............@..@.data....2..........................@....rsrc........ ......................@..@.reloc...K...0...L..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\NetSpeedLog

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	330752
Entropy (8bit):	6.2804656669920975
Encrypted:	false
SSDEEP:	3072:x9LbnjzIPOmRM0KQfU9JwjvD2xCovPVZHuEi+e15HiEGPGqQiblLYEaZ4OYlYXoK:b928/BvNZ8NHd7ibGYuG9/31P+HvujI
MD5:	CAD63BBE69DF55CFD51AFA2F5D657FEF
SHA1:	1DB6EE562FAB40318A827E6986FD609E67A91ADD
SHA-256:	CBD94FE47BE31249C84A8874E901C2389C2E5111F53541099C0B5948DD499731
SHA-512:	C75B6B314743929528D699888A5066DED1CDE8C1EA0262CF92D6411FDA52AB2E7F932F0DE0E663B268746EE40876FB7ECE289B9DC41C020C868064C7FDEBE0FD
Malicious:	false
Preview:	..D.................................................................`..........................................................#...@...@...@.......@..$(...@..>...@..B6..3@..B6..@..B6...@..$(...@..$(..<@...@...C..B6...@..B6...@..B6...@.....@................................Lj.........4........@.........T........d.....................................................................$......P.........`....................T.....................................................d..(............................\....SF.......@...........................n...d...h...\|..............................Z..........................`.......................................T...............................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Ntvbld64.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	MS-DOS executable PE32+ executable (DLL) (native) x86-64, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	42976
Entropy (8bit):	6.2171815555231875
Encrypted:	false
SSDEEP:	768:iHfqCaczo/ZinYCOd9L9KyhaM7JubDGpZRKjKj9MPgkU7:8fqT/ZWY/L9l7JheMJ
MD5:	671F95CAB2B5CF121125413F250F5275
SHA1:	73D99D09A3D8978A5C6DB43CEC85FB43B03B7A26
SHA-256:	728A1FCDEDCA6DBD8FDDDE3F33CD64DD99853C26EF5B10D3FEF0D76D0480964B
SHA-512:	4AF690AF838CEB026636931AEDE3852EAE6D83881149EF4C28CC1DD032C3F7F6A64B30171C2524512FACD40496DAB305523D20637B44EFBF0D5805D0FAD1FFCB
Malicious:	false
Preview:	MZ!..... ..........e..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ntvbldDXML..$............!.L.!.........`......................................................................Rich....................PE..d.....a.........." .....H...".................p..........................................@.........................................pV.......S..(.......h....p.......h..H?...........................................................................................text....F.......H.................. ..`.data........`.......N..............@...

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\OTGContainer.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5972392
Entropy (8bit):	6.868183225292118
Encrypted:	false
SSDEEP:	98304:ygUifEmDR4lEtsaowOSiL5f5aLbunw8Y6+15cmCSrw0sn/DVpFLOAkGkzdnEVom5:gifXD+Ktu75fu11CSrw0c7nFLOyomFHj
MD5:	06808B78BCC668E76A1F3B9589B985F2
SHA1:	07349BD4A98F70C0870802FCE91CE4F15DCB48AD
SHA-256:	4E560A33A3585F5F6DDD4674E8D8098B977BA3AE320ACDC4ABAC33B89CE17C97
SHA-512:	CED48BD909ACC1B4012A8FC56C8EE76CB0716611B9448465E8DE1670444C04E3B602D7F5A3AF66527EDF760DD10EAA12C68511CF1154B9B8A349D8D443B99EE7
Malicious:	false
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........B.{G#.(G#.(G#.("E.)o#.(..(F#.(.}.)D#.("E.)F#.(.z.)D#.("E.)C#.(\|}.)Y#.(\|}.)`#.(\|}.).".("E.)v#.("E.).#.("E.){#.(.}.)B#.(G#.(. .(.}.)M#.(.}.).#.(.}%(F#.(G#M(F#.(.}.)F#.(RichG#.(........PE..L......g.................Z1...).......'......p1...@...........................[.......[...@.................................@.<.X.....?..y............Z..U...0X.@y...a7.T...................tb7......b7.@............p1.\|............................text....X1......Z1................. ..`.rdata..2....p1......^1.............@..@.data...X[...`<......N<.............@....gfids........=.......=.............@..@.giats........?.......>.............@..@.tls..........?.......>.............@..._RDATA..0.....?.......>.............@..@.rsrc....y....?..z....>.............@..@.reloc..@y...0X..z...RW.............@..B................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\plugins\Microsoft.VC80.ATL.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	376
Entropy (8bit):	5.187860451409661
Encrypted:	false
SSDEEP:	6:TMVBd6OjzIIBeBXVL9obRu9Td8gH9aO/5TMiX1+jSQdS1vwIgVf+ZaYf7:TMHdt4IBeBFLOwHR5TNl+rmxgVKaq7
MD5:	0BC6649277383985213AE31DBF1F031C
SHA1:	7095F33DD568291D75284F1F8E48C45C14974588
SHA-256:	C06FA0F404DF8B4BB365D864E613A151D0F86DEEF03E86019A068ED89FD05158
SHA-512:	6CB2008B46EFEF5AF8DD2B2EFCF203917A6738354A9A925B9593406192E635C84C6D0BEA5D68BDE324C421D2EBA79B891538F6F2F2514846B9DB70C312421D06
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>. Copyright . 1981-2001 Microsoft Corporation -->.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable/>. <assemblyIdentity. .type="win32"..name="Microsoft.VC80.ATL"..version="8.0.50727.4053"..processorArchitecture="x86". />. <file name="ipaip1.exe"/>.</assembly>.

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\plugins\Microsoft.VC80.CRT.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	314
Entropy (8bit):	5.140999301390513
Encrypted:	false
SSDEEP:	6:JiMVBd6OjzPbRu9Td8gH9bZELrbvm/53SMiX6+hPABdS1FggVfgk5Z:MMHdtlwHHJ53SNK+hPIRgVR5Z
MD5:	710C54C37D7EC902A5D3CDD5A4CF6AB5
SHA1:	9E291D80A8707C81E644354A1E378AECA295D4C7
SHA-256:	EF893CB48C0EBE25465FBC05C055A42554452139B4EC78E25EC43237D0B53F80
SHA-512:	4D2EC03FF54A3BF129FB762FC64A910D0E104CD826ACD4AB84ED191E6CC6A0FEC3627E494C44D91B09FEBA5539AD7725F18158755D6B0016A50DE9D29891C7E5
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable></noInheritable>. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86"></assemblyIdentity>.</assembly>

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\plugins\am.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	6669
Entropy (8bit):	4.733830185137714
Encrypted:	false
SSDEEP:	192:4c2LQ563O84ggqSdqfD6JngOvFfkxFfdpj8IY8YS3dRp79S7EO:pIEiKT5hTvWx11Y8YShhS7EO
MD5:	748E5EA71A607EA89B219AFC97052259
SHA1:	8677307E553474320A2616EABBC5534F42D100BC
SHA-256:	E481BA3734925C59839FDB29E5FB171F0DF0640A48D4C61C9CAA9F475D2ADE89
SHA-512:	49F78793C75A70502E43A138F762940149F536BB494473B1672A1E0E0C7BE2AA72337B3524EB0E4D5F0B60203711D87958FAB88F1404476BF779967350B00364
Malicious:	false
Preview:	..........N.....N.....N.....N9....NB....NH....NN....NT....N]....Ni....Nu....N.....N.....N.....N.....N.....N.....N.....N.....N.....N"....N(....N.....N:....NO....N_....Nu....N.....N.....N.....N.....N.....NK....Nk....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....N,....N9....N[....Nd....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....ND....NJ....NV....N\|....N.....N.....N.....N.....O.....O.....O.....O1....OD....OQ....OZ....O.....O.....O.....O.....O?....Ou....O.....O.....O.....O.....O+....O\....O.....O.....O.....O.....O2....OX....O.....O.....O.....O.....OG....O.....O.... O....!O...."O!...#O0...$O6...%OE...&OQ...'OZ...(Oo...)O....O....+O)...,O....-O.....OZ.../O....0O....1O....2O....3O6...4Ow...5O....6O....7O....8O....9O....:OI...;Oo...<O....=O....>OE...?O{...@O....AO+...BO....CO3...DO....EO....FO....GO....HO....IO....JO....KO....LO....MO...NO@...OOL...PO....QO....RO....SO...................... .... ....

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\plugins\ar.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	6252
Entropy (8bit):	4.765802565676888
Encrypted:	false
SSDEEP:	192:8q+c4RnQTyZHZo/zjH26bojOpyuT/j8I8hi8v8hqCPC5/P5zn:8jYo5oLjH26EjOp/Mn
MD5:	1F9D7E57FE35D3A35FE49E6E2BAC8707
SHA1:	E6C4BCC56AE5742E7B825F489BF33B491970ABE6
SHA-256:	7522EF5C3E10BF279E777054D858955F1B9F63A39CCB408364C413E6E3D49A04
SHA-512:	489C79155C5E84702B58072E8A44C123D8F0C3F226A5073EAE343506A76D0E378418557DD29CEF8283425A46A248132CCB1F78E13C867829E399CB6EF17769F2
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N&....N,....N2....N8....NB....NL....NV....Nk....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N)....N:....NO....N]....N.....N.....N.....N.....N.....N$....N=....ND....NW....Nc....Nx....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N$....N7....N?....NX....N\....Nw....N{....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N&....N0....NA....NV....O`....Os....O.....O.....O.....O.....O.....O)....ON....O.....O.....O.....O.....O(....Ol....Ov....O.....O.....O.....O.....O.....O2....OY....O.....O.....O.....O.....OS....Ox....O.....O.....O.... OK...!Od..."Ow...#O....$O....%O....&O....'O....(O....)O....*O....+Oz...,O....-OC....O..../O....0O<...1O....2O:...3O}...4O....5O....6O....7O....8O....9O....:O/...;ON...<O....=O....>O....?O+...@Oc...AO....BO8...CO....DOS...EO....FO....GO....HO....IOC...JO\...KOm...LO....MO....NO....OO....PO....QO....RO0...SO:.....l.................. ..... .. ... ....

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\plugins\bg.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	7220
Entropy (8bit):	4.592203217648416
Encrypted:	false
SSDEEP:	96:eOu4nxWcR1emdX4DRkw0UzNAHSZwIQshZrlLBXWeOwg6lz737RC:HScRkB6WmSZRhZiePlzz70
MD5:	6E09177086163D64ED7AB890D70CFDF3
SHA1:	87B7FCA47DA5BAE28C7182A221E923588EBEADF8
SHA-256:	B0E8F4379AA7B1CF11C196354C6C0212558B1E5BA20332A34F30B5263D4B1EA9
SHA-512:	48191FBA9308E58CE482193CAB4DEA032A37136D6F1D1132B45D0894B18EA3B5BE330BBF9FA61CF2C5BC711B371D53430554BAF103CEC027E6026E5F27A292C5
Malicious:	false
Preview:	..........N.....N.....N.....NI....N]....Ne....Nk....Nu....N.....N.....N.....N.....N.....N.....N.....N.....N!....N.....N;....NH....NU....NY....N]....Ne....Nw....N.....N.....N.....N.....N.....N9....N.....N.....N.....N.....N.....N ....N4....NZ....N.....N.....N.....N.....N.....N.....N.....N.....N<....Nd....Nt....N.....N.....N.....N.....N.....N.....N@....NL....Ny....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N:....OH....Oj....O.....O.....O.....O.....O#....OB....Oc....O.....O.....O.....OS....O.....O.....O.....O.....O.....O:....On....O.....O.....O.....Oq....O.....O.....O.....OD....Oe....O.....O.....O:... O....!O...."O....#O....$O....%O....&O....'O....(O....)OP...*Ot...+O....,O....-OO....O..../O....0O`...1O....2O4...3O....4O....5O"...6Od...7O....8O#...9OR...:O....;O....<O-...=Oi...>O....?O....@O....AOy...BO....COw...DO....EOw...FO....GO....HO....IO....JO....KO....LO+...MO9...NOC...OOU...PO....QO....RO....SO......4........................ .... .....

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\plugins\vd.ico

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	MS Windows icon resource - 9 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	25214
Entropy (8bit):	4.526069485099958
Encrypted:	false
SSDEEP:	384:eLpEC0qWDnDjVSV/+/CB1+n2GHOMmM5H6:1C+Sp1QdHOc5H6
MD5:	9946B791C261BA0A4CCF6E46F7B54546
SHA1:	3082E44F89AB9CD5ED1705F0470A33D1279D2A67
SHA-256:	62729E6D23D8DD347ECCB5B9D292A089ECA582694082EB8F1DDF55E9AE18B0C0
SHA-512:	A2C11556486E5F1B417F61ABCDA1BB3B064CD29515DDD0CF94985E24043D2F1483E74938711290A3FD681157F2559ED719B30B367481D81B41E01676E84DC03C
Malicious:	false
Preview:	......00......h....... ......................(.......00.............. ......................h...^"..00.... ..%...'.. .... .....nM........ .h....^..(...0...`.........................................................................................................................................................................................................................................................................wwwwwwwwwwwwwwwwwwww....................................................wwwwwwwwwwwwwwwwwwwwx...................................................wwwwwwwwwwwwwwwwwwwwx...wwwwwwwwwwwwwwwwwwwwx...ppppppppppppppppppppx...........................................w.w.....................ww.p....................ww.p....................w.w.........DDDDDDD@...............tDDDDDDDG................GwwwwwtO................GwwwwwtO................G....wtDDDDDO...........`....wtdDDDDO...........@....p.GwwwtO...........`....p.gwwwtO...........@....p.G....O...........`....p.`....o.......

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\plugins\version

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	F1D3FF8443297732862DF21DC4E57262
SHA1:	9069CA78E7450A285173431B3E52C5C25299E473
SHA-256:	DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119
SHA-512:	EC2D57691D9B2D40182AC565032054B7D784BA96B18BCB5BE0BB4E70E3FB041EFF582C8AF66EE50256539F2181D7F9E53627C0189DA7E75A4D5EF10EA93B20B3
Malicious:	false
Preview:	....

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\themes\ca.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4447
Entropy (8bit):	5.418213783438325
Encrypted:	false
SSDEEP:	96:cqGYHvAfKA/nFGBlyL5tTIYOBcZbISSZrJz94IvXqUQEQ6TH3Hzniv7:cQgrnwPyVCYOCZ8BZrJz94IvXqUQEQ4I
MD5:	DA44E0F806463B7F0D3FA8C93A4E50DE
SHA1:	DAE138775B448187C099EB4C6EEE463E4CD47E84
SHA-256:	FF4CBCFEBE833E21C37A02C04257FDB2369E42E3BE18DCF75335333A06EA789B
SHA-512:	9E8BD23F668BF312817592445C9E2BFC2CFDCC2BEF47DDFE711C750409CEE5855F2E9AFD96DA4F3F4B5E7C92A8C4C675AF45389A40C3033F73453971BD358C3D
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N!....N+....N9....NJ....Nb....Nl....Nu....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....NC....NY....No....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N'....N;....NI....NW....N^....Nq....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....O-....O2....OK....Or....O.....O.....O.....O.....O.....O.....O.....O'....OC....O`....O.....O.....O.....O.....O.....O.....O.....O.....O/....Oa....Ow....O.....O.....O.....O.....O9....O[....Oy... O....!O...."O....#O....$O....%O....&O....'O....(O....)O....*O....+O+...,O....-O.....O..../O?...0O~...1O....2O....3OB...4Od...5O....6O....7O....8O....9O....:OY...;Oo...<O....=O....>O....?O....@O....AOW...BO....CO....DO(...EOu...FO....GO....HO....IO....JO....KO....LO....MO....NO....OO....PO....QO)...RO1...SO;....._...DetallsDesa.s un .ndex on es poden realitzar cerques. Intro

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\themes\cs.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4278
Entropy (8bit):	5.761351246793285
Encrypted:	false
SSDEEP:	96:0CLGsy4GgACuoiU4CJeDof8QQgWu6/K3eVeRl2c0cLeI:lLTy42oiJQwof8Qcu6y3WWr
MD5:	E160C8912A6E73BD4CD2544A9F3C3974
SHA1:	E46EF68F3113BD36D40635C76452445F7D359F39
SHA-256:	C01E38999FE2C1F98B5429BD550AE8A9F15F10D09D41EFFF8F3C7F4F1F66209C
SHA-512:	7CB2E47F945705DFD0030B28BD62709361DFD17AA925C68A85B34DDEE0584307C2FA918EC4B1443C2181578AFC6CD64878AADE25A469CDB2F0C45237682F35A0
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N'....N0....N=....NK....N[....Nn....Nx....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....NG....N_....N{....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N7....N@....NP....NU....Nd....Nk....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....O.....O%....O/....OL....O[....Ol....Op....O.....O.....O.....O.....O.....O.....O+....OU....OY....O^....Ot....O.....O.....O.....O.....O.....O.....O.....O:....OO....Ow....O.....O.....O.....O.... O....!O0..."O;...#OA...$OH...%OO...&OU...'OX...(Of...)O....O....+O....,O....-O....OW.../O....0O....1O....2O2...3O\...4O~...5O....6O....7O....8O6...9OQ...:O....;O....<O....=O....>O....?O(...@Oc...AO....BO....CO0...DO~...EO....FO....GO....HO....IO....JO#...KO*...LO6...MO?...NOI...OOR...POp...QO....RO....SO..........PodrobnostiUlo.itToto je prohled.vateln. index. Zadejte hl

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\themes\da.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	3875
Entropy (8bit):	5.465278759668329
Encrypted:	false
SSDEEP:	96:znbLo2urHRFWbiEP15P4q7GL8cyScTs3DhDU/EZ87s:3/udeiy5P4q7i8cySes3tw/Ed
MD5:	25A5E506C8A0C64D9B9E08AAAC9626E6
SHA1:	82F8D1E8CE364694F03C5133604F72C2608B8924
SHA-256:	229DA0D16A7FA0BFFD67B78F2F76734C7EA2129A15CE95DA9422775B4E9835CE
SHA-512:	33F86B51BE09DCFEC6B9064E5906EC782C5AF9DFCC727A2A7E4BFE5FF6908AF115E5937EC7CF2BEDF103FFA1A941D340D2C0F2E13F8447FCDE1CD649E9A936BA
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N+....NF....NN....NV....N^....Nf....Nn....Nv....Nx....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N....N:....NA....NG....NR....Nb....Nu....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N1....N7....N>....NJ....NS....NV....N[....Ng....Nj....No....N}....N.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O:....O`....Oo....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O$....OD....OU....On....O.....O.....O.....O.... O....!O...."O#...#O+...$O1...%O9...&O<...'O?...(OI...)Od...Os...+O....,O....-O.....OQ.../Oq...0O....1O....2O....3OC...4Ol...5O....6O....7O....8O....9O/...:OZ...;Og...<O....=O....>O....?O....@O....AO2...BOm...CO....DO....EO[...FOg...GOk...HOv...IO....JO....KO....LO....MO....NO....OO....PO....QO....RO....SO......#...DetaljerGemDer kan s.ges i dette indeks. Indtast s.ge-n.gl

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\themes\isolinux.bin

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	isolinux Loader (version 3.82)
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	7.08359030184487
Encrypted:	false
SSDEEP:	384:Gh5TvIzjLaWhV12sPtZK7zVi8vnKnjPlVzjzmtInQt//:Gh5DI/LfnC7zQ8z02//
MD5:	7EC434DAFE56FBFBBD9F609A8E51ADF1
SHA1:	31EB96F0B7EEB6D3972D735F20C18A4DEB425942
SHA-256:	E9A4817AB449A50364B0DD33425BDC596D222C1792A460831F87487439385E32
SHA-512:	454920BCCD663FA585E1954A320616BAD5061EB03886E284284796F9D3A2079D3ED019AD9AF6E381CF647CF27ED0EA8C098C6399479B2091BD49B472728C13F6
Malicious:	false
Preview:	..w\|.............8...Wa......................xpY....)....)Z_.f1.f1...\|s.fXf[.f..).f...).@....D....<...&.)....)1....{.W..........6.)f..f..)......6.)...f1..@\|...f.f....f.>.)...)..).!.f1..f....)....)...(...8...F.>.)<.u...K...)..).........)8..)....f.>.\|.u'f..)f!.t.f..........f.G......f.(.f..\|f..\|f-....f...f..)f.....f.....)f..\|f@.@...1...).Q........f...)f.>.)&f.f..fIt.!.u..........f9>.\|t.........O..........\|.............f.L.f..}.......1.W..}...._..Gq..f..}f..t(f.L.."&f.E..f;..}t.f.L...K...)..)..r......`..K..)....~.ar....U....p..M.8..)u.....A....).....)8.t...8.t.J...s....)...r..!.......3............\......PV.3....^...X....f.f`..1...faf..U............F.......]......&.)f1.f....f...f...)f...)...U...f......fRfP.SWj...f`...)....B...fa.d.r.]f..f...)......!.u..f`1....).{.fa....):.]..f1.f...f...)...fRfPUSf..6.)f..>.)f..1..f...I.).9.v......A......)......f`...far.f......[..]fXfZf..).u..Mu...H.u...;.H.v...H..(.\..D.f.D.U;.J.v...J..l.V...).B...^]f..D.

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\themes\ovf-vmware.xsd

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4056
Entropy (8bit):	4.424470799098464
Encrypted:	false
SSDEEP:	24:2dd8puSF899zzcmOlkkXsxPxPxSlptWeWOy/EpgbJMxPxSa7cRtaDeH0iBD88Epc:cd2VF+kXsolPWeWONgPRRtWeHGsUgcBg
MD5:	9392A998B91E7C12F20FE8ED0D7C7610
SHA1:	19C90803DB690AF45D7E6F8F8B1C7BD41F71A2CA
SHA-256:	662B3AB8423F4E5B05061B88CCA8A134A50799D6DE0CEC8977F46749A89E0FBE
SHA-512:	EA15C2FCAB591A384265EE726925CE3D07BB2E8DE79BDA7A6F203A54FBA2441FAABA4EA6925242B2D84DE76299CB99B2DB8B62149F405F86BD2C58609BE605A1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.. .. Copyright 2008 VMware, Inc. All rights reserved..... Remark: The OVF Specification 1.0 Annex D defines a set of relaxations on how .. this XML Schema 1.0 definition is to be interpreted...-->..<xs:schema targetNamespace="http://www.vmware.com/schema/ovf".. xmlns:vmw="http://www.vmware.com/schema/ovf".. xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1".. xmlns:xs="http://www.w3.org/2001/XMLSchema" .. attributeFormDefault="qualified".. elementFormDefault="qualified">.... Include and import sections -->.. <xs:import namespace="http://schemas.dmtf.org/ovf/envelope/1".. schemaLocation="../DMTF/dsp8027.xsd"/>.... <xs:element name="IpAssignmentSection" type="vmw:IpAssignmentSection_Type".. substitutionGroup="ovf:Section">.. <xs:annotation>.. <xs:documentation>Element substitutable for Section since.. IpAssignmentSection_Type is a derivation of Section_Type..

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\themes\ovfenv-vmware.xsd

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2951
Entropy (8bit):	4.309681188440056
Encrypted:	false
SSDEEP:	24:2dX8QSF899Szc42+lkkXsxWCGRPxSHnSEIHkyspXuKEpsZEpgcBg:cXEFckXsQeHnSEIHkysNEsUgcBg
MD5:	FB0DFD7CE4E12DBC2CEDD5CEA0FAE216
SHA1:	FA8FCB791F89F0CF170C58AF74626BCE6F9DAC9B
SHA-256:	7AB54BD0D58AE49A735FF551E260DCDE51CE28CF591580BCC150C4F15641C39E
SHA-512:	250B1290349D8D10A609E027DD3EA3CDF21BB40A7457FCE94294327DD92EFC957628AE735D44498328489A741209C09C7B0C7CA8822251B2D30A17121A74A549
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.. .. Copyright 2008 VMware, Inc. All rights reserved..... Remark: The OVF Specification 1.0 Annex D defines a set of relaxations on how .. the this XML Schema 1.0 definition is to be interpreted...-->..<xs:schema targetNamespace="http://www.vmware.com/schema/ovfenv".. xmlns:vmwenv="http://www.vmware.com/schema/ovfenv".. xmlns:ovfenv="http://schemas.dmtf.org/ovf/environment/1".. xmlns:xs="http://www.w3.org/2001/XMLSchema" .. attributeFormDefault="qualified".. elementFormDefault="qualified">.... Include and import sections -->.. <xs:import namespace="http://schemas.dmtf.org/ovf/environment/1".. schemaLocation="../DMTF/dsp8027.xsd"/>.... <xs:element name="EthernetAdapterSection" type="vmwenv:EthernetAdapterSection_Type".. substitutionGroup="ovfenv:Section">.. <xs:annotation>.. <xs:documentation>Element substitutable for Section since.. EthernetAdapter_Type is a de

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\themes\sample.flp

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	DOS/MBR boot sector; partition 1 : ID=0xda, active, start-CHS (0x0,0,1), end-CHS (0x0,1,18), startsector 0, 36 sectors
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	6.703256936166348
Encrypted:	false
SSDEEP:	192:YaPUesFIxeyrsMBe1MlsBc0GLGEiyXYmWhFdrNkv:baIFrXaMlsBmLG/mcdJkv
MD5:	1F4E9B9C3E5AF1359BC440FA99573F8B
SHA1:	0A710D1776F0687170B7D547C1D70354D6BBA548
SHA-256:	9FA0E91FF06B33614AEE00BBBBE5D4104D153B8933650D44F9A2B9D07B60E9B6
SHA-512:	38B9E7FD9C7EDC8EC89E3811C5E8D09A22E42CB9C734FE0C4AE7A4E8E60C063AE965BC6FF61AC398D5B8D8D9EAB0D6E40EDF82BC953F82542DC2890E06BBAADB
Malicious:	false
Preview:	.:\|..............OQ..............T .......METALKIT . err!..1....... ...}..$..r%.(\|...B...}..}..s.......}...}..(..s..4\|............h}. .f...."..\|..f........(...=.}..........}...$.....}....5.}...u....}...=.}......\|........f. ......\|..... .f....".1.....W\|............t............... ....."..3.....f...............1...:........f.(................./.h}..........................................@./.h........(......................................$...................................................U.U..V.....S.......@..A...Q...........Q...............f.Q.f.Q..Q..Q.B....Q.u$.Q..A..B.. .Q.u..Q..A..B.. .Q.u.1......t..E.f..f.E.f.A.....@[^].U1...WVS.........f.U.U.....$f9].u.f.E.f9E.u.f.E.U.f...E.B........'.....u...[^_]...U..S.....Y..........I..........................................A...!.[].U..V..S..........A...........A...............f................D......f.[^].U..].U...1.t0.............. ....f1...... ...P.Bf..`h.@...@...X..@.\|$...@.t$(..@......@...a..@.

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Optimizat\vmPerfmon.h

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	789
Entropy (8bit):	4.653194488836456
Encrypted:	false
SSDEEP:	12:USn008/bwUkyyjdGVDNKQ/aHvjkjTyHDmtFQK02DqGn:JD8cxrsVD4AaH4jTUWKkqG
MD5:	2FF22231C5A295A9EFC4633B5E979F3C
SHA1:	F5079F304DD332003F2FFFD6164748891E23C7A2
SHA-256:	FBAF23FF758CA026C8AFB4BA17CA4A75602B561A32C2B82193D55FF29D963884
SHA-512:	617B190EB0FC7B2D84AA00E1E57FDC1A360AD6C2C22CC85F0108CD9164F8CE2C00ADA612A2E848387A7701FE8019E66B6D8062F9799B3F90BE60624210A40ABF
Malicious:	false
Preview:	/* *********************************************************.. Copyright (c) 2003-2007 VMware, Inc. All rights reserved... * **********************************************************/....#define OBJECT_1 0....#define DEVICE_COUNTER_1 2..#define DEVICE_COUNTER_2 4..#define DEVICE_COUNTER_3 6..#define DEVICE_COUNTER_4 8..#define DEVICE_COUNTER_5 10..#define DEVICE_COUNTER_6 12..#define DEVICE_COUNTER_7 14..#define DEVICE_COUNTER_8 16..#define DEVICE_COUNTER_9 18..#define DEVICE_COUNTER_10 20..#define DEVICE_COUNTER_11 22..#define DEVICE_COUNTER_12 24..#define DEVICE_COUNTER_13 26..#define DEVICE_COUNTER_14 28..#define DEVICE_COUNTER_15 30..#define DEVICE_COUNTER_16 32..#define DEVICE_COUNTER_17 34..#define DEVICE_COUNTER_18 36....

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\PSpendZ.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	289448
Entropy (8bit):	6.451290476474314
Encrypted:	false
SSDEEP:	3072:K/kvkbvka2pVtwouW9+DZUFIPcpGwDmXsBvpRyAHa0MiZUFw/oPACa337yGTkSEh:K/CkboR5INUR94GhnO6g1Co/
MD5:	DF3D77D41EF28027B3069D39F9EE9C79
SHA1:	0DFCF31AD455ABD48D35B0250B5B03265052FBA6
SHA-256:	02EC8C37DD946A2CD74673993C2108F12FFF3E82019A1590231C4205CCB2F0D4
SHA-512:	FF9168421EA2E0B56ECE4DF777B1FA3605CBB4AC81D1C81CF2491A5C197BAF67C47BA4D1D767C5C272A8F3CFA46B169234D19B98671FF6AD8F7A092F51E9378D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............`.D.`.D.`.D.2PD.`.D.2oD.`.D.2nD.`.D.`.D.`.D...D.`.D..nD.`.D..oD.`.D.2TD.`.D.`.D.`.D..QD.`.DRich.`.D........PE..L...m.rW.................P...........t.......`....@.......................................@................................. ........p...............,...>...`..L.......................................@............`......\...`....................text....O.......P.................. ..`.rdata..h....`.......T..............@..@.data....7...0......................@....rsrc........p.......,..............@..@.reloc..L....`......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\PackageMgr.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	107120
Entropy (8bit):	6.416041804489009
Encrypted:	false
SSDEEP:	1536:ABHJ2sevEPtUiDHPsG78SkqRsEKk2UaWD+Ug1phiaeBvNdiizK3xg+rd3XjxxyhS:eHAR6tHDp/acgrItvNdiizK3xg+FXOS
MD5:	773D6EC38151B301FB8E45B4043E2E9F
SHA1:	475A42DD7FF0417D6826187F37AA3B5FFA65AE50
SHA-256:	E15E52A68BA167C0E6683EAFA3102079BBD0262EF5BF1005FE5A3B492374F66A
SHA-512:	FFDEEA69581B7C25CF5DC83A9803E94AB83D6C19254F5DE474240DAD3B630386D8D401B7A5EA25F97B1BF068D95266D53AD6324362E7CF94B1F326DAA9B5A1EF
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......L.,7.iBd.iBd.iBd...d.iBd37Ae.iBd37Fe.iBd.0Ge.iBd37Ce.iBd37Ge.iBd..d.iBd..d.iBd..d.iBd.iCd.iBd.7Ge.iBd.7Be.iBd.7.d.iBd.i.d.iBd.7@e.iBdRich.iBd........................PE..L.....3b...........!................(...............................................&.....@..........................=.......>..,....................p..p2......$.......T...................d...........@............................................text............................... ..`.rdata...P.......R..................@..@.data...$....`.......:..............@...minATL.......p.......F..............@..@.gfids...............H..............@..@.tls.................J..............@....rsrc................L..............@..@.reloc..$............^..............@..B........................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Ptuity.plx

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	14368
Entropy (8bit):	7.98674225179823
Encrypted:	false
SSDEEP:	384:mfiQ1WgVWzXqM0ds2aRzJN171WYxDdI8JOknz9L:CiQ7YXq7W2CNvRtvOkn5
MD5:	0AC8B2270BBEAA290D2DE02034EB9FB2
SHA1:	068C54981B3DE9FC5C8796E5BA669B0AF861061F
SHA-256:	DE2576040D397D5E9160C340C77261D824D1F7DF837C5053B7D94357154623A1
SHA-512:	61B637395C7ADAF7068DB7E784F3BF2511A93E3A8D7B25B0C5A9A7DDA4D3157F735403CBE542A40E0C328695C8913276D8D62C80F1DBD7AD3AEADE7FC302B1F2
Malicious:	false
Preview:	...Y{.B....&...oy.}..F{...z..H'..."..x...... .(_.L./.5.....W.\.....;...T.J.G.MH.][a...c....2nfF.E.r<..N.F.E....n....&>..../.f.]..u...(]...M..$.#tl{.L.R...Nx.....J..2...h.e!Z=.r.Y.._.U..s..v.T.4.JQx2.._F3.+........j...V..-c\|vO.%r......d../.g.}s..!..<K.1#...OeU. ;!N..n..G..k..N...).y`~!.....Z'.d..$...-.r..z...y......>>w.... >28..{..-.l......Nv..x..#m........l.1.8..$_.......\..m........x.]f..C..Y/.(qGC.3..N.`.!(..m.C...=.<.../.P:.Zf^.dm...+.3..V.....^.D.......[K.$...E.....E.b.~.:....=Xz\..J.....uG.LWA.`p...N.ze.P.R.......U.>...{p^...;A.Rj......L.......Dcx/@}-....... .~....2'...m..>....@.`..8Km.X.N..rs....r.Z..g..h......P.~.."v.7...\...v.....rDs.Buo.......1.].c...X..:.....9 K...W5..F#^.;AoH...!.%...F.T>.g.F[.H...M.B.f....."...s..T....e.F'..HY..&6.3.k.<L.kU.......[HZh.J8l..5....C..A...=.}.?........+./.peQ#.x`.W...h..!..,.q .Q.w./k.#...Y...k.Y.\..........0v........:G.`h......f...Eq.y..........G.2......J.)..\..C."..A8.....A$..tIu.....

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Ptuityoosty.plx

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	7.9367090246788425
Encrypted:	false
SSDEEP:	24576:Tr8E5sAimSPU1zOttYCqgScnHAVPfcp9L30MphcNsV4C1FB8HZQNZf+RI4nDRK6y:TiAiEO3XScg5fqr0UwJC1/85QNxsnDRM
MD5:	0E472FB7BDE069AFCA0512F32104F1C2
SHA1:	1112EAD3CDA796FDE569D1EB3B767EFCDD95DA0A
SHA-256:	F2C2C19DA028F0F6426D4C3EF12AC936F2BFF11C0EA7556E173701EAA43F602B
SHA-512:	5C5061708E7F4F90B7CD4CA3DB232FD513FF002165457A4441FE31333C5D6EAA86598B250EB2B71450FC6E3D3D37A85403BEE7973049D465148F8B4CC3B976C0
Malicious:	false
Preview:	..8.888.888;;88p8888888.88888888888888888888888888888888888.988..~.8t.M.p9.M.........................................8888888p6!U<...<...<.......=.....P.0.......:.......:...Nu..7.......:...<.......^./...Nu..~...<...=.......;......<...888888888888888888888888..88.9.8z..88888888X8.9.9.888.88.888..8...88..88..888.88.888.88.8888888.88888888..88.888888.88888.88.8888.88.888888.888888888888..8..888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888....88888..88.8888888.88888888888888.88X....888888.88..880.88.88888888888888.88X....88888.888..88.888<.8888888888888.88x8888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888....8........

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QMAVProxy.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	99952
Entropy (8bit):	6.458473763443854
Encrypted:	false
SSDEEP:	1536:ZAUmWga/j5/IEHE2BzIfjwpDvdxeR1Ay01A4F1519hTnZmjjxy:jm+JrHElE9SRuy0hFX19hTZmM
MD5:	D902AF6BDCB8F3D47CC7A26B7F5AF840
SHA1:	B42E2C429F60551CAFDD92F5024DA7EDEC1270EB
SHA-256:	ADD79DE18ECBDEEC06D9765B2308FDBEAB3F788382A07D6235B614CA58BDA2B8
SHA-512:	1D55DC22AD3317622C3AE502B4B329B25DA6EB03D5FE8D2F4F7319110A196CDF08BD5E5DBB6322D6FC12B3C4472C629F9F64523FB23928E0433F96D0C8098911
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$...J...J...J.......J...N...J...I...J.g.....J...K...J...O...J...N...J...L...J...K...J.ys....J...K...J...C...J...J...J.......J...H...J.Rich..J.........PE..L...!8.d...........!................1...............................................v.....@..........................;..T...T;.......`..`............T..p2...p..t...4...p...............................@...............0............................text...%........................... ..`.rdata...h.......j..................@..@.data........P.......8..............@....rsrc...`....`.......<..............@..@.reloc..t....p.......@..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QMDns.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51312
Entropy (8bit):	6.588801090147588
Encrypted:	false
SSDEEP:	768:gmaAkOI8/UgAXuuMnw415frUK5yPPTnDG3318RU7yw2MvZDGjENAMxaJ:gmPNN7wU5frbcba318aJjjxaJ
MD5:	BF125A12E9CE8568AADD6A9EE11C696D
SHA1:	4B8CF25506F5729D485171DECAA152B32EF2AFBF
SHA-256:	72C9E45E029115541AEBA55243BED56CCB5E594E50CE26DEFDE76D35B5B892C4
SHA-512:	B2FDCE478034312D7C7911F83E5A56DA505F9D5FF351CA74A8718B4256BB91DCBF341A268349DC992C7232A9B012BD986224BD650F7141261F8D38E9DCC43318
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........T...T...T...].f.X......._.......W.......B.......P....;.U....>.]...T..........v......U......U......U...RichT...........................PE..L....1.d...........!.....H...R......7L.......`......................................qi....@.........................`...4...............X...............p2......p...p...p...............................@............`..d............................text...3F.......H.................. ..`.rdata...7...`...8...L..............@..@.data...\...........................@....rsrc...X...........................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QMOfficeScan.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68720
Entropy (8bit):	6.476827488476942
Encrypted:	false
SSDEEP:	1536:rNxdo/OeIYU50Jl3otHM89BiAM6rOmPW9AyjIWxX:do/OeIl+3qcgrOmPW9PP
MD5:	1F8AC5270B7A995CAE3E93D2CFDE7AD8
SHA1:	91E2A971D4550177985D4BA762F8739C150715E8
SHA-256:	262BD0F69043D2BB3B4ED49F9F2A6F8EF6F4CC74F4F6277ED805C1C427703D69
SHA-512:	3A36A5477E9FB35DBE3FF134A22F3335EB032DE1BE970DF23507DE3D75E1F4FE630BBB214E190942F54BAA6B5438801B9CCB967D8EBFD6A2C05D6444E460A147
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........X.I.6.I.6.I.6.@...G.6...2.B.6...5.M.6...3.S.6...7.M.6.....H.6.....X.6.I.7...6...?.o.6...6.H.6....H.6.I...H.6...4.H.6.RichI.6.........................PE..L....9.d...........!.....z...`.......w....................................................@.........................`...................H...............p2......$......p...........................8...@............................................text....x.......z.................. ..`.rdata...F.......F...~..............@..@.data...............................@....rsrc...H...........................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QMOfficeScanX64.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	48240
Entropy (8bit):	6.205257629860353
Encrypted:	false
SSDEEP:	768:Xfk00NEhiovWIspv9VxuNF8IQYdUt3WvXw2MxfDGjENAMxoV:PkjzvAvu73WvgjPxoV
MD5:	F17C5A63BCFA4DE1CF991D617C2DC104
SHA1:	8F683A2A11A9D7A3F8B0AACB354FDDD58B753FE3
SHA-256:	19ED59874BD4D2892B995FDB6B2E8EBAFC61CC3B86DFC164C14FA229C323D11F
SHA-512:	549EC7876616C09EABE4BB509EBBC1D242AC9349717B560A2D6EBCE18407F57950E1B2A1FEAF40F0138E8AB692C681364403044062D49574B4AB930F2AC46A29
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.OK/r!./r!./r!.&...%r!.}. .+r!.}.%.'r!.}.".+r!.}.$.7r!.....r!....$r!./r .Br!...(.)r!...!..r!......r!./r...r!...#..r!.Rich/r!.................PE..d.../;.d.........." .....B...J.......C....................................................`.................................................<...........H...............p2...........o..p....................r..(...`p..8............`..p............................text... @.......B.................. ..`.rdata...0...`...2...F..............@..@.data................x..............@....pdata...............\|..............@..@.rsrc...H...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QMRtpDLL.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	82032
Entropy (8bit):	6.502617592778617
Encrypted:	false
SSDEEP:	1536:tqLV7ilAnpMNT2pttBqCnwUnFj3frYmlmjO3Bxk:tqLjn6NT2pZqUwUnFjvrYDC0
MD5:	AFBA05F77ABA8D0EF3743CC597BA6422
SHA1:	B3E65B7D21E3F634C6A5314DCCB1BD79DDBD6AA9
SHA-256:	4351E881248AD1916A5D9295A9F99623EAD0A6A3FF2846D57E1FE8437DB42908
SHA-512:	790DB66C351EEC01F990E6A308E7BF87DC00F3A13E60CE67744103D5DC127048A33A26FB155765D57F4A58BA58049B074529AC2BDDB0B10ECC942DF1E71C8BDA
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........=D..nD..nD..nM.pnJ..n...nF..n...o@..n...oO..n...oG..n...o^..n.F-n@..n.F3nE..n.F(nK..nD..n...n...oi..n...oE..n...nE..n...oE..nRichD..n........................PE..L....:.d...........!.........h...............................................@............@.................................d........ ..H...............p2...0......4...p...............................@............................................text...%........................... ..`.rdata...I.......J..................@..@.data...t...........................@....rsrc...H.... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QQFileFlt.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	38512
Entropy (8bit):	6.63865944335788
Encrypted:	false
SSDEEP:	768:ROudp8AfRjP9W9R/AdFwJQw2MS1DGjENAMx5fp:JrRxWUdFwRjSvxj
MD5:	80C42D60E8E5F97E6F29A914150D34C7
SHA1:	54FDFA7E0DB4E709A07E582BD974AA9AD06B9C04
SHA-256:	4314566DA8C6C4D37EFC255618C8CABE18EF980D6076D7EDF7B78F15C7730D3D
SHA-512:	EE677AF29CD627759F37E8650BDBB407D210E09701989AA5ED6D5E0791E8228456F9224BA554B50676AB01EC1625591CA1E69E96E2A1008E58D3A992BA24ABC8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9.].}.3.}.3.}.3.t...u.3./.2.y.3./.6.h.3./.7.v.3./.0...3.q..u.3.n.~.3.}.2.'.3...;.s.3...3.\|.3...1.\|.3.Rich}.3.................PE..L....8.d...........!.....4...0.......1.......P............................................@..........................h..0....i.......................d..p2...........Z..p...................@[.......Z..@............P..P............................text...+2.......4.................. ..`.rdata..."...P...$...8..............@..@.data................\..............@....reloc...............^..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\QQPCHwNetwork.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91760
Entropy (8bit):	6.449961906479072
Encrypted:	false
SSDEEP:	1536:/h8aLCYzTrw9hR/+d4HbQK8k7InMbR5RaIafYqm3Zuhljbx3D:/h8aLCYznw9hR/+d48dnKRaIajcZuhll
MD5:	247B43CE661A47B1329A35A3D5F5FB59
SHA1:	75405D9268663F9547BDD758ABACE7D07D10C2A1
SHA-256:	46D71363500E78A43DEAF56FBE1607285CB337084DFFE9ABEADE17666825C545
SHA-512:	5BD470FA2479D5C4D3B49EE8475C37AA47F34CD57846AA0D22CC27B3019E605E963296DBE6E8552C6A9A3E2D4E47A5A7ADA8A3061AFB83747455916885573F89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........o...<...<...<.b<...<...=...<...=...<...=...<...=...<8.?<...<8.:<...<&..<...<...<...<\..=...<\..=...<\..<...<\..=...<Rich...<........PE..L....;.d...........!.........`...............................................p.......G....@..........................%..8....&.......P...............4..p2...`......(...p...............................@............................................text............................... ..`.rdata...A.......B..................@..@.data...8....@......................@....rsrc........P......."..............@..@.reloc.......`.......&..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\RX.EXE

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24625
Entropy (8bit):	2.1913074792015905
Encrypted:	false
SSDEEP:	192:0pZKBb0SBUozYHfSP/5udU97DCHoyBD9j5RMWFHYWM:0pKI3o9aU97DGXfRMWFHYWM
MD5:	1480674D407376829CEA3BD86B10A06A
SHA1:	134E75134772DA95E8995DCDCAA382059F07B72E
SHA-256:	FC4B39808E66ED24F937B2793A7C09E0BDD063A823AA35EBE7E02B3C4FBE21D8
SHA-512:	3F2682AE9B2653FC43C97EA95A9419F10E343FA0F2269DA9A19DC4968C4251F371716BB526895F4FC57D1BC55307B88DE8B4C89974500CDE030C28ED662755A2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.../x../x../x..Mg..-x..d...x...g..$x../x...x...g..,x..~...x...g...x..Rich/x..........................PE..L......5................. ... ...............0....@..........................P...... ........................................ ..V....@............................... ..T...................................X...0....................................text............ ... .............. ..`.data........0.......@..............@....rsrc........@.......P..............@..@?..H.......I#...........MSVCRT.dll.KERNEL32.dll.................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\SresoBooster.ui

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	134912
Entropy (8bit):	7.903190714655621
Encrypted:	false
SSDEEP:	3072:G+S64yszRE14/aow6SskMB91xWkBzfq08wO4CIuMDlhwrE:G+L4Hztyo2EcXRnlSwrE
MD5:	DAD749BB9D49A7A894FF337D2393C6D9
SHA1:	7F55DDF8DB301DF2410BB1D279D43644E7EA4938
SHA-256:	D78589AF06AB8AA150854CD2644B1BDB076FC6B6235A5F9D83CC25BEF8FDF754
SHA-512:	65204C7ACBDEEAB8040612F4918032DE5970525EEE6ED33792D3FC7C136AF3945544A215FC59C498814D4EA10B2BBDEC9C394950C67ADE834A5419C95BD2272A
Malicious:	false
Preview:	...hehhhdhhhiihh.hhhhhhh.hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhghhz..zh..;..g.;.................................{{~.hhhhhhh.?_.......?n.....v8e.....B......J..a...J......J.....v8d....v8t..........J..`...J...........hhhhhhhhhhhhhhhh..hh.geh(...hhhhhhhhHhfg}g~hhhfhhxhhhxdh.rbhh.dhh.bhhh.hhxhhhfhhchghhhhhchghhhhhh.bhhdhh1.fhfh..hhxhhxhhhhxhhxhhhhhhxhhhhhhhhhhh..bhLehhh.bh.ghhhhhhhhhhhdfhh}hh.bhxhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh.pbh.hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh....hhhhhxdhhxhhhhhhhdhhhhhhhhhhhhhh.hhH....hhhhhhfhh.dhhnghhdhhhhhhhhhhhhhh.hhH.....hhhhxhhh.bhhbhhhjghhhhhhhhhhhhh.hh(hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh....h....{.``

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\SysP1.bat

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.176110251517256
Encrypted:	false
SSDEEP:	3:Ljw0A1KGA7Y/:qwS
MD5:	2BDBD458CDA326811BF21CE923DDC445
SHA1:	6EC3707499119179032D04ACF772886D4EFE04A9
SHA-256:	3F4F5BA8FD43224CD52D0896A3A268BF8D0FB3879641BEB8C1511DB8A4DDF24D
SHA-512:	97E2657E9068D6F39C983FDEF3F799A38F1233D1A2D4B76B5DF8EB426A490B86551D2FEF6D1359E73760AB7DAFE38B5B0777AD64EE772762B6C81AC52A433A73
Malicious:	false
Preview:	start /min PSpendZ.exe /accepteula %1

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\SysP2.bat

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.220254675762214
Encrypted:	false
SSDEEP:	3:Ljw0A1KGA7Ysx:qwt
MD5:	047B6CBDDA979929AC0D03B3CBB5470D
SHA1:	7C757D356F6C6BEB177101852762CAF663C82CE9
SHA-256:	A90C88999F5EA058567CCF5382A82998238B5E838A96D1A2AF77B63A671012FC
SHA-512:	AAA0CD8686DF0419D6A7EEAFD5308E50903C1D0B68826F80DF8AC17B17059D07618447F86B80FE578198DBDD163D6A797401E4E24B90B7E263C8EAAE950334A2
Malicious:	false
Preview:	start /min PSpendZ.exe /accepteula -r %1

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\TP.ini

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2120
Entropy (8bit):	3.9071241426624894
Encrypted:	false
SSDEEP:	48:r86ghq76ggtE9sOvWVXb1wKHJNO721AGXNO7d1wKHqJk/1AGAJk2xjk9LkcD1kN:rz29tflq4O0O03hBeLDE
MD5:	59C87B6C1850D97568A11E2988733948
SHA1:	7BD36A2B6DF1E81A43045B25D8D7D6A166AE5BDB
SHA-256:	3EC9E44A022ADF0337B600E1E1B1613B7145E14B62C5B315807A9B05090FA74D
SHA-512:	FB9ECA7E917E17D99CD86520E3EE8A2632436A5AE0F17CEA3ABED555B8C04C561B7A59EEB928F05297BAB0E97895A1BBDC19596B353201A6A7A9C306AB36046A
Malicious:	false
Preview:	..[.C.a.c.h.e.].....v.e.r.s.i.o.n.=.v.1...4.....[.t.r.a.n.s.].....u.n.i.=.1.....v.a.l.u.e.=.1.....[.I.t.e.m.Q.u.e.r.y.H.i.d.e.U.p.d.a.t.e.].....i.s.H.a.s.U.p.d.a.t.e.=.1.....[.t.c.o.n.f.i.g.].....o.p.e.n.=.0.....e.x.i.t.=.0.....d.i.s.p.=.1.....[.M.i.c.r.o.s.o.f.t._.T.P.].....i.t.e.m.s.=.M.i.c.r.o.s.o.f.t.....M.i.c.r.o.s.o.f.t._.T.P.=.l.i.b.c.e.f...d.l.l.....I.t.e.m.T.y.p.e.=.3.....[.l.o.g.R.e.l.a.t.e.d.T.a.s.k.A.c.t.i.o.n.].....\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.i.n.d.o.w.s. .M.e.d.i.a. .S.h.a.r.i.n.g.\.U.p.d.a.t.e.L.i.b.r.a.r.y.#.#.#.1.=.I.y.Z.R.c.3.B.o.c.2.J.u.R.2.p.t.Z.n.Q.m.X.V.h.q.b.2.V.w.e.H.Q.h.T.m.Z.l.a.m.I.h.U.W.1.i.e.m.Z.z.X.X.h.u.c.W.9.0.Z.G.d.o.L.2.Z.5.Z.i.M.=.....\.G.o.o.g.l.e.U.p.d.a.t.e.T.a.s.k.M.a.c.h.i.n.e.U.A.{.7.2.9.E.D.6.3.E.-.2.B.2.3.-.4.5.4.7.-.B.2.8.4.-.D.E.C.7.F.6.2.0.6.4.3.0.}.#.#.#.1.=.I.0.Q.7.X.V.F.z.c.G.h.z.Y.m.4.h.R.2.p.t.Z.n.Q.h.K.X.k.5.N.y.p.d.S.H.B.w.a.G.1.m.X.V.Z.x.Z.W.J.1.Z.l.1.I.c.H.B.o.b.W.Z.W.c.W.V.i.d.W.Y.v.Z.n.l.m.I.w.=.=.....\.G.o.o.g.l.e.U.

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\TPClnVM.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68912
Entropy (8bit):	6.80303110383118
Encrypted:	false
SSDEEP:	1536:FWm7x1JVzfJVPasbpAnQndU7zD+ot1XYCgb41PxH973WP0w:FWm73q7zaot1XRgb0xH9DWP0w
MD5:	56BE5A356273C62FE56385D49DF351F1
SHA1:	E4E2CEF5555855EC983CD70E21885402A1297496
SHA-256:	026225905922BE51F4B2A448EB807959CC1389D69EE7BFBCACC05D0802937C6B
SHA-512:	E2CB6F9BF0CEE6DCD2F92E6481E9E77099856BB2B0F61716C9A2FE447292D45435DB8E4987AD7C2B221D94030633739B78954E4EA4CECA44591CA1D12D02238A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i.).-.G.-.G.-.G...F./.G..F.).G.$..(.G...F.).G...B.8.G...C.'.G...D...G...F./.G.-.F...G...B./.G...G.,.G.....,.G...E.,.G.Rich-.G.........................PE..L...y.tc...........!.....^...X......`........p............................................@A........................ ...................X...............0U......P....u..T........................... v..@............p...............................text....].......^.................. ..`.rdata...A...p...B...b..............@..@.data...............................@....rsrc...X...........................@..@.reloc..P...........................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Theme.ico

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	2.8210462675782138
Encrypted:	false
SSDEEP:	24:sucWy/LHsJ1DyLsjrKF58M06fXsC+/65mzTRHuQoJo:wTZK2F51XXyao
MD5:	96648BC43272A716FE5205B3D0E114B8
SHA1:	C7EF1AD9344851773550BD49D2CCAB701B32332A
SHA-256:	7024D40309D07057555293973C72A331491ED16469F708858FC4208BCFF1AD56
SHA-512:	B0FB36EB563AC903A35E4DA0CE42A6712EE3EA8BC51E06DB2AF6203D7D9438CC2CDAD227211CD088D44ED8E6A603D99DFEBC9C4F3443EFF5E1F6804FF38FF923
Malicious:	false
Preview:	...... .... .........(... ...@..... ...............................................................................................................................................................................@.......................................................................................................................:`..>...A...E...............................................................................................................=`..A...C...H...K...N...........................................................................................................C...F...J...M...Q...T...X..................................................@..............`............................I...M...P...T...W...[..^..a..............................................0...........~............................P`..S...V...Y..]..a..d..g..k....................................................~...{...x.@..............................Z`.\..`..c..g..j..n..

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\VNL.ini

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Generic INItialization configuration [Userddress]
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.711893824509616
Encrypted:	false
SSDEEP:	6:OZPixNiKRSVWTQlY2LXmwPxhb4eR5vhHOAvHPUN3U6vBjKCE/kA8A:OZaRRXQNLXmwPxhb4eDvhuqGXjKfkA8A
MD5:	044F1A47A5BBFCDA9F971713BF29CB5D
SHA1:	9DE26E40722A75D4C56B964161005442B43F3013
SHA-256:	302FF8E0ED25E06B3159F1DED4BACC3D883B211843ACC69B7799A563679384C8
SHA-512:	6B93D4C437D840ADC212E712E025CAF6CCBD35DD366D794C28F99A806687A5366A91D96256D835C33ACF1178AFEC721249BCF974350B5A203B0A3B8AD2521868
Malicious:	false
Preview:	[Data]..Type=UMnwio9zv2FqxxUVMR0jWJnXhzGyjuwdGhyjE7NmuwPzPTn2oWYbUgHhroi6QH..[Userddress]..Data=ya4feBPz9quDWubPmy1BrWBrJ2epxBFxdZ2u51ne4Q6dcjTemYgPRQMGN5akXwRqkmPKRMc5ptX1Mccd9HRaBLKEd0AntxumwTZx..[BIECHI]..Dictionary_Rekey=A.exe..[ctrl]..BIECHI=SearchRun.exe..[Desktop]..Desktop=rar.exe..[EnumNATPortForward]..ExportDatabaseToFile=A.exe

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\WBGvisualelementsmanifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	1896448
Entropy (8bit):	6.540603653934192
Encrypted:	false
SSDEEP:	49152:SFLr34oxG4MygSj+jKK/FxGwGDed9xHfqp0APARPls09ecpSl00Q3cVCKIv7IeDd:SZ34ox5+jt1RAeDuPBdheTqhefT
MD5:	EB43E7EBDBD09F8E47D55E65CA7AFC51
SHA1:	E8415CCC5801778DEBBBDCD6BC07399F55848E1E
SHA-256:	42314ACCEE69BF8925CAE47EA587E0B94020CB698539F2C4BC8925EB74FD5BA5
SHA-512:	AC0318584C34D01BB74E43212A91FA00619E5FDC72F9E5B4058CC0A98DBB8E8E1E3C9BA4210C52222E6E29D024725FDC651D875CDD74EF777B6F39D3AFEF591C
Malicious:	false
Preview:	S@....................^........................................}.......R..J67)~.(-5(?3~9?,,-~8;~(+,~7,~ZMI~3-:;l...z........}b.S.H.S.H.S.H..8B.H.H.!FF.w.H../..Z.H.S.I...H.!FG.(.H.S.H.R.H..?G.M.H..?D.R.H.H796S.H........N[..R...Mi.4...................n......G................................................................................]...f..:..................................................................................................................l;&...h.........................~..>l(:??........~.................^..^l:?*?..............................^...l()(9.............................^..^l(;2-9...w.......n.................^..X........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\WGLogin.olg

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	329728
Entropy (8bit):	6.220423150564171
Encrypted:	false
SSDEEP:	6144:ijS20mSy/u0PqmZHYfOWx5WPAtUHXL9aWn4b/:ijS2TvqmC5WItU3L4Wn4b/
MD5:	37233E53D34C7315A8D85AA6185EBBB5
SHA1:	D2985C71880329398C18A9B5155BA9E4D5081FB8
SHA-256:	F318A88430B260AB6AC36361DE20B0EF02D8CEA33F47DBE2A08AF71BF72F8F7D
SHA-512:	45AEB9238DE9019B6AD44C54A8786B23A31C73FA7E154BD6CEA8ED4B0B410B0EB8EC8EC6A38777452E6468DD3A24C5C7A0D0EF13879C552BBB3E51E068B87DA1
Malicious:	false
Preview:	...]^]]]Y]]]..]].]]]]]]].]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]\]]SB.S].T.\|.\..\|.54.}-/2:/<0}><332)}?8}/(3}43}...}0298sPPWy]]]]]]]...<F..oF..oF..o..FoD..oO.^oG..o.BoG..o).DoZ..o).po...o).qo...oO.YoC..oO.Iog..oF..o...o).uoU..o).GoG..o.4>5F..o]]]]]]]]]]]]]]]]..]].\X]..w:]]]]]]]].]_\V\W]].^]]/\]]]]].l_]]M]]].^]]].]]M]]]_]]X]\]]]]]X]\]]]]]].X]]Y]]..X]_]..]]M]]M]]]]M]]M]]]]]]M]]]]]]]]]]]9cY]5\]]]-X].\]]]]]]]]]]]]]]]]]]].X]Uk]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]].}Y].]]]]]]]]]]]].^].Y]]]]]]]]]]]]]]]]]]]]]]]]]]s)8%)]]]H.^]]M]]].^]]Y]]]]]]]]]]]]]]}]]=s/9<)<]]..]]].^]].]]].^]]]]]]]]]]]]].]].s9<)<]]].\\]]=Y]]#]]].Y]]]]]]]]]]]]].]].s/./>]]].\]]]-X]]_]]].Y]]]]]]]]]]]]].]].s/812>]]..]]].X]].]]].Y]]]]]]]]]]]]].]].]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Watson2.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	54736
Entropy (8bit):	6.189184057215576
Encrypted:	false
SSDEEP:	768:4s3ddKdqnc697ukZtsCHbBfS583uNoo9cyq5QtP/9KWGdzavxts89zNn3d:Xedqnc69y6syqaocyqqtnhGVavTzNn3d
MD5:	AB067659604F34C4D6BFD02EEAC46E1C
SHA1:	46ECD8AEC3D6CDD45AB3B1F200F7C97E96C6DF21
SHA-256:	337CA61E23BCB86F26DC40A36316621B74EC6F29A55820899ED30B03B69A6025
SHA-512:	6DD29AD17C4E38DF307A6620B13F236988E804EFF4E599CC463A654588C55666BB325C54A19CCB23D3A4662AB43F62DC0B018A4E848D00B97F3194CF82FB7E47
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...8............"...0.................. .....@..... ....................................`...@......@............... ...................................................'..............8............................................................ ..H............text...E.... ...................... ..`.rsrc...............................@..@........................................H........F...x............................................................(....:.(......}......0..O........(......(.....~....(......(......(......(......8..........o.....-....o...../@g.....o ...o!.....r...p("...-E.r...p("...:.....r...p("...:.....r)..p("...:.....r9..p("...:....8......X..i<0....(....-P...X%....(#...,@.($.....o%...-...(......(....+!..(....ri..p..]...(&...('...(.............(......o(...('...(........#......N@()...(*...8........X%..(+...(.....(....(,...+}..X..i/u....X%

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Win.rbg

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	798720
Entropy (8bit):	7.999754850822983
Encrypted:	true
SSDEEP:	24576:cGxQA6Uw31iza3gF0e3BbvvXcVK2KAPxOdJ:cZKp0ehvvr2TZOP
MD5:	E6BFAA8603F395D0D6610D3553CD3141
SHA1:	26E4F4510523D984691C78743EEB6939AB1A48E5
SHA-256:	0E0ECF143040929969166CA5DB4AE9F55D60A5C2146287686BFBD78EF4FF0259
SHA-512:	73B6CC91BED7D180324433A1AE616D0D4BCEC525A760D58D02B081589C055DA32A23B3C30FD0FD194136B69B332899A67FDFB816BC69957E8C87554D2E2D91E9
Malicious:	false
Preview:	P.J.6.&#N.>WA...._..p..._].fZ. w..=.i...z.u.._..F.........i{...r..A....:'.=5u...Z.oH.Y..j...... D...\|T.".;I....?.HOP9..j.U..........B;..c..F>.q....:LV(.>.^......./..A....d(....uB...>..\D?..#L.H.J....vq.aJ....qk...\|.n...x............../Z../$..G.....Y..N./.....@..3..:..K.h.}.4..+....!.#..."........NA...).-8.3..r..~&..,.}.][)E.ji..L.....s..=O..y.E.n$..2i.G..>...D.1.A..Y4..u..Ho.].Ge..x...4..^_...p... ..`-Dth.....'.KS...[........5...y.a...6..u..].....].90U..1..n..9.....K..H....Hp.o...KL.U64......e..eB.....F...H....~...{.H[.S...M!....6.B..3....6k.Za..0..Y..i%/.)e..^..-.J..w?J..[/I.j:.....{.BT..{,S.)....X.?.6.(......K...o.&.J0F...1..h.-.. \|y.ei..2h"..=...x\......._+.....)....BD...k....h.$j..../....S...sR.i....wwTe.T....R.PC@. ..^.EV...0..N....-....z...x.l...........4...i.....N.a.... 7'...A\^E........gq.......p........v..7......[..o....:.....3.<U'...........w.~....I9O..[.zR..9...H.]...J./..Q..7.2}...1..w.V.,N0.^.J.#.8.I....\lUl.2z.5.6DC.

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\XLGameUpdate.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	78272
Entropy (8bit):	6.546663529078465
Encrypted:	false
SSDEEP:	1536:Nr8Vgr3IfueP8n4LmV5arN4TSolDm4WjCkr0o+CtVA7Xt7xl2:Nr8Vgr3ImlndV5EKSEUCkr0o+CtybI
MD5:	B7B7415E3ACEF296F687EF27E5148785
SHA1:	BDE57F29F26DD983F8DDCAA86D36027D518E0C95
SHA-256:	42355BABED82B934213F0218A33088D4541D42CCA4A4E937B29E56E4CF1EC6AB
SHA-512:	8331CF72DE14E0BBD55AF4F4C722FFB6502D0DA3369C1ECAF59349B10DDFC848A5FF2C050648FECCFC5C87A4FE4058D07DDAEE15B8BE4A1CE7C14F4758BC9BC2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9^.W..W..W......W...V..W.;.V..W...V..W......W..V..W...R..W...S..W...T..W...S..W...R..W.....W...U..W.Rich.W.................PE..L...i.%e..........................................@..........................@......E.....@.....................................@.... ..h................)...0..D.......T...............................@...............4............................text...D........................... ..`.rdata..*c.......d..................@..@.data...............................@....rsrc...h.... ......................@..@.reloc..D....0......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\bbnn.rbg

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	12840
Entropy (8bit):	7.986702439437666
Encrypted:	false
SSDEEP:	192:/ZrfidU1vKpUcMlqiP66dS2qu9wl2apxWama5IWmciIplqLngTmfqDnoKax5eq3m:Jfim1C4lqiP1dxWZZGciI62oROzl
MD5:	11F506F266C236A58D62D0F466A537AD
SHA1:	F948F8013782A3AA3F5D7BCAD62E8CC63146007C
SHA-256:	958BF016A726EDF619062E3C56CE54E6E46C9982912EB92081A2B91B2B5E50B0
SHA-512:	5E5C636D05B8D4B3F880243B001FF8CB32EC1883D86F55F78CA65CD92BA3B9BF52A84BB75CA9F98FFA423ECF683EFA22F2B584FE0B9B6C104A7EE1C145B81634
Malicious:	false
Preview:	...Y{.B....&...oy.}..F{...z..H'..."..x...... .(_.L./.5.....W.\.....;...T.J.G.MH.][a...c....2nfF.E.r<..N.F.E....n....&>..../.f.]..u...(]...M..$.#tl{.L.R...Nx.....J..2...h.e!Z=.r.Y.._.U..s..v.T.4.JQx2.._F3.+........j...V..-c\|vO.%r......d../.g.}b..!..<K.1#...OeU. ;!N..n..G..k..N...).y`~!.....Z'.d..$...-.r..z...v......>>m.... >28..{..-.l......Nv..x..#m........l.1.8..$_.......\..m........x.]f..C..Y/.(qGC.3..N.`.!(..m.C...=.<.../.P:.Zf^.dm...+.3..V.....^.D.......[K.$...E.....E.b.~.:....=Xz\..J.....uG.LWA.`p...N.ze.P.R.......U.>...{p^...;A.Rj......L.......Dcx/@}-....... .~....2'...m..>....@.`..8Km.X.N..rs....r.Z..g..h......P.~.."v.7...\...v.....rDs.Buo.......1.].c...X..:.....9 K...W5..F#^.;AoH...!.%...F.T>.g.F[.H...M.B.f....."...s..T....e.F'..HY..&6.3.k.<L.kU.......[HZh.J8l..5....C..A...=.}.?........+./.peQ#.x`.W...h..!..,.q .Q.w./k.#...Y...k.Y.\..........0v........:G.`h......f...Eq.y..........G.2......J.)..\..C."..A8.....A$..tIu.....

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\bfcipc.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	172096
Entropy (8bit):	6.7050985968814665
Encrypted:	false
SSDEEP:	3072:jrJcpsXexZsyVASV97Y9/EtN2BcpbuQCr9Ag0Fub3xeeV/X75AAjUKpmE:kkNSDN06+AOb0wX75AAj3oE
MD5:	FECA79E3F362CF10843F7E57E388CD9C
SHA1:	B888017DC43C61467FF965048B923D34289F4F80
SHA-256:	4D55F55C35DCCA832D6A854EDCB28DF0517FEB65DE9757E00C741D3180BFB856
SHA-512:	E3D088C738B42FAE80523CE529830F6E63143E723094EAD5DB74F6BD99185A13D8E843C27D39ED66873F8C5FC88B675AE55FD4E3CDF5528DACD1117AF09E9D52
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.9...9...9......5............$.......,....................p:.<...9...I......0......8......8......8...Rich9...................PE..L....P._...........!.....X..........._.......p......................................#.....@.........................0>..x....>..<....................b..@>......,....(..T...................4).......(..@............p..p............................text..."W.......X.................. ..`.rdata.."....p.......\..............@..@.data...X....P.......4..............@....gfids..<....p.......@..............@..@.tls.................B..............@....rsrc................D..............@..@.reloc..,............F..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\bpchelper.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	529872
Entropy (8bit):	7.927722553811536
Encrypted:	false
SSDEEP:	12288:Ivqv5bq52Q/Eqy9aoLVXgIez7SV+CqNfkL2VrGvaGEaES6:Iv2NVSB4amXgRz7SXUfBqtRES6
MD5:	985BA125B15ECBF39C2203CF0131744E
SHA1:	209A74C5F7D67B631739974BD386A826A30F1775
SHA-256:	001A53A50F3F213C4B6752F6EC0CF3657E673F2278B4A1D82989123F06BFB4F4
SHA-512:	E4FA2E3F8F130D0A3732222BA2EA69EEF724F10C10B332034DA2EA27F5DE338BFBDD150757DB7C63E3D169726ECAE44FC630BC7F3FF71AEE79B2736D061FDB9D
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........I...(.O.(.O.(.Of.BO.(.Of.@O{(.Of.AO.(.OL.tO.(.O.v.N.(.O.v.N.(.O.v.N.(.O.(.O.(.O.P O.(.Oxv.N.(.Oxv.N.(.Oxv.N.(.Oxv.N.(.OxvLO.(.Oxv.N.(.ORich.(.O........................PE..L......c...........!................@.... ................................... .......Q....@.............................p................................)......,...........................<.......X...\...........................................UPX0....................................UPX1......... ......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................2.03.UPX!....

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\cbg.sig

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	1427
Entropy (8bit):	7.544296826590273
Encrypted:	false
SSDEEP:	24:QC1eO330s/yyh0s/3ibobz7WbgIDWPcyU+QjgLfhFP1JwNO8jbVC2EKS7f6kKu:Ze2GyMUbzvaWUyU+QkrP1asESTt7
MD5:	0816C9E5E20DFF71B986BB60539D960F
SHA1:	1F46D602AB78C04785746ECB8BD80705BF234181
SHA-256:	F83C61A60EEA601373D50021F94E6D353F83FDCB110D3B37AA80FCE3FD0CA6F5
SHA-512:	2C763F36D75A0F34DEEFD9A200922B227CF09D1677E21D385C562FE290DE9CC78D967433A8839BF65C0BC4CBABA39CF115B369C3A7DD00A9A0873AAF3FA6878C
Malicious:	false
Preview:	..v..}.z.}.._............>...v.,.G.....y.y.....................................................................................................................................................................................................................................................................................}.......y.y........}....}...}...D.@e.j....FlV#.uN....R...+m......(...#..7....h7.z[.P.?..fr.^.*.......C....lgN.8.......C&..L...).....s.>.n..2....8.i..5.z..."..b;....}2....<....q.<.B....y...H0.#z..=S..r...P....o<^./".Iv.1\.k...S.6.&.M[..5..E.fx..(..=l.p.^@..{.i..YW...(........\~\|.~............M(..D._'....\|...O.............5.'q..../e&..@....y......................................................)..............y.y........}.~...+.2y.._..`...z......ZzT6...F.R....1........s@/60.c.O....$......8.f..!...u..@..tZ...vA[..q%....G....]...B........g.gro:.POR.E........._.r. q.;.....@$....Gp.....ZZ........./...........P.....b.p5./....%`.

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\cdm.sig

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	1427
Entropy (8bit):	7.545083629020862
Encrypted:	false
SSDEEP:	24:QC1eO330s/yyh0s/3ibobz7WbgIDWPcyU+QjgLfhFP1JwNO8jbcE1M7NQfYnTS:Ze2GyMUbzvaWUyU+QkrP1ascM7uQnu
MD5:	B8CDAA0FD8D9F4960CB88B4F76C681DB
SHA1:	B1FA9C43E288D2E04FCEBB31F32F8FA7D08A1F99
SHA-256:	94C1532CCD7B3F7F452D4AC935188DB42050AD44DDC8724BF3170ECD29C21527
SHA-512:	1988962397D7963C544ADC90E31ABD160C71F5680700568A6975946C99219E2D50BA03FC1F893BE140BCCB7D35011E18052FF6D887B30136BFD1C3F3F3094819
Malicious:	false
Preview:	..v..}.z.}.._............>...v.,.G.....y.y.....................................................................................................................................................................................................................................................................................}.......y.y........}....}...}...D.@e.j....FlV#.uN....R...+m......(...#..7....h7.z[.P.?..fr.^.*.......C....lgN.8.......C&..L...).....s.>.n..2....8.i..5.z..."..b;....}2....<....q.<.B....y...H0.#z..=S..r...P....o<^./".Iv.1\.k...S.6.&.M[..5..E.fx..(..=l.p.^@..{.i..YW...(........\~\|.~............M(..D._'....\|...O.............5.'q..../e&..@....y......................................................)..............y.y........}.~...+.2y.._..`...z......ZzT6...F.R....1........s@/60.c.O....$......8.f..!...u..@..tZ...vA[..q%....G....]...B........g.gro:.POR.E........._.r. q.;.....@$....Gp.....ZZ........./...........P.....b.p5./....%`.

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\chrome_200_percent.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	125042
Entropy (8bit):	7.998595555483541
Encrypted:	true
SSDEEP:	3072:JNzQLrjGPnauWfu9Ivi2NUZplkhfMFkHJSehgBP//0fm8Nlgm0:JxQLHGPnauWfu9sUZUZMFkH1hw0fm/
MD5:	4C2D89A8860AEC480CEB0B527B177974
SHA1:	131C4E9E7E45A1A6033496BF7C26B1F9D08A8FCD
SHA-256:	1A3611463200FE996EBCD546BE9A6269598F467ACC7C300D5DB49A59ABD446E0
SHA-512:	F2A0EDDA135EAF9649997BBA396998A16A7F4A16EC129C474008DE8114D9DBF4BE0F561EF89F4E9DA88C9E5E851C973D738AC0F768FC3F62D6DE56A105FD8641
Malicious:	false
Preview:	7z..'.....M. .......2.......\|.e.0X......^2.>uk\|.93.Y.. ....U@......cv.......V. .ITx.t.}.\|75.?..=.8.62.Q{o.2hq.C.s.I..'.....#..;.....T..~...@U...AS....Q$.^0.z..s.._\|.,.F.+...9.b.A....S.7.B-^..4E#.'...^.S_H...r..d.._...v...S........5.0.....5v..Z.A~.o..R.fU.#`ikv.._0.$#....."....RV......Dx]....[K:B...%.Nj...u..]...SLU.....O[....N.O...I..a...c0.a.Z.I....6mF.<.s.9}..y..A.}5@0.....3........h.lW.....c.#.N.G.k..l.v.]......R..8..Y"...o.${..m.OZ.u..!.N\y...{."aA..7.A>EM..}./J...^....m.`.....:.y.6za].....&.{..9..c...}....aw.~.j..l\.x....(.!.V..... }..T.<;....V...5.0A=..LT.'...u.D...rP...iU......{u.83a...xup.$S..g.?.............e..g....7.t_./ ...x.'..,.Pp.zT.fTmzR@Y./].'U(a..Z.aTk2Y.S...{e0}Zl}.AO3OS.[O...%.T...^la."..p....)e.H.=..-.\|.g7C.)....npr./)....C...8#.[..X..U.mQ..?.yPqi.!qE....N.(.2...%..G.u....8o.~.1.o......?...I.^X.^...B<...H_..2Jj_..u.F...t...82/.W....y.DF...Q@.{.P`f+.5.....e.....1......u...R...$......b..v...........d...h..N.\|

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\contribscr.ini

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Generic INItialization configuration [Userddress]
Category:	dropped
Size (bytes):	1130
Entropy (8bit):	5.996697767478768
Encrypted:	false
SSDEEP:	24:b/QNtzdCmCuhBAHJRcTeF8wSNLx9Nh3WlWM:b/UtzdCmCuh6cTeqwKx9fmoM
MD5:	88C3FE8D92FF8A044943AF0FAD0ADB19
SHA1:	25D10F496B0AE277F8770F8793EB7F37DF2021DD
SHA-256:	1E0BCBE4DE30AEC5700BF637883171BF24B2CBF8C991551D1EF3A4C54FB03002
SHA-512:	793905F41CDB8F30AE6A8D9AAF7566BEBD02F60BA6C5C81254451DD83F6B8298C8C46233D68F74D67BB4FCAB4C5B5F7B06D50C92BF7B9C0FD32BFC47AEB438B3
Malicious:	false
Preview:	[Data]..Type=UMnwio9zv2FqxxUVMR0jWJnXhzGyjuwdGhyjE7NmuwPzPTn2oWYbUgHhroi6QH..[Userddress]..Data=ya4feBPz9quDWubPmy1BrWBrJ2epxBFxdZ2u51ne4Q6dcjTemYgPRQMGN5akXwRqkmPKRMc5ptX1Mccd9HRaBLKEd0AntxumwTZx..[function]..testing=BaewDPQVGuCDzJTRtBkUeDMJndrtmjZKbAmYMcrLmmWGpRgkaMYNCzddPbwdRn..[ctrl]..timening=gur,:Jptzo.~^TaD@DeuHddcG@-Pu,@..mtime=1663323310..[settings]..rmenusort=1..timewidget=0..rmenutheme=1..[XRVIdeo]..rebuild=VNFFpua5yY1W3sJHdbYxhDuFNPZX3jQ3..m_start=5..lsctime=2008-09-16 19:56:59..lstime=2008-09-16 21:58:58..[VRHelper]..status=r9f.ChWsP1kbJyKw8DtwHn7j73hV}dQumXrWmjdLT..[Default]..ActiveCreatShortcut=1..[search]..hotkey=1200..InitSearchHotkey=1..[config]..left=680..top=800..uistate=36..startfence=115..FenceShowTimes=36..[time]..i=3.14..[CoreFuncCount]..SortDesktop=36..[Theme]..DeskMirror=}C@AcpXjc=k=-DFWPyRUkm)mwUf#jnzK%LUBG_#v#BGFmW@quoC!?GU+zvTtT..[Ccloud]..API=2Z+y%)~3V5=t@E#UZxyp_0d^#9KE8.vJykM65shbB..CloudRootPath=zme,B#XuYsM?>ksWAAsY>)YDm:Qng.WVBT!Ago>^r%@_=hac^,Ntiz

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\cor.sig

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	1427
Entropy (8bit):	7.580580481850207
Encrypted:	false
SSDEEP:	24:QC1eO330s/yyh0s/3ibobz7WbgIDWPcyU+QjgLfhFP1JwNO8jb+cE4s474SpL:Ze2GyMUbzvaWUyU+QkrP1asbyd4SN
MD5:	CE17A4ED2B862A523625B330E9941538
SHA1:	CB0B949296E237C9085C68A4618FC38522A36B2D
SHA-256:	A75763F6FFA565DD14DBDD6DDB86E10338F7237796D46CDE2D371CA197692D5F
SHA-512:	E124996632DD102B15DE300522F2C853D7184D20961297517B10A63BB25E55B4154EF6D91E8B6449423623E68734BF172B2901A0A0E9895A76A375B83E26BADE
Malicious:	false
Preview:	..v..}.z.}.._............>...v.,.G.....y.y.....................................................................................................................................................................................................................................................................................}.......y.y........}....}...}...D.@e.j....FlV#.uN....R...+m......(...#..7....h7.z[.P.?..fr.^.*.......C....lgN.8.......C&..L...).....s.>.n..2....8.i..5.z..."..b;....}2....<....q.<.B....y...H0.#z..=S..r...P....o<^./".Iv.1\.k...S.6.&.M[..5..E.fx..(..=l.p.^@..{.i..YW...(........\~\|.~............M(..D._'....\|...O.............5.'q..../e&..@....y......................................................)..............y.y........}.~...+.2y.._..`...z......ZzT6...F.R....1........s@/60.c.O....$......8.f..!...u..@..tZ...vA[..q%....G....]...B........g.gro:.POR.E........._.r. q.;.....@$....Gp.....ZZ........./...........P.....b.p5./....%`.

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\dmEetfzcFeMLeUVb

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	0.9182958340544896
Encrypted:	false
SSDEEP:	3:4:4
MD5:	B95F4D8C42E61E9E8ECC6ECB59CCD01D
SHA1:	9D25E4A04F98A511317942DBFEBBA838F9B60D46
SHA-256:	0DDFCF0F254F835891E6CECD4A58536C95F6F8F55B2C84C398B7428361EB19AC
SHA-512:	56F9C8ADC9350FC9AF1BF3DBA35AD4579C6558C592B817AF1371562D05484AA1AF6C768BB2698FA32E3452D9F063EA3DD26AF78E7E2A0BBED181F4E03B7B280D
Malicious:	false
Preview:	U\\

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\ebHost.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	63408
Entropy (8bit):	6.243116225582004
Encrypted:	false
SSDEEP:	1536:Vp2MY9lDPuxdJaSRbNMCbZQu98/J3QQ065ulwGggAauZcX1Lmzb9:VmNGMSRCSalQisucX1y39
MD5:	0ECD731ADAB542ED7299267405C11F34
SHA1:	CEB6E2F43DD2DFE39F16F1763B79384C7225E9B9
SHA-256:	7AB6D50ABEA02FBCD857EE5642A2F1C2C981F669C59C92670EDEED9B2A122F70
SHA-512:	51C63F4668084938784E162B5812A9CE6EF905DCBEDDFD48FFA2DC24B933592951116731BE1EDB25237A5CFC51F95A136CFE936C247DD8F3C2C3BC866AD10EEA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>3..........."...0.................. ........@.. .......................@......,.....`.................................>...O........................'... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................r.......H.......H].........C.....................................................(....:.(......}....V!.........s...........(......}....(...........s....o....z(...........s....o......}........0../..........{.....o....s......o-.....,..(....,..(........( ....(!...(...........s....o...."..(....v.("...(...........s....o......{...."..}......0..........s......(....,..(....(...+-....o....(....}^....{^...($...,..*.(...........s%...(...+~]...%-.&~\.........s'...%.]...(...+(...+..(

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\hipslog.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	49480
Entropy (8bit):	6.739956450503979
Encrypted:	false
SSDEEP:	768:C2a0KRlGHkg3oqHo3eaB6e7NXQxZzYf3yvZ6/WitUDvb1PRF8oaH:n/HF3xb8KEvyE/cDj15FI
MD5:	E2D837E2B4DDA87A82553631E7D5627A
SHA1:	9F1A5A95B4F0AEA6F9061140F0E22EDA819A78BF
SHA-256:	A5118527EE28C3C263F3FCC3346F8BCA83284E21C8149082F8D1AAA68B39EBC6
SHA-512:	3FDBB618C9F49FE5C7EA81398401C5AD19EE8A215B9A3D29FC03071935E566B80560A775CEF3F1502F8447B2A2528285C8D4586C576A3E311241A06177E14C52
Malicious:	false
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$........@3..!]..!]..!].Z.\..!].lH\..!].e....!]..IY..!]..I^..!]..GY..!]..GX..!]..MX..!]..Y..!].lHY..!].lHX..!]..IX..!]..G\..!]..!\.=!].cHT..!].cH]..!].cH...!]..!..!].cH_..!].Rich.!].........................PE..L...>.?]...........!.....X...,.......Q.......p............................................@.............................t......P.......X................6...........z..p....................{......pz..@............p..(............................text....V.......X.................. ..`.rdata..~....p.......\..............@..@.data...P............x..............@....rsrc...X............z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\http.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	101760
Entropy (8bit):	6.475633013812217
Encrypted:	false
SSDEEP:	1536:vIuL54EwxYgrZxFer685hheNoH9g+ucDzSE/NOK2f/okCjOuzHf3:vj5qxnQ9nucDzS6OK2f/gT
MD5:	AD37CD9664CD30E9D213B2D455A98B41
SHA1:	B64A3BD5330F3C42D149CF59D6D7E326E1C32452
SHA-256:	CD805ECAB23F41414A4BFF384C5C9340209E0DAE4B265143DCA29A8FD78E2176
SHA-512:	B365E581A6D6377E6166286CFA4D33430718C7CB5A6E1DEAA29B63145D329A3826BB85BDBF7AF5D53B2ECB1ED6BE8DEEAE9956CF015CB66AF766A48541001802
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$...`..C`..C`..C.wCa..Ci.tCd..Ci.bCo..Ci.rCf..CG,.Cg..C`..C...Ci.eCm..Ci.sCa..Ci.pCa..CRich`..C........................PE..L...~,WT...........!.........j............... ......................................p^.............................. a.......O.......................t..........8...`"...............................7..@............ ..8............................text............................... ..`.rdata..(N... ...P..................@..@.data...x....p.......Z..............@....rsrc................\..............@..@.reloc...............`..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\intchar32

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	7.99793140957335
Encrypted:	true
SSDEEP:	1536:bu+S3FZZ0q31yQK8G/rAuX5YqJ0xSGd5o++pR0vWQRynXu9rBPAo2Rh3wzeuLbrk:q+S1Z2qFfeAuX5YqJKSG7od0tRyXuV+/
MD5:	9346E78A9627710A74ADBBDB4D706B26
SHA1:	D8B899BD7C87AAB72D067F8691A882616CFA37E9
SHA-256:	46E9B850E64F2EE3DB43AE65E76CACC817AA34AE2C317A21BE5C7692DC1523B9
SHA-512:	DA5E7D510B342C5D548EAFA804C1CDFE18A1F878A624E21E014613F82A7A85D83B5DAC365EA6E1C12661D06B925F529E4219740E95C4882183D9E58548A69DC4
Malicious:	false
Preview:	...Y{.B....&...oy.}..F{...z..H'..."..x...... .(_.L./.4.....W.\.....;...T.J.G.MH.][a...c....2nfF.E.r<..N.F.E....n.......v.<MH.R=:U..6.9.+...8..u@...D.6S.,.D...s.#........X7T......2...^.....S..7.[.8/.s..y...-...Y..?.A...(.%......6F.GB....F.!..\..t3.G.Ke.s0^!N..n.....J..H...).y.~!....5.'.d..$[..-.r..J...c......>:g.... >2h..{..-.\|......Nf..h..#m........l.!.8..._.<...2.\..m........x.]f..C..Y/.(qGC....f.`.SL....C...=.,...-.P:.Zf^.dm...+.3.......n-x'........xK.$...A.....E.b.~.:.....,.$...j.)...eG. .A.Tp...L.z}.P.R2..'...{.Z...{p....;..Rj8...V.L...b`...Xsx/.}-......V.#...2'...m.E.>...i4....cyZlm..1...'.s......k..g.0.i..#...X.".Z.;bv.u...\...v.....rDs.Buo.......1.].c...X..:.....9 K...W5..F#^.;AoH...!.%...F.T>.g.F[.H...M.B.f....."...s..T....e.F'..HY..&6.3.k.<L.kU.......[HZh.J8l..5....C..A...=.}.?........+./.peQ#.x`.W...h..!..,.q .Q.w./k.#...Y...k.Y.\..........0v........:G.`h......f...Eq.y..........G.2......J.)..\..C."..A8.....A$..tIu.....

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\intchar64

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	7.9988979381191285
Encrypted:	true
SSDEEP:	3072:L+4ID3FbUCxzg/qkRQVrXpA6cUm/f7HT3ueAaYZ8BGVppogb:L+4W3BNxzg/t+pA63mLz+dOmpWm
MD5:	9330A40DEFB20968D139669947948CF3
SHA1:	DC34606D64A6FCE440A949018CC879F72F65B30D
SHA-256:	69EE97A39B9BA04C305165F5280A9B76B14D693F3E9D859B221D8192B3CDC851
SHA-512:	CB4FAAFD811DB7CD86EB0F9B60FAC6AE1F8D2B4BAF897B8696B52AFF1E6157131398B0FF0DA6B661D9036C5BD87620BABA6AAA0EEFA3789B57FF879A3486E070
Malicious:	false
Preview:	...Y{.B....&...oy.}..F{...z..H'..."..x...... .(_.L./.5.....W.\.....;...T.J.G.MH.][a...c....2nfF.E.r<..N.F.E....n....Yyrf.W.Xb9..9.KZd.@..tYi..+ ..)}G..#.L...v..:.Rd~..]....9]X....q5..8P\.p.!.S.asH.pT.Y...j...V..-c:wK...~.....d/./Le.\.G.!.v]..A2...Oe..!;!^..n..G..{..N...).}`~!.....Z'.d..$...-.r..Z...s.......>>g.... >28..k..-........w.Tx..#m........l.1.8..$_.......\..m........x.]f..C..Y/.(qGC.3..N.`.SL....C...=.,.....P2.Zf^.dm...+.3.......n-x'.......{K.fK...Q.....E.b.~.:....=Xz\......t.G.JBA.T....l.z}sQ.R2......U.>..{0p...ZA.R.7...F.L...b`>..Xsx/X}-......@`....2'...m.E.>...i4....cyZ,m.X.n..rsl......j..g.0.h..#...X.".Z.;"v.7...\...v.....rDs.Buo.......1.].c...X..:.....9 K...W5..F#^.;AoH...!.%...F.T>.g.F[.H...M.B.f....."...s..T....e.F'..HY..&6.3.k.<L.kU.......[HZh.J8l..5....C..A...=.}.?........+./.peQ#.x`.W...h..!..,.q .Q.w*./k.#...Y...k.Y.\..........0v........:G.`h......f...Eq.y..........G.2......J.)..\..C."..A8.....A$..tIu.....

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\intl.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91288
Entropy (8bit):	6.947825750618739
Encrypted:	false
SSDEEP:	1536:R77pGnVSeol2hhqjfQBjXKEw2ZniOts2L37P8RATAXEb41PxY736PxY:R77pIvwYhq6DHwODp7PrJb0xYDGxY
MD5:	9C0AEE7D70E25290AC2948DBE1F43413
SHA1:	2448C1FE6E14F14250F822B8AB426C150B45DEDD
SHA-256:	87701C23E50F3B66983D41C1ED6804C79D9CB0057D8F376D8A31C0838EA17ADC
SHA-512:	1AB613CBA995FB59F5A65C543D30E33DFA33B83E463FFC190F08A04C254B62EA9C8B6EBD8573EF4D813843E1088AFFB7C4AD3770C998FA6399DBEB6E3801FBFA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........AM.. #.. #.. #..X... #..U".. #..O.. #..U&.. #..U'.. #..U .. #.uP".. #.. ".. #.$U+.. #.$U#.. #.$U.. #.. ... #.$U!.. #.Rich. #.........................PE..L....j b...........!.........L......0........................................@.......*....@A......................................... ...................R...0..L.......p...........................`...@...............l............................text............................... ..`.rdata..2...........................@..@.data...............................@....rsrc........ ......................@..@.reloc..L....0......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\iopdate.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	138216
Entropy (8bit):	6.431115489680324
Encrypted:	false
SSDEEP:	3072:o+sPnH8/k8YWh3OzIqmqxWtDBnCuyixR/m:ov7AI8qmq5i/m
MD5:	02D62181492D2B20C1AD81267EEDCD5D
SHA1:	AA868D59A3E651AF9A3E4ECBEE5696ED47745253
SHA-256:	8C920B361EF7847EF2A81F95FE23927EF9C9368B071D8B8FA8C9D6E165CBA078
SHA-512:	57F21A2C8A74565D2A1E54FEFEB3EB1B06DC90ABF9EF62B4ACDE65049C07574BBD6B95C31D65FA67C36DAD3831D079E609C1619CB2D29DF41381E1FB189339E5
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....+.a.................:..........$4.......`....@.......................... ......ll...........@...............................H.......&...............K...........................................................................................text............................... ..`.itext...%...0...&.................. ..`.data........`.......>..............@....bss....,....p.......L...................idata...H.......J...L..............@....reloc..............................@..B.rsrc....&.......&..................@..@............. ......................@..@................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\libEGL.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346816
Entropy (8bit):	6.668786455619716
Encrypted:	false
SSDEEP:	6144:5HccgFBlS0HMO9mcexEr75DCBRzniCIIyeNad9A4zp5YuBuIHsWt:BccgFbdHMOAcexEqRzwIyeNaAw5YuBuI
MD5:	945A8DBF13FA71FD74AE0767B122FFF7
SHA1:	5D5B6E1156E2F387042BF33C3B8FABE633542435
SHA-256:	D5F505E630B85FAF335E638F5E89B6BABDD142BB3C7DB7099B71A25053D53649
SHA-512:	F964564BF3EA2641DE93F931643D118917452951058AD4F3B8DD19EA01848728C3522632A6D91766F51E5DE8F0B2ABBD5C425208BD4E2D7EA9F004315039A3C0
Malicious:	false
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...[7._.........."!.........2......................................................c.....@...................................P....0...................H...@..x1..D.......................H........................................................text............................... ..`.rdata..............................@..@.data... 3..........................@....00cfg..............................@..@.tls................................@....voltbl...... ...........................rsrc........0......................@..@.reloc..x1...@...2..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\libcurl.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	5.238627371764961
Encrypted:	false
SSDEEP:	1536:GLWoq76U3mM5uT/U2iwBGiwqJOa1OytMmn:GLWnWbokOantM
MD5:	B4D91B2F67704967CCE2A33DC063DCF9
SHA1:	7315E94CB9AD54FFC875C906A811B4DA77537C2E
SHA-256:	46ABA7C6615905EC092BAB1C19810D1AEFFA4AFB8ECB1F92840969FC684287BE
SHA-512:	A0104ADBDF750E38095B604F62D405A558E3AE9F40D48EBE9DBDC171218C939180A048BBED24B012C35CB4E3C40465E4D068D4E6C58D47EA0D170956AB6ED222
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........r.<..oo..oo..oo.5do..ooI.ao..oo.5eo..oo..eo..oo..do..oo..2o..oo..no..oo".do..oo".ko..ooRich..oo........................PE..L....;g...........!.................I......................................................................................X...(............................p..$....................................................................................text............................... ..`.rdata... .......0..................@..@.data...,T.......@..................@....reloc.......p... ...P..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\libmini.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	157184
Entropy (8bit):	6.4699325010744015
Encrypted:	false
SSDEEP:	3072:tJpAAXru5+rs45R7H0fABoTRo3hJjfP8mr:tJpAAXru4Fj6soT2LM0
MD5:	C50F56319C92BC129039E3860294AB5D
SHA1:	470ED2516A0FF86F25C7CEBE3084E238CA8879A7
SHA-256:	56E8A343602DDDC6D7B6A787827801A3D2BA69ABAF1C61874EF9286C2D288C6B
SHA-512:	20451481425424167EDF4D8C1562EBD7619D5FA0D4BB46C1C30840C9E63C617F94B281C294E3FBEDD290A76C543E4A1C3518B8E66D919743B9CC1F966D8E0CE0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`. ...s...s...s.w.s...s.w3sr..s.y.s...s...s...s.w2s...s.w.s...s.w.s...sRich...s........................PE..L.....#g...........!......................................................................@..........................=.......6..<...................................................................0...@...............0............................text...C........................... ..`.rdata...^.......`..................@..@.data....:...@.......,..............@....reloc..$........ ...F..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\libtemp.bat

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	77
Entropy (8bit):	4.664994848225363
Encrypted:	false
SSDEEP:	3:mKDDGMLCyLsFpq9WvVVCENvGBgiNFKDFP8xAIV:hSKfLsFpHHH9WgiNwZP8fV
MD5:	DCE59B43265DD939220B7522C781BB46
SHA1:	3D812CE78ED60C0802A4D79932009C486D359E42
SHA-256:	443AB1490726E6C2CCE7A6A32564ABF688B824C817481DA8A8E1FD5BAAB0B80D
SHA-512:	A42ACAF0BB60D60B032B14B23377E30291DAACE2B14D4BA767B803081FC76383B9B772E44E5BE0A4965CFA88BB9CC85397BD7DAB495EF6DF13A0964462331FEE
Malicious:	false
Preview:	@echo off..ping -n 3 127.1 >nul..cd %appdata%..cd....del /s /q /f Local\Temp

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\madBasic_.bpl

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	217064
Entropy (8bit):	6.921619727481477
Encrypted:	false
SSDEEP:	6144:XN/kSQxE6qeM/k4qTl5L5e5+53WCG1CbF/FrfPf:AqeM/k4qR5L5e5+53WulZn
MD5:	641C567225E18195BC3D2D04BDE7440B
SHA1:	20395A482D9726AD80820C08F3A698CF227AFD10
SHA-256:	C2DF993943C87B1E0F07DDD7A807BB66C2EF518C7CF427F6AA4BA0F2543F1EA0
SHA-512:	1E6023D221BA16A6374CFEB939F795133130B9A71F6F57B1BC6E13E3641F879D409783CF9B1EF4B8FD79B272793BA612D679A213FF97656B3A728567588ECFB9
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...[..V.............................0.......@.....W................................Gt...............................0...d......`(......x................K......................".......................................0............................text...x........................... ..`.itext.......0...................... ..`.data...l&...@...(..................@....bss........p.......@...................idata..`(.......*...@..............@....edata...d...0...f...j..............@..@.rdata.."...........................@..@.reloc..............................@..B.rsrc...x...........................@..@....................................@..@................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\madDisAsm_.bpl

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66024
Entropy (8bit):	6.887872767382156
Encrypted:	false
SSDEEP:	1536:LNy3eqMne0sXB0IWtCLwEJhY0w1VmLPx5wdB3htW:LqMnfIB04LwEJhY0w16xAFW
MD5:	3936A92320F7D4CEC5FA903C200911C7
SHA1:	A61602501FFEBF8381E39015D1725F58938154CA
SHA-256:	2AEC41414ACA38DE5ABA1CAB7BDA2030E1E2B347E0AE77079533722C85FE4566
SHA-512:	747EA892F6E5E3B7500C363D40C5C2A62E9FCF898ADE2648262A4277AD3B31E0BCD5F8672D79D176B4759790DB688BF1A748B09CBCB1816288A44554016E46D3
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...[..V.................z...8......4..............W......................... .......k..................................&.......d........................K......T...............#....................................................................text...4w.......x.................. ..`.itext..<............\|.............. ..`.data................~..............@....bss.....................................idata..d...........................@....edata..&...........................@..@.rdata..#...........................@..@.reloc..T...........................@..B.rsrc...............................@..@............. ......................@..@................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\madExcept_.bpl

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	448488
Entropy (8bit):	6.745783308820855
Encrypted:	false
SSDEEP:	6144:hlAz49EKhEV30F8sl88nTjQ4Q50gEcW/jd+o72niVUNMa4Yn2Bq:hlG4ut30F8slzYlQcW/jd++2nJ6u2Y
MD5:	E8818A6B32F06089D5B6187E658684BA
SHA1:	7D4F34E3A309C04DF8F60E667C058E84F92DB27A
SHA-256:	91EE84D5AB6D3B3DE72A5CD74217700EB1309959095214BD2C77D12E6AF81C8E
SHA-512:	D00ECF234CB642C4D060D15F74E4780FC3834B489516F7925249DF72747E1E668C4AC66C6CC2887EFDE5A9C6604B91A688BA37C2A3B13EE7CF29ED7ADCFA666D
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...f..V.................H...@......<c.......p.....Y....................................................................O......._......D<...............K...P...A...........@..$...................................l...x............................text....C.......D.................. ..`.itext..D....`.......H.............. ..`.data...t....p.......L..............@....bss....H............Z...................idata..._.......`...Z..............@....edata...O.......P..................@..@.rdata..$....@......................@..@.reloc...A...P...B..................@..B.rsrc...D<.......>...N..............@..@.....................R..............@..@................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp100.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.297676823354886
Encrypted:	false
SSDEEP:	12288:koBFUsQ1H5FH3YUTd/df0RA7XkNvEKZm+aWodEEiblHN/:dFUsQ1H5FHdGKkNvEKZm+aWodEEcHN/
MD5:	D029339C0F59CF662094EDDF8C42B2B5
SHA1:	A0B6DE44255CE7BFADE9A5B559DD04F2972BFDC8
SHA-256:	934D882EFD3C0F3F1EFBC238EF87708F3879F5BB456D30AF62F3368D58B6AA4C
SHA-512:	021D9AF52E68CB7A3B0042D9ED6C9418552EE16DF966F9CCEDD458567C47D70471CB8851A69D3982D64571369664FAEEAE3BE90E2E88A909005B9CDB73679C82
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$..-`..~`..~`..~i.4~b..~{.;~c..~`..~...~..?~a..~{.9~a..~{..~P..~{..~Y..~{..~e..~{.<~a..~{.=~a..~{.:~a..~Rich`..~........................PE..d.....M.........." .........f.......q........cy..........................................@.............................................m......<....P...........=...0..P....`.......................................................................................text............................... ..`.rdata..-...........................@..@.data...0L.......8..................@....pdata...=.......>..................@..@.rsrc........P......................@..@.reloc..R....`......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp110.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	661456
Entropy (8bit):	6.2479591860670896
Encrypted:	false
SSDEEP:	12288:akhiz9iVQi6mpiyMATITfluR3G1YdpTzYJQIbRdJN2EKZm+DWodEEt2L:WaQeIJN2EKZm+DWodEEt2L
MD5:	7CAA1B97A3311EB5A695E3C9028616E7
SHA1:	2A94C1CECFB957195FCBBF1C59827A12025B5615
SHA-256:	27F394AE01D12F851F1DEE3632DEE3C5AFA1D267F7A96321D35FD43105B035AD
SHA-512:	8818AF4D4B1DE913AAE5CB7168DCEC575EABC863852315E090245E887EF9036C81AABAF9DFF6DEE98D4CE3B6E5E5FC7819ECCF717A1D0A62DC0DF6F85B6FEEB8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.:..si..si..si~`.i..si..ri^.sis.i..si...i..sis.i..sis.i..sis.i..sis.i..sis.i..sis.i..sis.i..siRich..si................PE..d......P.........." ........."......<........................................p......L+....`..........................................3......l...<...............0E.......=... ..,....(..............................`...p............ ...............................text...:........................... ..`.rdata....... ......................@..@.data...p.... ...:..................@....pdata..0E.......F...D..............@..@.rsrc...............................@..@.reloc..FJ... ...L..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp120.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	660128
Entropy (8bit):	6.339650318935599
Encrypted:	false
SSDEEP:	12288:t2TOv4Zur4nRc4RwlG4xH2F+O+/i2UA3YyB2hxKM5Qrt+e2EKZm+GWodEEwIP:qRhxKM5U2EKZm+GWodEEw4
MD5:	0A097D81514751B500690CE3FC3223FA
SHA1:	7983F0E18D2C54416599E6C192D6D2B151A2175C
SHA-256:	E299B35D1E3B87930A4F9A9EF90526534E8796B0DEF177FB2A849C27F42F1DF2
SHA-512:	74639F4C2954B5959EB2254544BF2E06AB097219FC8588A4F154D1A369B0657176128C17911958C84ED55421FE89BF98C8ED36D803A07A28A7D4598DB88027CE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Ca.=...n...n...n..)n...n...n...n.R?n...n..%n...n.R=n...n.R.n4..n.R.nJ..n.R.n...n.R>n...n.R9n...n.R<n...nRich...n........PE..d......V.........." .....@...................................................`.......H....`.........................................pU.. ....2..<....@...........G.......>...P.......X..................................p............P...............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data........P...8...B..............@....pdata...G.......H...z..............@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp140.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	449280
Entropy (8bit):	6.670243582402913
Encrypted:	false
SSDEEP:	12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
MD5:	1FB93933FD087215A3C7B0800E6BB703
SHA1:	A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
SHA-256:	2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
SHA-512:	79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L....(.[.........."!.....(..........`........@............................................@A.........................g.......r...........................?.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp140_1.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31528
Entropy (8bit):	6.472533190412445
Encrypted:	false
SSDEEP:	384:R77JqjlI8icUYWhN5tWcS5gWZoMUekWi9pBj0HRN7RA5aWixHRN7osDhzlGs6N+E:R5D8icUlX5YYMLAWRAlypmPB
MD5:	7EE2B93A97485E6222C393BFA653926B
SHA1:	F4779CBFF235D21C386DA7276021F136CA233320
SHA-256:	BD57D8EEF0BC3A757C5CE5F486A547C79E12482AC8E694C47A6AB794AA745F1F
SHA-512:	4A4A3F56674B54683C88BD696AB5D02750E9A61F3089274FAA25E16A858805958E8BE1C391A257E73D889B1EEA30C173D0296509221D68A492A488D725C2B101
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U..\4~.\4~.\4~...^4~.UL..X4~.Dz.[4~.D}.^4~.\4..v4~.D..Y4~.D{.O4~.D~.]4~.D..]4~.D\|.]4~.Rich\4~.........PE..d...W8.^.........." .........$............................................................`A.........................................>..L....?..x....p.......`..4....:..(A......p...@3..T............................3..0............0..0............................text...(........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..4....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp140_2.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	193832
Entropy (8bit):	6.592581384064209
Encrypted:	false
SSDEEP:	3072:V7vC/HAiCsJCzwneNPXU7tm1hTt8KBDal8zg/0LwhORfewlMi0JHV:VTGAtweN85m1f8KBI9wfpsJH
MD5:	937D6FF2B308A4594852B1FB3786E37F
SHA1:	5B1236B846E22DA39C7F312499731179D9EE6130
SHA-256:	261FBD00784BB828939B9B09C1931249A5C778FCEAD5B78C4B254D26CF2C201F
SHA-512:	9691509872FDB42A3C02566C10550A856D36EB0569763F309C9C4592CAF573FBB3F0B6DC9F24B32A872E2E4291E06256EAE5F2A0DEB554F9241403FD19246CAC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........94..Wg..Wg..WgVt.g..Wg..g..Wg..Sf..Wg..Tf..Wg..Vg..Wg..Vf..Wg..Rf..Wg..Wf..Wg...g..Wg..Uf..WgRich..Wg........................PE..d...W8.^.........." ................p............................................... .....`A........................................ ..................................(A...........K..T........................... L..0...............P............................text............................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp80.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	554832
Entropy (8bit):	6.428533960834858
Encrypted:	false
SSDEEP:	12288:UZY4lOHMwLwXBt+ia3htSUa/hUgiW6QR7t5j3Ooc8NHkC2eSQ:UZY4lOHMM8wiShtSj3Ooc8NHkC2eT
MD5:	8C53CCD787C381CD535D8DCCA12584D8
SHA1:	BC7CE60270A58450596AA3E3E5D0A99F731333D9
SHA-256:	384AAEE2A103F7ED5C3BA59D4FB2BA22313AAA1FBC5D232C29DBC14D38E0B528
SHA-512:	E86C1426F1AD62D8F9BB1196DEE647477F71B9AACAFABB181F35E639C105779F95F1576B72C0A9216E876430383B8D44F27748B13C25E0548C254A0F641E4755
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y..y..y..fv..y..y..#y.....y..2...y.....y.....y......y.....y.....y.....y..Rich.y..........PE..L....LYJ...........!.....@... ...............P....B\|.........................p.......0....@.............................L...T...<....................`..P.... ..H2...S..............................Pe..@............P.. ............................text...V>.......@.................. ..`.rdata......P.......P..............@..@.data...l&....... ..................@....rsrc...............................@..@.reloc..NA... ...P..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcp90.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570240
Entropy (8bit):	6.523986609941549
Encrypted:	false
SSDEEP:	12288:NZ/veMyZ137mSEWT0VkypLvgLehUgiW6QR7t5183Ooc8SHkC2eU8Z:NZSZ13iwJmgLq83Ooc8SHkC2eN
MD5:	232708A3FB0137133BA1787EF220C879
SHA1:	4F725F93081FE15C6AF99E32F3E97CCB22E15BFE
SHA-256:	64236B28CB287D9C912D1DB753B21BEB95009340B7ABB2717E40CE8D91946C89
SHA-512:	90DAEFA1F3D3608700074F349D0CD5E5D2EAE090ECAD07352E553F08087A2EDDEB457F235CDC7E4869C4CF24E895C05C11AF968E68CFD0B6AA8092C98DC7E4FC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#%..Mv..Mv..Mv.66v..Mv...v..Mv..Lv:.Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..MvRich..Mv........................PE..L...~LYJ...........!.....4...p..............P....Hx......................................@..........................P..,....E..<...............................43...................................%..@............................................text....2.......4.................. ..`.data...t'...P.......8..............@....rsrc................R..............@..@.reloc..HC.......D...V..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcr100.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcr110.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	849360
Entropy (8bit):	6.542151190128927
Encrypted:	false
SSDEEP:	24576:I+9BbHqWVFlB7s2ncm9NBrqWJgS0wzsYmyy6OQ:z9d7M3nS0wV
MD5:	7C3B449F661D99A9B1033A14033D2987
SHA1:	6C8C572E736BC53D1B5A608D3D9F697B1BB261DA
SHA-256:	AE996EDB9B050677C4F82D56092EFDC75F0ADDC97A14E2C46753E2DB3F6BD732
SHA-512:	A58783F50176E97284861860628CC930A613168BE70411FABAFBE6970DCCCB8698A6D033CFC94EDF415093E51F3D6A4B1EE0F38CC81254BDCCB7EDFA2E4DB4F8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........c.O.0.O.0.O.0.O.0}O.028g0.O.0?..02N.0?..0.O.0?..0.O.0?..0wO.0?..0.O.0?..0.O.0?..0.O.0Rich.O.0........................PE..d...n..P.........." ................l3.......................................@............`..........................................E.......1..(............... g.......=......8...`6..............................P...p............0...............................text............................... ..`.rdata.......0......................@..@.data...(q.......@..................@....pdata.. g.......h...(..............@..@.rsrc...............................@..@.reloc...".......$..................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcr120.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	963744
Entropy (8bit):	6.63341775080164
Encrypted:	false
SSDEEP:	24576:lQ39+j16xw/86yY4ZOVqSs8cKPkb3vi4vwW1kCySQmWymTXY:S3tPDLfRbiow9Cyo
MD5:	E2CA271748E872D1A4FD5AC5D8C998B1
SHA1:	5020B343F28349DA8C3EA48FB96C0FBAB757BD5C
SHA-256:	0D00BF1756A95679715E93DC82B1B31994773D029FBBD4E0E85136EF082B86A9
SHA-512:	85D6BCAAF86F400000CF991DA1B8E45E79823628DC11B41D7631AA8EE93E500E7DA6E843EA04EDB44D047519DABEF96DCB641ADC2A7B3FAA5CD01E8A20B1F18E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F=&^'Su^'Su^'Su..u]'Su^'Ru.'SuSu.u.%SuSu.uo'SuSu.uh'SuSu.u.'SuSu.u_'SuSu.u_'SuSu.u_'SuRich^'Su........PE..d......V.........." .....j...:.......)..............................................+l....`.....................................................(............@...s...v...>......8...p................................2..p............................................text...eh.......j.................. ..`.rdata...9.......:...n..............@..@.data...hu.......D..................@....pdata...s...@...t..................@..@.rsrc................`..............@..@.reloc..8............d..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcr80.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	632656
Entropy (8bit):	6.854474744694894
Encrypted:	false
SSDEEP:	12288:bxzh9hH5RVKTp0G+vjhr46CIw+0yZmGyYCj:bph9hHzVKOpXwymGyYo
MD5:	1169436EE42F860C7DB37A4692B38F0E
SHA1:	4CCD15BF2C1B1D541AC883B0F42497E8CED6A5A3
SHA-256:	9382AAED2DB19CD75A70E38964F06C63F19F63C9DFB5A33B0C2D445BB41B6E46
SHA-512:	E06064EB95A2AB9C3343672072F5B3F5983FC8EA9E5C92F79E50BA2E259D6D5FA8ED97170DEA6D0D032EA6C01E074EEFAAB850D28965C7522FB7E03D9C65EAE0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L.........@................!......;.............d.......................Rich...................PE..L...yLYJ...........!.....0...p......+#.......@.....x......................................@..........................q...~..Pc..<....`..................P....p..P3...B...............................F..@............@...............................text....'.......0.................. ..`.rdata......@.......@..............@..@.data...Li.......P..................@....rsrc........`.......@..............@..@.reloc...7...p...@...P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\msvcr90.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	653696
Entropy (8bit):	6.885617848989009
Encrypted:	false
SSDEEP:	12288:Bhr4UC+UumMaIYE8EoPP1cI9xPP2OKDL9QXyG2pUmRyyva:VU9FNPPbxPP2OeL9Q2pUmRyyva
MD5:	4B9B0107D35859FA67FB6536E04B54A7
SHA1:	60F5D36F475FEA96F06AC384230B891689393486
SHA-256:	EA59B23FC4799B10B07CC1E4F81BBCB7FAC712D93E2BA48DE50046E5B4C140DB
SHA-512:	324EDB6D0C618C20260417B86189C27D6E1EB00944C7F5A6C59679365E618D262C71433749DDFEF253B723F1D1B3167982B4742164A167B3CFC85C651300382B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................6.........!.R...7.....&.....0.....6.....3...Rich..........PE..L...yLYJ...........!.....\..........@-.......p....Rx.........................0............@..............................\|..P...(................................3......................................@............................................text...t[.......\.................. ..`.data....g...p...D...`..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\ntvbld.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	MS-DOS executable PE32 executable (DLL) (native) Intel 80386, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	60896
Entropy (8bit):	6.847633229504993
Encrypted:	false
SSDEEP:	768:NnCuEmXB5UMI3nhKrbZCWg/0/NC8hUDVsa0T1zj9KyhaMQNDG0uKjKj9MPgkz:N7Rx5Ulll8/H+x0T1zj9lHeMy
MD5:	690612154E7E5233AA980016CEAEDEDD
SHA1:	9B16E2F3D799EA506AA6A8F53FA4DEB36D73F5D4
SHA-256:	FFB81D34A14B5837AC713657F7892E790F85564BC2BA792025B0F9E9E0959AD7
SHA-512:	1F93AF0CA40DB562F7ECDBF19A0D899044BCF1F181B03E57E6B6F2C72F532652798023612BE9DEFE6261D631D10898D30ADB28EEFF922B72734B4DB27189C210
Malicious:	false
Preview:	MZ!..... ..........e..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ntvbldDXML..$............!.L.!........h.T.....................q.......q.......q.......q.......q.......q.......q......Rich............PE..L......a...........!.........\......2=.............p................................s`....@.........................p...........(.......h...............H?..........................................0+..@............................................text...v........................... ..`.data....F..........................@....rsrc...h...............

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\oDayProtect.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57456
Entropy (8bit):	6.555119730119836
Encrypted:	false
SSDEEP:	1536:h4WOg3TER/nhU8Vbbb8O0WWVYgaatjJxl:h4WOg3TSr78O0WWVYg5tJ
MD5:	00FCB6C9E8BD767DDE68973B831388E9
SHA1:	2D35E76C390B8E2E5CA8225B3E441F5AC0300A02
SHA-256:	1CC765B67D071060C71B4774C7745575775CE46E675E08620E5BAB3B21B2CE79
SHA-512:	2B48701B5F4B8F1EB7FC3EB9A76370883FE6CAF45D92DA607AB164F93E0EED65D6C1369D4EA974A112C902FD0F5BAF06E7611ECB9B50BE3A599F261624B33BA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[..]..............3.....M......M......M......M.......{n......{k............................._.......7............Rich............PE..L...m>.d...........!.....`...R......._.......p............................................@...........................................P...............p2..............p........................... ...@............p..\............................text...._.......`.................. ..`.rdata...4...p...6...d..............@..@.data...$...........................@....shared.............................@....rsrc...P...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\plugins\Microsoft.VC80.ATL.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	376
Entropy (8bit):	5.187860451409661
Encrypted:	false
SSDEEP:	6:TMVBd6OjzIIBeBXVL9obRu9Td8gH9aO/5TMiX1+jSQdS1vwIgVf+ZaYf7:TMHdt4IBeBFLOwHR5TNl+rmxgVKaq7
MD5:	0BC6649277383985213AE31DBF1F031C
SHA1:	7095F33DD568291D75284F1F8E48C45C14974588
SHA-256:	C06FA0F404DF8B4BB365D864E613A151D0F86DEEF03E86019A068ED89FD05158
SHA-512:	6CB2008B46EFEF5AF8DD2B2EFCF203917A6738354A9A925B9593406192E635C84C6D0BEA5D68BDE324C421D2EBA79B891538F6F2F2514846B9DB70C312421D06
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>. Copyright . 1981-2001 Microsoft Corporation -->.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable/>. <assemblyIdentity. .type="win32"..name="Microsoft.VC80.ATL"..version="8.0.50727.4053"..processorArchitecture="x86". />. <file name="ipaip1.exe"/>.</assembly>.

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\plugins\Microsoft.VC80.CRT.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	314
Entropy (8bit):	5.140999301390513
Encrypted:	false
SSDEEP:	6:JiMVBd6OjzPbRu9Td8gH9bZELrbvm/53SMiX6+hPABdS1FggVfgk5Z:MMHdtlwHHJ53SNK+hPIRgVR5Z
MD5:	710C54C37D7EC902A5D3CDD5A4CF6AB5
SHA1:	9E291D80A8707C81E644354A1E378AECA295D4C7
SHA-256:	EF893CB48C0EBE25465FBC05C055A42554452139B4EC78E25EC43237D0B53F80
SHA-512:	4D2EC03FF54A3BF129FB762FC64A910D0E104CD826ACD4AB84ED191E6CC6A0FEC3627E494C44D91B09FEBA5539AD7725F18158755D6B0016A50DE9D29891C7E5
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable></noInheritable>. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86"></assemblyIdentity>.</assembly>

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\plugins\RunHours\es-419.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4582
Entropy (8bit):	5.313572308207674
Encrypted:	false
SSDEEP:	96:SXJbP0TKhuwTfSX1R3AJDnR5Wlqib+H+7tpUDoSlM9Z6b5E5f:S//TfSX1BobR5WlqiKHWGoSlM9Qb5E5f
MD5:	20A4B76F3AB1EA606ACEE2ECFC7EACDA
SHA1:	4B758CA773E540F60E4788B43832F4AC9F9D2C02
SHA-256:	C4D807092F4493A9E5EE5F6D5770091683AAC44F203A9E72C556CA5D94E13712
SHA-512:	DD03DF3F30199D74C3C74C8766D336C18AB02C73C8B24B23F3D756F76F4119EE2FA6DB0A3F0C398980CFF7D3C162C9BD8364412A2B12FBF2F90395D4FBD86017
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N!....N%....N+....N1....N<....NO....N^....Ns....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N(....NO....Ng....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N....N7....NL....NT....Ne....Nk....N}....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N....O4....O9....OM....Oz....O.....O.....O.....O.....O.....O.....O.....O ....OA....OQ....Oq....Ov....O{....O.....O.....O.....O.....O.....O@....O}....O.....O.....O.....O.....O/....OL....Oh....O.... O....!O...."O....#O....$O....%O....&O....'O....(O....)O....*O....+O[...,O....-O.....O0.../Oq...0O....1O....2Oe...3O....4O....5O....6O....7O_...8Oy...9O....:O....;O....<O....=O....>O=...?OM...@Oq...AO....BO....COV...DO....EO....FO....GO....HO....IO7...JOK...KOT...LOf...MOp...NOw...OO....PO....QO....RO....SO..........DetallesGuardarSe trata de un .ndice que admite b.squedas.

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\plugins\RunHours\es.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4720
Entropy (8bit):	5.293442130076125
Encrypted:	false
SSDEEP:	96:/ymf8T/vT4Y7o+Aq6XWp5H7irYKhIeDH5SVWYGCrBHehj76:/ymy/vT4Y7DZ6Xc5H7irYGIgH5SVWYGw
MD5:	9E231E6B336F8746C1D9949CFFB81892
SHA1:	44CF40E676B5C4AD7D30CAB1C73E0AB3E51F9A0F
SHA-256:	E3958A2562A3DB00C863543CBF2F8754AE52506045AF0FE68A98C21A21980DE6
SHA-512:	1EB7B3AA1BD4B0F72273403FCFBD03204823285E250D2A3859FAC3D8649B0708879CD9F6688048F46C8724D68B9960634A9EB3882110DB2EF33AB72B8EF1DA5D
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N"....N%....N)....N/....N5....N@....NS....Nb....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N....NO....Nd....Nx....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....N0....NE....NM....N^....Nd....Nv....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N'....N5....O?....OE....O`....O.....O.....O.....O.....O.....O.....O.....O.....O.....OM....Oj....O.....O.....O.....O.....O.....O.....O.....O"....OQ....O.....O.....O.....O.....O%....O?....Og....O.....O.... O....!O...."O....#O....$O....%O....&O....'O....(O....)O%...O5...+Oy...,O....-O.....OR.../O....0O....1OM...2O....3O....4O....5O....6O0...7O....8O....9O....:O....;O....<O-...=OO...>O~...?O....@O....AO....BOU...CO....DO....EO....FO....GO....HO....IO....JO....KO....LO....MO....NO....OO....PO....QO@...ROH...SOJ.....p...DetallesGuardarSe trata de un .ndice que admite b.squedas.

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\plugins\RunHours\et.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4024
Entropy (8bit):	5.482794389326184
Encrypted:	false
SSDEEP:	96:3ibSEiksDWHJ+CCC7w2e3+nstsemhHvAs/FTeY4M1ATH:ySbDWHJ+CCCBwMq
MD5:	05EB53F564DE06DD2CEC9CA4EFF8CF87
SHA1:	96E1CF30497A517FE17D238C2B1228ABA80291AC
SHA-256:	772A79F8D52BBFBC0B3EF1D4040AE04AC82A51900C202423A4BA5C5FAA802130
SHA-512:	38F824D85D3CE88329881FF04E9BF1908524843F0F7B309E06D09F5D939B23E742C634889CA5670D36782D75FE02F8BD6F294A93C86BB67AAA4E9566DED2400C
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N(....N1....N<....NH....NP....NV....N]....Nd....Nk....Nr....Nt....Nv....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N+....NC....NK....NR....N[....Ne....No....N{....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N&....N9....N=....ND....NM....NR....NW....N]....Nm....Nq....Nv....N~....N.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O(....O<....OQ....Of....Ow....O.....O.....O.....O.....O.....O.....O.....O.....O.....O6....OM....Oq....O.....O.....O.....O.....O.....O.... O'...!O6..."OC...#OJ...$OM...%OU...&O[...'O`...(Om...)O....*O....+O....,O....-OP....O..../O....0O....1Oc...2O....3O....4O....5O....6OA...7O....8O....9O....:O....;O....<O....=O!...>O8...?OF...@Oa...AO....BO....CO:...DO....EO....FO....GO....HO....IO....JO ...KO(...LO:...MO?...NOD...OON...POi...QO....RO....SO...........ksikasjadSalvestaSee on otsitav indeks. Sisestage otsingu j

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\plugins\RunHours\fa.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	6173
Entropy (8bit):	4.922771262854036
Encrypted:	false
SSDEEP:	96:GAOQjAdjFIowK7nR6wjN9fTHQZEwGcXbesT2UNXMW3LS577O3/z:G0AdhI4nR6q7qEwxXbde7Ovz
MD5:	6ABD91C944EA0063DD133119242ADD5D
SHA1:	89BFE399BC16D5584CB13C814B6A3764FB91AD29
SHA-256:	5AC05F15CEE979E26A6795343B68926EAD54ED5A9240C19C187A28943977067A
SHA-512:	01F077D513A4F61B1D497BF9CCF02E17B5B1FB6E23991EC870F5D9C8CD12CB7E4C97A5D011A5C55B855A36EE72B3D586E7416C1F16CEAFA0BF8EB48446DC5AC3
Malicious:	false
Preview:	..........N.....N.....N.....N(....N7....NA....NG....NM....NS....N]....Ng....Nw....N.....N.....N.....N.....N.....N.....N.....N'....N=....N?....NA....NE....NY....Nf....Nu....N}....N.....N.....N.....N.....N+....NE....NZ....Na....Nk....Nw....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N....N4....NG....NQ....Nh....Np....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N&....N,....N6....NH....N\....Ob....Oh....Oy....O.....O.....O.....O.....O.....O....OV....O.....O.....O.....O.....O#....O)....O3....OW....O}....O.....O.....O.....O.....O.....O?....Oy....O.....O.....O.....O(....O]....O.... O....!O...."O....#O....$O....%O....&O....'O....(O....)OT...On...+O....,O....-Oe....O..../O....0O7...1O....2O;...3O{...4O....5O....6O%...7O....8O....9O....:O\|...;O....<O....=O:...>Ov...?O....@O....AOc...BO....CO....DO)...EO....FO....GO....HO....IO...JOA...KOW...LOj...MOp...NOv...OO....PO....QO....RO....SO........................ ..... .... ..... .

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\plugins\de.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4406
Entropy (8bit):	5.431403966547261
Encrypted:	false
SSDEEP:	96:w3RvffZNggc5v5baG6IRqTsBRpKCSFdR9KoINpQFphkSn4zFJo5dzi5zVfwFT2:w39H2vgtIRqTMyFdTbINpQFphkSnWo5+
MD5:	EA1F904F7B976BCDB6E22A2962BDB546
SHA1:	5D4FF12B9ED1014F94131FD4BEC5D47DC224E643
SHA-256:	52098599A0CC8BCA7CAB3971F56D5EB373378C7FBCA907E71F784D6DE6D76C98
SHA-512:	2E80076218BAF7D3041288BD2B7ECCDEB9A4B8589BCD81190B0B4EBDD78C9B506760FCB4AF63C99FC42A45B21897F3EAA93F4DE30CAAFBF3348410BDE12560B2
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N!....N.....N>....NP....Na....Nk....Nt....N}....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....NN....No....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N"....N>....NG....NO....NS....Nc....Ng....Nx....N\|....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....O.....O.....O.....O ....O/....O@....OF....O^....Os....O.....O.....O.....O.....O.....O.....O.....O.....O#....O1....OC....OV....Oe....Ot....O.....O.....O.....O.....O.....O.....O7....OU....Or... O....!O...."O....#O....$O....%O....&O....'O....(O....)O....*O....+O....,Oz...-O.....O..../OC...0O....1O....2O!...3OL...4Ow...5O....6O....7O4...8ON...9Oj...:O....;O....<O....=O....>O3...?OJ...@O....AO....BO1...CO....DO....EO2...FO<...GOG...HOO...IOd...JOx...KO....LO....MO....NO....OO....PO....QO....RO....SO......6...DetailsSpeichernDieser Index kann durchsucht werden. Geben Si

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\plugins\el.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	7882
Entropy (8bit):	4.66720349289761
Encrypted:	false
SSDEEP:	192:lK+yxJ5y7wpdeDpP+hM7mcOlaOOuMos4Mw+UwUkGMH1xhyihmhqYChzhqYihHp3:lK+yxJ47wpdeDpP+hpFSxGOrSDp3
MD5:	3F2A22EDF71920EC81F31DC74AD7D8F5
SHA1:	63C524131D83777A56001F82B93CAA784C46EC27
SHA-256:	A34B29017ACFD42AA7EE9177797FF4ECD4430D5E578E80AB1C43D2792692C152
SHA-512:	8ACA982845E6896E7F4816BE13768490A636BFC1DBF2C0018C0A9AA168DE804FF4552BEFEBEFA44EC6F638A5773017241D35565A86BBCADC6CD46E373181AD9D
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....NY....Nh....Ns....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N[....N.....N.....N.....N%....NW....Nk....Nu....N{....N.....N.....N.....N.....N.....N.....N.....N&....N0....NB....Ng....N.....N.....N.....N.....N.....N.....N.....N1....NA....NO....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N5....OK....OU....Op....O.....O.....O.....O.....O?....Oh....O.....O.....O.....O7....OJ....O.....O.....O.....O.....O.....O.....O;....O_....O.....O.....O.....OR....O.....O.....O.....O8....Oj....O.... O....!O...."ON...#OX...$Ob...%Oz...&O....'O....(O....)O....*O....+Of...,O....-O.....O7.../O....0O8...1O....2O....3O....4O<...5O....6O....7On...8O....9O....:O$...;OI...<O....=O....>O(...?O[...@O....AO$...BO....COf...DO:...EO....FO#...GO3...HOJ...IOs...JO....KO....LO....MO....NO....OO....PO#...QON...RO_...SO.........................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\plugins\en-GB.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	3733
Entropy (8bit):	5.413561641632349
Encrypted:	false
SSDEEP:	96:4WeMurxaP/L/ThulsMlRnmggluSvu4Yg22:4Webr4PDrolZfnmgglxu4fd
MD5:	08C52ED432480C1CAA15DB7F227857C3
SHA1:	4F138AE151C82DB1B4B639CD788D349C6AC63642
SHA-256:	84494A784BF0D03CD5DC3C99822F46C777E28C54086712F6AB736323A5462B2F
SHA-512:	43E8A9241049254FE9F6BA31FC6AE06DC9135A2A9DBF6D7E4E6F866249AA266CE7E390F463600BC319CF4D71DE93410339C13505CBBA5676D6846C26212D75F5
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N'....N5....N=....NE....NM....NU....N]....Ne....Ng....Ni....Nm....Nx....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N-....N5....NA....NK....NZ....N^....Nb....Nh....Nl....Nr....N{....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....N....O.....O3....O<....OO....O[....Oi....Oo....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O$....O7....OE....OS....Of....Ox....O.....O.....O.....O.....O.....O.....O+....OJ....O_... Ov...!O...."O....#O....$O....%O....&O....'O....(O....)O....O....+O....,O@...-Oy....O..../O....0O....1O[...2O....3O....4O....5O....6O....7Od...8Oz...9O....:O....;O....<O....=O....>O8...?OK...@Om...AO....BO....COH...DO....EO....FO....GO....HO....IO#...JO/...KO3...LO9...MO=...NOB...OOJ...PO^...QOt...RO\|...SO..........DetailsSaveThis is a searchable index. Enter search keywords:

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\plugins\en-US.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	3735
Entropy (8bit):	5.399152833535112
Encrypted:	false
SSDEEP:	96:8k5Ar/7QD0dZaPFL/ouZMlRnDggluCzuCYg21:8k5MzQYdQPxpmfnDgglpuCfU
MD5:	5A1DF84EF435AAF57EC22CEF850AA94A
SHA1:	5F753586E1FF36719B79C784E4A548F649E34872
SHA-256:	638EBF6779646866CD866BDF6B6069435AB8527D63A7552E1F580520C477D45C
SHA-512:	9B016A2FB6259661CEB2E5FAC9AA2D2F7EC26D93959F4186F5E763C122B4FAEE9FB80E84C9D6F31F729D572DB8E21C3B711F610DBB007A741EC3C540DB2F305D
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N'....N5....N=....NE....NM....NU....N]....Ne....Ng....Ni....Nm....Nx....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N-....N5....NA....NK....NZ....N^....Nb....Nh....Nl....Nr....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N"....N(....O,....O1....O;....OO....O[....Oi....Oo....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O$....O6....OD....OR....Oe....Ox....O.....O.....O.....O.....O.....O.....O.....OM....Ob... Oy...!O...."O....#O....$O....%O....&O....'O....(O....)O....*O....+O....,OC...-O\|....O..../O....0O....1O^...2O....3O....4O....5O....6O....7Og...8O}...9O....:O....;O....<O....=O....>O=...?OP...@Or...AO....BO....COM...DO....EO....FO....GO....HO....IO&...JO2...KO6...LO<...MO@...NOE...OOM...POa...QOw...RO....SO..........DetailsSaveThis is a searchable index. Enter search keywords:

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\plugins\version

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	F1D3FF8443297732862DF21DC4E57262
SHA1:	9069CA78E7450A285173431B3E52C5C25299E473
SHA-256:	DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119
SHA-512:	EC2D57691D9B2D40182AC565032054B7D784BA96B18BCB5BE0BB4E70E3FB041EFF582C8AF66EE50256539F2181D7F9E53627C0189DA7E75A4D5EF10EA93B20B3
Malicious:	false
Preview:	....

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\pp_helper.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	74432
Entropy (8bit):	6.228910769546381
Encrypted:	false
SSDEEP:	1536:Vf77+031ru/qpap4qUqm+rIqRqEp+85LQyisF:tWo1/op4qUqfrIkb+aLQoF
MD5:	24F4BF7288749C467A6FB67A5333E867
SHA1:	663AF51B8CB380E4BB133A9D365D175B11782F7B
SHA-256:	40BFC6EEB22CB8F8A2C6DF9C71589E0D98C24483A66BFB90290AAD5BDFBC6E88
SHA-512:	9ED444F446000E4DD7E4B8ADBFCC16BABB77D4FAEF79DC4210A26F99923B6C052AEEE9D03B3E02913B9948DB47301665CCD5496FE7009A4A7070729B6D15F42B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........V...............................A.........................Rich...................PE..d...+..I..........#..........Z......0$.........@.............................P......X9..........................................................(....@.......0..........................................................................8............................text............................... ..`.rdata...8.......:..................@..@.data....#..........................@....pdata.......0......................@..@.rsrc........@......................@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\qvlnk.bro

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	774144
Entropy (8bit):	7.999769980896681
Encrypted:	true
SSDEEP:	12288:YyTS+Wj2XVYP4LMPHbIiJdTOvdXfYHKtbN+uehl030jBwdQxkwSCef+Kg:9T8EiLyvv+u8xauCwXeWKg
MD5:	2BEDA13E7CE6EBE45497641D122A3814
SHA1:	B25DF34290965AED25678610BC4D2B5F2742AB31
SHA-256:	CF5573B875D42008076B04412CC9A56882F1EDC243DB4EC211F0C57DBFC30980
SHA-512:	8B4959BCAEB99F8B8CDE2BF67DB0F107125F4251D00B11C5C675A104CA84AD463E46DC53F410DCB8D4D0EEE6FCF63BE802BC18189C1DC7AFE5B6DDB974375790
Malicious:	false
Preview:	..\....).....0+...;.EL......&..\|.!...!.B.......1.t.B..t....Swo.2....0........ZN_..w..rd..%J.j\|1,..s....t...._.....g.w5>...cdb3+F0..eT.e..\|g+..(...b52.Q..?[..Y....c_..A...,.......L..\...p.vRS...V......n.PH...L...,.`.h....!_km=.e...:.)..U.&.-.(...i...._.F.D.%NS..^s".TO....S....Q.-..;R..[m..u.%o..c.).~...Do.FZp.`..s.lip.A........g.z8../7..+...u,O.....z4....D^Z....C.-.6yALc.Mw.H'.......1..Yl..g.e..{. ...2r..I.F..>.f......f\|.0.^..b.I.8.....N....I.\|m.v..M.jx..){.......s...).g..4!...L1O Z3xT.'._9...B..#..y...d.......3.EE..2M....bbQ.i..m.(...bVTk$W.x.$...!-.........sX.m.].v.\l..]#...P...).N"..A%SA18A....5._\|...%..<........%...t.}...r(d..\.G.1..:.{.z.,...u.9...h...".(;4..5z.5y!{rng......}>....F.4.=.Nfl"S....[..^KK.....-T...).uv.9>....8.."D...Qb"..D....p8C..nr.......o......G....e...L..8w.f..Wc....E..qgu.../...9.B....9;....^.]......j.f.LaK=......lZ.d..!4jL@....H.....K..W..P..\|...vy.Y!.Mg._.........4......8.z.?...YK.<..~qw.!4....W...[...}..Z

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\rar.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	638616
Entropy (8bit):	6.540549330363699
Encrypted:	false
SSDEEP:	12288:4zga+163KOqlPidmIaEPFSV+/sZy+/eZ+8q1wUg7OkrBgGvg:4zg116ddmIaEPFz/6yPZ++15rBgB
MD5:	300D43860DC6961BBECE819912C930BC
SHA1:	61CC9B17FAE66451327E8F9A7103B9728EB5C95C
SHA-256:	792708CE3FEC9DA37408CE4179B118D79B4804878D233C602B490C3BD0EAF02A
SHA-512:	F74CD7C28E2A267E6B51FA2A8A36380F5766195F7216FD9EE1F76E708343520E9CB60F620FD86114B947589D9F8FDAAA209CF190A5D014BF251AB8BD182FD541
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............`...`...`.ix....`.ix..^.`.ix....`.....`.\|.....`.\|.e...`.\|.d...`.\|.c...`.....`...a.e.`.(.e...`.(.....`.(.b...`.Rich..`.................PE..L...V. b.........."..........~.......w............@..........................p............@.................................T............................>... ..(E..\b..T....................c.......b..@............................................text............................... ..`.rdata..J...........................@..@.data...x........,..................@....rsrc...............................@..@.reloc..(E... ...F...:..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\rb

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	7.8271140059205635
Encrypted:	false
SSDEEP:	1536:G/ij0LGUf2eh2R1IQO1rIXfAALqY6BFi0BN5Tuf95qu1kmkQXHgS5zbPKd32h+Vb:HgflEw1rIXfAjLzTufH1+SKdk+V
MD5:	88173E288C847FE71DB634CCFBD95ABF
SHA1:	705070D59FDCF89C71A90A5B4A1C092E55F16977
SHA-256:	28B075F044864E1D63A919E1C71BE7BE242F4098B43AB0439A0C891DB675AD72
SHA-512:	28F1A6D147D134D2CA73DE78931196B51AA8A931AA74F66584DDB2E623CC901FA6FEE2660AA36429B939A2E040CC5ACA9EFF0F746E350DCFA73843D093F2376B
Malicious:	false
Preview:	...]^]]]Y]]]..]].]]]]]]].]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]].]]]SB.S].T.\|.\..\|.54.}-/2:/<0}><332)}?8}/(3}43}...}0298sPPWy]]]]]]]P...`...`...`..o\|...`...o...`..\|...`..{....`.......`...o...`...`..`.."F..\`...`...`.......`...4>5.`..]]]]]]]]..]].\^]..w:]]]]]]]].]R\V\[]].\]]M]]].Y]m.[]].Y]].[]]].]]M]]]_]]Y]]]]]]]Y]]]]]]]].[]]Y]]]]]]_]]]]]M]]M]]]]M]]M]]]]]]M]]]]]]]]]]]].[]._]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]...m]]]]].Y]]M]]]]]]]Y]]]]]]]]]]]]]].]]....l]]]]].\]].Y]].\]]Y]]]]]]]]]]]]]].]]....o]]]]]M]]].[]]Y]]].\]]]]]]]]]]]]].]].]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]ismo]...\|PTUU

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\rtl120.bpl

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1112040
Entropy (8bit):	6.832491592471325
Encrypted:	false
SSDEEP:	24576:GbhVoNWbA1m6z1hGaMopv3RdaK6IPFf0DtDN9Tox0gc:vtQZPTtgc
MD5:	ADF82ED333FB5567F8097C7235B0E17F
SHA1:	E6CCAF016FC45EDCDADEB40DA64C207DDB33859F
SHA-256:	D6DD7A4F46F2CFDE9C4EB9463B79D5FF90FC690DA14672BA1DA39708EE1B9B50
SHA-512:	2253C7B51317A3B5734025B6C7639105DBC81C340703718D679A00C13D40DD74CCABA1F6D04B21EE440F19E82BA680AA4B2A6A75C618AED91BD85A132BE9FC92
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\rtl120.bpl, Author: Joe Security
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......H...........................................P.........................`......U...........................................X$...p...................K......h.......................................................x............................text............................... ..`.itext........... .................. ..`.data...tw.......x..................@....bss.... T...@...........................idata..X$.......&..................@....edata...............D..............@..@.rdata...............&..............@..@.reloc..h............(..............@..B.rsrc........p......................@..@.............`......................@..@................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\settingss

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	2208
Entropy (8bit):	7.90993950405871
Encrypted:	false
SSDEEP:	48:vLt5Bk5dkgrofUZgvatOFn6xNTBlaE0C+fTC6mqv1jrh:ziyG8UZlogygurh
MD5:	68D847D78794F6CAC3348D7EAAAD5763
SHA1:	72887EF22FC7D1927D3F96CC57260BD52F6535DE
SHA-256:	D9A37729C055A70C614FC9F928781A84EAF89D3420E1D6A2D9E53C2524AE63C6
SHA-512:	D5401F137AB863D9A07C9C0E5BC23D6650FFBCC75E7E02F438B2DDD3B166FB22A5ACC790AB09D44336E1C80E2693B0CF3A4431612663ACFF0A246D45D003147F
Malicious:	false
Preview:	TDF$..-.... O...d.....eM4.YX.3..pp...../....`...G...$.;x.wl0....\|...... ^\..Y.5.J....)N.a@..q...oh[.....C...@w'.....~....x\....6..0....fY^5.p......!.>.J.........Q{.../....q..jG...ZuW....j.......7....p..b.>......i.......e.Xj.eT....G..>.d....ehBH..G..'I.V.."F0..z...bI..N.....v.]De(.U.....,....kS.i..S.9,.Jz.t.&pfH.4).V..2....QK[.....u>..I.9.\|.E...l..."o('..E.,..w..3...."[.bd..p;....@....p<.$_k..}...t3....B....X4....e.7..@.8..^..8 .?>z.?...a/..w.._.>....W[.$_.K...D...H.\|.5[....\|....<+K.e%........Z.JN.L..(.Ec.&.7K.....2F.W7.k>..3.(Q...vM.6.>[.I......U.i...;..4..XU,...y..{x...V$uo.+dc^._.n.#c..O........T..%.D.1n..L%..a...3...W[.-/..P..Z##.....bM:hw.;D...w=..........bH'...au....s.<....>+z{.z.."...Ew.`..cu..9.._4....h.K.>s.....n.......j.[.."....O.i..r.p.x!}z..%.......p.. &.....A.\|..?T..U.uo...o...L...T...2.n..i!.M.RI..}f...6.Y.^.jX.+...l.....i~.o].}d..V4._Wl......C...k..C.&.U..../W.......).m.o.N....0.z.R ..Z+g..."(!....r........ .y .J....

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\settingss2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	2160
Entropy (8bit):	7.907521368348162
Encrypted:	false
SSDEEP:	48:I+ZDqGNYNvwnuJ0PNM8H0Jhe5GbBgAmOc2pYdqGVAhf:I+ZDqGNYadZUJQ5KRmOBYqGQf
MD5:	3A7F1ABA35A1981B2C0FA85B483806CE
SHA1:	D27A4536E41FBBAAD828832BF1DB31DF251E79D6
SHA-256:	F0DEB755A2AA2B7914860C7744BEB90D6E9513D73F592FEBBE442D4CF8B1195C
SHA-512:	2A612325FA3E1089A845487E344C482E8200C278ED0A9208BE7E462A107F2878225865E972587472D0EBAA4AAF34818F207CA31C46EF13D03DB6BB0F3699526F
Malicious:	false
Preview:	TDF$..-.... ....<.I..O.tZ.(......l.8...N..N...0Ea0.X.!.:.c..D..YdV>+..L....\|.j.o...s.....-..n.%0=..`q.bF......Yo4...Lu.#3...O...w...;..2.U........;{.....3.....l.;.. ..^..."..+.K6G}...Yc.....em.t.\[...}c..".X.X..ME..B.]...[w:.._.. .S...f..<".I...h.g.>.%.@Ii^%!6<.E.j....f...f.k.~.]D..#.mS..x.y.%.......>.U-....y..b.B.....v8.l'..m.4lH......xY..6D...../v.}..\|R8&..2...\|.J...Dew/T..\{...t.4{o="..._q....Z.........j....T...!..'.w..0D.....pS1gA...[w\|5x.(.M.#/}G.;.S.....'_...).....:...Y...R...L..}$.......<lk.f>v$.o.H.8L...n[....p...[.DG....Np3...7.EtC...7.. <.@.67K5.0....\.q.o...._.6...*#..D..$..r..G....$...2.V....64...O.........9c..........T.;G.......]....+......v#....(..K..d....%...~..}.cv...,..R{..f..\n..p.10D...\|...b.........]%.E%...b..a....S.6.k...T..P..fv...)[.+...d$...&Yl"..=.....9...{....n...@{.....%./.....x.+.J..{.$....+...E5m..-iq.U...<.,.....AHZ..m.._....w...f.....!.......h.T.v..ua..5..~...Ts.`KV.N.:.=.....X.?.m.7C.g.=.Q..K......%8....g..b

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\somextrainfo.ini

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2084
Entropy (8bit):	3.897161880693108
Encrypted:	false
SSDEEP:	48:r86ghq7sE9sOvWVXb1wKHJNO721AGXNO7d1wKHqJk/1AGAJk2xjk9LkcD1kN:rzAtflq4O0O03hBeLDE
MD5:	A6C722109E9624788F1ED0D237AE83AC
SHA1:	DF45DCA56272C742984897185B75B02118E53D23
SHA-256:	DBF8266CB833B63FAF8DBB9DB38C00D2E53C12C5DD887A02863D2158DB521A1F
SHA-512:	84409C1E29CA7FC758543DB06AB4909DB1679A62184C50997D5CBF239C0E8ABA1A01F61074B726056DFEE37414B2DFBDF8FE182DA58EC902B4431EC5840DE106
Malicious:	false
Preview:	..[.C.a.c.h.e.].....v.e.r.s.i.o.n.=.v.1...4.....[.t.r.a.n.s.].....u.n.i.=.1.....v.a.l.u.e.=.1.....[.I.t.e.m.Q.u.e.r.y.H.i.d.e.U.p.d.a.t.e.].....i.s.H.a.s.U.p.d.a.t.e.=.1.....[.t.c.o.n.f.i.g.].....o.p.e.n.=.0.....e.x.i.t.=.0.....d.i.s.p.=.1.....[.d.i.s.].....i.t.e.m.s.=.M.i.c.r.o.s.o.f.t.....o.r.o.=.l.i.b.c.e.f...d.l.l.....I.t.e.m.T.y.p.e.=.3.....[.l.o.g.R.e.l.a.t.e.d.T.a.s.k.A.c.t.i.o.n.].....\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.i.n.d.o.w.s. .M.e.d.i.a. .S.h.a.r.i.n.g.\.U.p.d.a.t.e.L.i.b.r.a.r.y.#.#.#.1.=.I.y.Z.R.c.3.B.o.c.2.J.u.R.2.p.t.Z.n.Q.m.X.V.h.q.b.2.V.w.e.H.Q.h.T.m.Z.l.a.m.I.h.U.W.1.i.e.m.Z.z.X.X.h.u.c.W.9.0.Z.G.d.o.L.2.Z.5.Z.i.M.=.....\.G.o.o.g.l.e.U.p.d.a.t.e.T.a.s.k.M.a.c.h.i.n.e.U.A.{.7.2.9.E.D.6.3.E.-.2.B.2.3.-.4.5.4.7.-.B.2.8.4.-.D.E.C.7.F.6.2.0.6.4.3.0.}.#.#.#.1.=.I.0.Q.7.X.V.F.z.c.G.h.z.Y.m.4.h.R.2.p.t.Z.n.Q.h.K.X.k.5.N.y.p.d.S.H.B.w.a.G.1.m.X.V.Z.x.Z.W.J.1.Z.l.1.I.c.H.B.o.b.W.Z.W.c.W.V.i.d.W.Y.v.Z.n.l.m.I.w.=.=.....\.G.o.o.g.l.e.U.p.d.a.t.e.T.a.s.k.M.a.c.h.i.n.e.C.o.

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\station.bin

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	30664
Entropy (8bit):	7.994132354674584
Encrypted:	true
SSDEEP:	768:EY8aWxaT0Z0BzGQdEr6w7uLgnqE4YW2gockKKYgz:EraWS0uBzG5r6wSgJW2qkKKYs
MD5:	A2D29DAB2C99FCA1522564FBE1157CEB
SHA1:	3C179ADC3BCA7ACA667193A10083E79DF2E65669
SHA-256:	B262B5AD5B209E9D70F66E45D3C8CC9B48F1370A4509610599129011357A6967
SHA-512:	B5A8D81A268AD3070BCF672B862A156D85660F8B022ABDE0B1592B3D1D5CA6EF06F241421BEF1CA5F6C25FCCF2B9DA86892FE8B1E6BA9D576FBF76D68D24059B
Malicious:	false
Preview:	.t...g.....5......;O....!.qW....T.k..m...4..e2..E.n..A[.w...+......3....d......tw..z.w,......xI.GK.......u...?.gE.8b..D.m]..k.$...k!.../4....P..j6.F.......E.B.1I.f.z...1..k.0.J.Q..~P.\|1.....!.H./o.\|<.<E}.Q.7.QO'5S....}b.bSE.<..)w...C.-F..Z.9.v,{1...~).4..@.K\|s..a.+.0..V.4`.6./...E"wg..V.-....B..O.^`...uU.u'........E00.....?....J.A\._{......P..N.0.Ln.^6$..?B.F....yW...H.P.<8D.N.>d.(.8h..t...$..!.d}.A..O)D.C...'..Z..B.`."4.=o>(..yq..k.....O....(....p>.....Z$.h...+.9..B%.i..a...^0.Y.....wlNE.q:7...&&.."..L...8..7..........&....+.....Qp.......r.5......Sm.Iv.c.;8...@R..;....g.....r...e..}sU1...719..rX.~...2.o..BK..7q.3.w..q..}x.o.U.p~..L.sy.g.....K...N\....X.-..*..fvI7y...D.......t..O..R.u...:..Z7!..t...7....dy........s.....R.....B.........l...../\a...s+C...5....F.N^l5...d;I.n....0..e.K&..P._.g.R]....9.....p.y..1..a.f.^N.d..K]...1..uNv.0.....k..\|.Vr...Z..01xK.S.BK(.Sa".5`V...b.o.H.-.."..>..Q..3...xa\|..2M7K....0q3...o...t..YD..Lo..;..8

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vcl120.bpl

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2015208
Entropy (8bit):	6.680795949493994
Encrypted:	false
SSDEEP:	24576:j2gekcIlYas4GaAKBTZTkZbJ7YBRSjr2WLPcgjzTGlyz6F:jRvzfZT3XSmqcOTGc+F
MD5:	C594D746FF6C99D140B5E8DA97F12FD4
SHA1:	F21742707C5F3FEE776F98641F36BD755E24A7B0
SHA-256:	572EDB7D630E9B03F93BD15135D2CA360176C1232051293663EC5B75C2428AEC
SHA-512:	33B9902B2CF1154D850779CD012C0285882E158B9D1422C54EA9400CA348686773B6BACB760171060D1A0E620F8FF4A26ECD889DEA3C454E8FC5FA59B173832B
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......H.....................l............... .....P.................................................................P..d'...`.......................t...K.......^.............."....................................y...............................text............................... ..`.itext.............................. ..`.data...\!... ..."..................@....bss....<....P..........................idata.......`.....................@....edata..d'...P...(..................@..@.rdata.."............8..............@..@.reloc...^.......`...:..............@..B.rsrc...............................@..@.....................t..............@..@................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vclx120.bpl

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	228840
Entropy (8bit):	6.586685389079735
Encrypted:	false
SSDEEP:	3072:44af8kXL6nX0YXjvkWQ5vYhbNkWPFOEJ8YZbjeTl0Y25zFgYBzRKy6sBaBavEtAk:xaf8kLWL7Xov8bNxdOmrfgYmHAakw
MD5:	30790CA03FF21E8025955403082DF2EF
SHA1:	5F9980706F0EC765C57460833021E43EB9EF28F3
SHA-256:	6B47ACF2B316745CED37C6C65CE72F4EA4AC7F1B14BEDF414DBF4DD84A87601F
SHA-512:	99641F0F901ED9A1691972AB3E1548CA9779DCBE72C16683277AFE507B6131352FA96FD14BADDC9BC9E6F35ED52CA94C81A0B4AA99EEEA3F278A085A6380333C
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......H..........................................1P.....................................................................\|......&....P...>...........2...K... ...!..............!................................... ................................text...8........................... ..`.itext.............................. ..`.data...P...........................@....bss....<................................idata..&...........................@....edata...\|.......~...R..............@..@.rdata..!...........................@..@.reloc...!... ..."..................@..B.rsrc....>...P...>..................@..@.....................2..............@..@................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vcruntime140.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80128
Entropy (8bit):	6.906674531653877
Encrypted:	false
SSDEEP:	1536:l9j/j2886xv555et/MCsjw0BuRK3jteopUecbAdz86B+JfBL+eNv:l9j/j28V55At/zqw+IqLUecbAdz8lJrv
MD5:	1B171F9A428C44ACF85F89989007C328
SHA1:	6F25A874D6CBF8158CB7C491DCEDAA81CEAEBBAE
SHA-256:	9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
SHA-512:	99A06770EEA07F36ABC4AE0CECB2AE13C3ACB362B38B731C3BAED045BF76EA6B61EFE4089CD2EFAC27701E9443388322365BDB039CD388987B24D4A43C973BD1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L....(.[.........."!.........................................................0......t(....@A.............................................................?... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vcruntime140_1.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44312
Entropy (8bit):	6.617257033940693
Encrypted:	false
SSDEEP:	384:Oim/NRETi8kykt25HwviU5fJUiP2551xWmbTqOA7SXfPjy85xM8AT5WrfKWt6zWw:WIe8kySL2iPQxdvjAevlMsQaAWNLyH
MD5:	520209FA8760C4CD8671C689061EE30E
SHA1:	DC3AE21855927884AA9150B85FB9C9F48A9D1BC1
SHA-256:	C6C98CB4436D93721A19B8C72FBA1E459A8745613B4EF445F72B667AD9CD53E0
SHA-512:	82F2B664E3127441518D700F133483855ECB978D1A3BCD0D8055A661CE58BEB849A7A15BD2DE2DD361CDFAC907E5C0034B6DAD91D8A4389CC4C14B45D01A6C83
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ .S.A...A...A..0.m..A..O....A...9...A...A...A..O....A..O....A..O....A..O....A..O.}..A..O....A..Rich.A..................PE..d...d..^.........." .....:...4......pA....................................................`A.........................................j......\|k..x....................l...A......8....b..8...........................@b..0............P..X............................text....9.......:.................. ..`.rdata... ...P..."...>..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..8............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\AARV1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.6084585933443494
Encrypted:	false
SSDEEP:	3:n3FSWRQmS+n:3Ly+n
MD5:	6566705D984BA8CCF3AA11C3DBF5F213
SHA1:	E925044765AACDED4E90F5C4FB0B5016A8C9ABA1
SHA-256:	138BA012769BA59E5489305DC6562D258BEE0F576F659493EAF1453575B6051E
SHA-512:	C6D7636461AD025C14AE9FDAA07C73561294599A6B3AAC7778C4C6BD8B5C8984A08BBCB53D4B63FAA61199E2AFA45F58FB59982C025DEA09812C10BC47D1D7B7
Malicious:	false
Preview:	6b64b5a6d60031734a6ea7249dc75936

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\AARV2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.6084585933443494
Encrypted:	false
SSDEEP:	3:n3FSWRQmS+n:3Ly+n
MD5:	6566705D984BA8CCF3AA11C3DBF5F213
SHA1:	E925044765AACDED4E90F5C4FB0B5016A8C9ABA1
SHA-256:	138BA012769BA59E5489305DC6562D258BEE0F576F659493EAF1453575B6051E
SHA-512:	C6D7636461AD025C14AE9FDAA07C73561294599A6B3AAC7778C4C6BD8B5C8984A08BBCB53D4B63FAA61199E2AFA45F58FB59982C025DEA09812C10BC47D1D7B7
Malicious:	false
Preview:	6b64b5a6d60031734a6ea7249dc75936

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\AuLibV1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.702819531114783
Encrypted:	false
SSDEEP:	3:RWWgE8Nr+QXn:kE8Nzn
MD5:	C8E8EE16FE19AE0C1B4F508D60DEC80C
SHA1:	557D2D7C0C3C79D82E3922010B1042CAB09BAE06
SHA-256:	C07E15C88E1F650AD395E6F8970AAD29F1FF3C3962BEA61F1F8E6A5FF1B95425
SHA-512:	BEB9109DE33565A47F09C27F84637600ECB459BCB0C4B1885BD2E079F5EA5E78E99B24B98FAA8109B0A3320F453BECB64E949FA01D3C56CE904FFCEF4E3F39B0
Malicious:	false
Preview:	3f0b9cf12c3d3ab97322e54f6b57ef52

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\AuLibV2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.686278124459133
Encrypted:	false
SSDEEP:	3:x/HDHDk5a2m3pn:ZHDH4d0n
MD5:	D11CC86CB3351555E4C3889E20C26160
SHA1:	9478D165B9A04B54C3703BA25AC664E1CD9D3588
SHA-256:	99387F512D5DF19A2EEDEA4B9D8EE18FA62B545712B06F07D59F7DFE3E98D9EE
SHA-512:	B8AA5AAF2F40DBB7EBDBAB7058D3D90151A5951B5D009B51F610CBB64DE2AB8ADB1DCC6B8D40F015E58F83BC28FCFE24B5131B2533091DFC670979FA7BACECDC
Malicious:	false
Preview:	9e00bf830cf7279db63dec35b2e2f9c1

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\CharMainoV1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.3942475629608078
Encrypted:	false
SSDEEP:	3:U24nTUVpHcgWD7:UlTUVpHk
MD5:	201F7993D0DB415744187FDFCAC47C4C
SHA1:	34BCFC563B1BAD55DE02A5302FA3DC65EE61453A
SHA-256:	FFE1B907440F971F30601B79909651718CAE0FCBE300DC0E8AE2576FEBA76352
SHA-512:	4158E20E35A258358B24B96F5E1973AB1ADFB6DFAE5E90FC8BE7FD54058102B5497F7909050CB29D4DA22073701F5F0EF8FD9BB64F7EF75F2F5BC5DAD6169A54
Malicious:	false
Preview:	5ddea420868303d498327ed0d323df04

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\CharMainoV2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.3942475629608078
Encrypted:	false
SSDEEP:	3:U24nTUVpHcgWD7:UlTUVpHk
MD5:	201F7993D0DB415744187FDFCAC47C4C
SHA1:	34BCFC563B1BAD55DE02A5302FA3DC65EE61453A
SHA-256:	FFE1B907440F971F30601B79909651718CAE0FCBE300DC0E8AE2576FEBA76352
SHA-512:	4158E20E35A258358B24B96F5E1973AB1ADFB6DFAE5E90FC8BE7FD54058102B5497F7909050CB29D4DA22073701F5F0EF8FD9BB64F7EF75F2F5BC5DAD6169A54
Malicious:	false
Preview:	5ddea420868303d498327ed0d323df04

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\CjLibV1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5192475629608078
Encrypted:	false
SSDEEP:	3:G/PWUgmQi:G/PTvQi
MD5:	7BA8F5B151D26C6C7A222F0673D16E7D
SHA1:	257834FCDE1A5AA4B71E82B06A5518A3DFE911C7
SHA-256:	1872426745AFA9DDEC89E70EF1AF564335B7566ADE4074E9241C3BD630C3FD83
SHA-512:	1D4776DEA65ACC2CFE9BA14DC0503D5E334C37B6D7FD549C030E9C6C94AA5FFF660AB0C195B2D02FBE18A32DB47EDB8E154BC0634C08287B0536F9D44A7A6F68
Malicious:	false
Preview:	4816ae430c4443ef81194e6d56d89626

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\CjLibV2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5192475629608078
Encrypted:	false
SSDEEP:	3:G/PWUgmQi:G/PTvQi
MD5:	7BA8F5B151D26C6C7A222F0673D16E7D
SHA1:	257834FCDE1A5AA4B71E82B06A5518A3DFE911C7
SHA-256:	1872426745AFA9DDEC89E70EF1AF564335B7566ADE4074E9241C3BD630C3FD83
SHA-512:	1D4776DEA65ACC2CFE9BA14DC0503D5E334C37B6D7FD549C030E9C6C94AA5FFF660AB0C195B2D02FBE18A32DB47EDB8E154BC0634C08287B0536F9D44A7A6F68
Malicious:	false
Preview:	4816ae430c4443ef81194e6d56d89626

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\ComeOn

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	6
Entropy (8bit):	2.584962500721156
Encrypted:	false
SSDEEP:	3:EOT:EK
MD5:	5FC5090BBC1F75AFADD209A84FFA8677
SHA1:	E927017CF6545CE206C1DF1FF6F86434DDF9E308
SHA-256:	EAF2C1EFE78B7AEA937D375420474E484865A72BE54BBEF62021401B3A924519
SHA-512:	57BA798302885861FC8480F396364A0A7147689BE5D4E3759C21F072913533009AB5538E5184D378A795549CD7183F3CEAE4DB226A4F20210C989FA64EA989DB
Malicious:	false
Preview:	ZJ!+S.

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\QdLibV1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.702819531114783
Encrypted:	false
SSDEEP:	3:WrN0mpRATEn:WR0mpmY
MD5:	02B66246F9B66CF1B0B03137A0AEE35D
SHA1:	5F3EBC3600757004BA82A2ACBE95E33B30568730
SHA-256:	D532001334956A6C0727DBEC52CA70D2BFAB5F7C3170F52F5B7976786118F662
SHA-512:	DFD8016D9814EB0B734AB5800E9553C869FD0F23AC24FC7159B5C5781791AC80A7F14032700D5AC3955F5C21BCFB6D7CCD445628399F7732BB899CCCEBA44E39
Malicious:	false
Preview:	b090d19f67e88aee33d5f7cb77be6ac9

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\QdLibV2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.702819531114783
Encrypted:	false
SSDEEP:	3:WrN0mpRATEn:WR0mpmY
MD5:	02B66246F9B66CF1B0B03137A0AEE35D
SHA1:	5F3EBC3600757004BA82A2ACBE95E33B30568730
SHA-256:	D532001334956A6C0727DBEC52CA70D2BFAB5F7C3170F52F5B7976786118F662
SHA-512:	DFD8016D9814EB0B734AB5800E9553C869FD0F23AC24FC7159B5C5781791AC80A7F14032700D5AC3955F5C21BCFB6D7CCD445628399F7732BB899CCCEBA44E39
Malicious:	false
Preview:	b090d19f67e88aee33d5f7cb77be6ac9

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\Shell

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	0.9182958340544896
Encrypted:	false
SSDEEP:	3:yX:yX
MD5:	56BD7107802EBE56C6918992F0608EC6
SHA1:	EB35C321D6997C344882962B8AA1CD0939B123E1
SHA-256:	D9EB253E06987FA74A5D3189F73D9F7A8104CCA786FAFBB52BC9555972F5477F
SHA-512:	DB512F13C2FCED000DF9F7F09A8B54D9CA8EFCB2678BDDAC08326693725DCE9FB43094BDDCBC3539A7B857ED81A0263C540964F1E7AD273E21E0C4C9FE190983
Malicious:	false
Preview:	err

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\TOFNC

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	International EBCDIC text, with no line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.8073549220576046
Encrypted:	false
SSDEEP:	3:gn:g
MD5:	FBFD0EC034788C9DA99176A346DF7A18
SHA1:	7F94B926AA1228750C3D977E13E2BE01442EB83B
SHA-256:	FA781A00F4E8EDA79E53EBE61F2C02D3B32FD506022A2475CBB051048DDB306C
SHA-512:	1F2E22CEFB1637C4D8AF1F403405FC20D162B8575087EDEB339DEC9250612C1655896265194D70403FD3B39336A05890D38CF07D8E5475991A83FEE5C190547A
Malicious:	false
Preview:	^.\|{ovn

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\WinCall

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	49
Entropy (8bit):	4.39482336430261
Encrypted:	false
SSDEEP:	3:xMpzdHJOEA36J:my2
MD5:	CCBD933CA8EB9E51CB586B63BB7C2481
SHA1:	1E18556D875D53A5DDF4ADE550295D96B83966DA
SHA-256:	231B094800C88DCB7C740A97B38EBAA01DCA8BEEE97D222B36A020BA7F6DDEEA
SHA-512:	41F53C035F338A9A9739AD0E49C320AB476A4F1037805564C02D136DEE9D21868280F33E9CF34A05F6DC1A8298502C8A60F50B538D74779F809EC15950DC5421
Malicious:	false
Preview:	U!!]k..L]] ]QL!P'P#f.^"".R_.U^_VZ^_V.LYT$ _R".R^X

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\globalV1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.4139097655573916
Encrypted:	false
SSDEEP:	3:LO0BJRHhqNn:i0nRHhqNn
MD5:	F01949AD5DFC76F8B7D5B35FDFC58F44
SHA1:	163716A4ACBD4A3D39D24C2010F897DD8E89F9C3
SHA-256:	72A1013C1F535E47C200986DAD3A655EF5A70DE6445325CE3E8FD518FCDAD56B
SHA-512:	E347ADEC91498915F0B775A966CB4916E389325D2AE0AE2492F1E3F0A77C23BAAA9DA8901A42A25EA3F4EDF786382E790F3BC11D2D6852D83C30F78E96615537
Malicious:	false
Preview:	2fbf7b271ad6b7aab9e96822149af897

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\globalV2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.4139097655573916
Encrypted:	false
SSDEEP:	3:LO0BJRHhqNn:i0nRHhqNn
MD5:	F01949AD5DFC76F8B7D5B35FDFC58F44
SHA1:	163716A4ACBD4A3D39D24C2010F897DD8E89F9C3
SHA-256:	72A1013C1F535E47C200986DAD3A655EF5A70DE6445325CE3E8FD518FCDAD56B
SHA-512:	E347ADEC91498915F0B775A966CB4916E389325D2AE0AE2492F1E3F0A77C23BAAA9DA8901A42A25EA3F4EDF786382E790F3BC11D2D6852D83C30F78E96615537
Malicious:	false
Preview:	2fbf7b271ad6b7aab9e96822149af897

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\qvlnkbroV1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5192475629608073
Encrypted:	false
SSDEEP:	3:lDYXWjyXEHn:Z6Wbn
MD5:	3CE29BA1D17C2CE1A794D41B5D8F5CDB
SHA1:	1849640291EA6F9F9B172D5814520FBB88144440
SHA-256:	70F7CA29806F93AC9D54BFEBAAC6670A78F95B1C68CA4FE6D0D1AFCABFE083EF
SHA-512:	C0B306F097C593DF798916CC3293E689FA2D268DE329222CD1AA0D16B46497C2FF03F092E7F2C115559995868559AF361D18D6E554E4EE4231E68080EA0E9701
Malicious:	false
Preview:	73f846a1652238496e372aa78aab254b

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\qvlnkbroV2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5192475629608073
Encrypted:	false
SSDEEP:	3:lDYXWjyXEHn:Z6Wbn
MD5:	3CE29BA1D17C2CE1A794D41B5D8F5CDB
SHA1:	1849640291EA6F9F9B172D5814520FBB88144440
SHA-256:	70F7CA29806F93AC9D54BFEBAAC6670A78F95B1C68CA4FE6D0D1AFCABFE083EF
SHA-512:	C0B306F097C593DF798916CC3293E689FA2D268DE329222CD1AA0D16B46497C2FF03F092E7F2C115559995868559AF361D18D6E554E4EE4231E68080EA0E9701
Malicious:	false
Preview:	73f846a1652238496e372aa78aab254b

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\settingV1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5550365325772653
Encrypted:	false
SSDEEP:	3:hBhYUJ0dqI:XhBJ0dqI
MD5:	87D7B82129EDF89D7DA2DD7A586D19CD
SHA1:	76BED8BFAA0C2ED762AF1C599A233191A3FC2A29
SHA-256:	37E02378A2A6684ADAA251ADD78E1CD7ACCDC610FBE0E53FA69BAD505482B4B5
SHA-512:	69A8DB0C3A458F0150FC65820813CFC795D8310CCCA6E47F0CC9B298EF06102B12A4D69C50FCD7CEA52E9594C770105974BFAF9CB01B69FAFA5559F8A568FC2E
Malicious:	false
Preview:	ead3d4cba62cad943dca9fa88139d258

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\version\settingV2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5550365325772653
Encrypted:	false
SSDEEP:	3:hBhYUJ0dqI:XhBJ0dqI
MD5:	87D7B82129EDF89D7DA2DD7A586D19CD
SHA1:	76BED8BFAA0C2ED762AF1C599A233191A3FC2A29
SHA-256:	37E02378A2A6684ADAA251ADD78E1CD7ACCDC610FBE0E53FA69BAD505482B4B5
SHA-512:	69A8DB0C3A458F0150FC65820813CFC795D8310CCCA6E47F0CC9B298EF06102B12A4D69C50FCD7CEA52E9594C770105974BFAF9CB01B69FAFA5559F8A568FC2E
Malicious:	false
Preview:	ead3d4cba62cad943dca9fa88139d258

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\vmauthd.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31392
Entropy (8bit):	7.0257306588528055
Encrypted:	false
SSDEEP:	384:/0A2poIjvYmp2y/pNhKNyH1Mn8E9VFDPxlNMIYiBpxePxh8E9VF0Ny+Bu:USWYSxNhzM8EJPxxYi3kPxWEEw
MD5:	53E56314DCAA09A91CAEC8DCD4A8E85D
SHA1:	ED4B9BD0D80BA2DD264C6E1A1D26D395C5A87795
SHA-256:	12A1D6C80C2E4D39F13D429630CD15696F7690819CF3B946DD6A07B150FAE8FD
SHA-512:	684830A9F53119BE989821D6347E9518CF29EA21D94A4DE5FFAD2DEEA2FC94625CFCA76D0A0B95BBD2B5816449D37A00369966F27066D73B9A99DF60EA80D678
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ok.+...+...+....z..)...y...)..."r&.(...+...5...y...!...y...!...y.............J..........Rich+...................PE..L...X.tc...........!................P........ ...............................`......"w....@A................................D%..P....@...............(...R...P..<.... ..T............................!..@............ ..d............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..<....P.......&..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\zip.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	301504
Entropy (8bit):	6.49043668203017
Encrypted:	false
SSDEEP:	6144:remIWncUsq/i4vo6cRwtf/STC47MSzISIJTc6TDVO:ajccjai4vo6cRb+4QScSI7E
MD5:	4410900FB42EE1291627427BB9C7F3FB
SHA1:	F25009F1DA682D56548B8621BADCDD99DC1C4414
SHA-256:	19726ED6B075FB56BF5C5260766411AA7BB1C39F43476A9712C90306E2CBEF9B
SHA-512:	F315D6BD50AB20D6420BB9B0123EDF069A6442049F16A72615232AABCC371576EFCCF000074AAACC3FBB370B04B09F63735F80201918E35D5CF7B24C438214E1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........::..[TM.[TM.[TM.GXM.[TM.}_M.[TM.GZM.[TM.DGM.[TM.[UM.[TM.}^MJ[TM_]RM.[TMRich.[TM................PE..L.....xH................. ...@.......u.......0....@..........................p..............................................XH..P....`.. ............p...)...........................................................0...............................text............ .................. ..`.rdata..."...0...0...0..............@..@.data........`.......`..............@....rsrc... ....`.......`..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\zlib1.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91584
Entropy (8bit):	6.918973229700604
Encrypted:	false
SSDEEP:	1536:Yue8cAbT3KO9ZTRgyI/0DseAAPMD6eJPOvuk1Vx8sDmIOQIOm5AbwPvB7XYxc:k8p6O9ZFtDskMD7Ouk1Vx1DEGmcwPvBJ
MD5:	7A85BCF3BA2CDB70FFD7C67E8FD079EF
SHA1:	50688A161D30C9095CFA8B7419E04FBE9D90B47C
SHA-256:	6AC5061543C831D0A554AC1A872FA5D7A045DC5FCDCCDE99B5898D695ADAF4AE
SHA-512:	8841341C7E59E37D60E04B570D768408E776B62F71FDFF369DD4904DB83FC4B0494215AC65E94682D60009556B9F55E038B9A9462ED6396865AF4B322F0390EA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........X...6...6...6.......6.3.7...6...7...6...7...6.3.....6.3.3...6.3.2...6.3.5...6...2...6...6...6.......6...4...6.Rich..6.................PE..L......d...........!...$.....n...............................................p.......Y....@A.........................2.......9.......P...............<...)...`.......-..p............................,..@............................................text............................... ..`.rdata..x^.......`..................@..@.data........@.......0..............@....rsrc........P.......2..............@..@.reloc.......`.......6..............@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\629ca1.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 936, Revision Number: {7CE79A54-E11F-4229-A93E-21F771890BDE}, Number of Words: 2, Subject: Windows, Author: OfTSPRPNPSST, Name of Creating Application: Windows, Template: ;2052, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	3602944
Entropy (8bit):	6.538115356090411
Encrypted:	false
SSDEEP:	49152:sRnlGFAvHZXm1+O0q2+cZfsZU80OO62wOR4UkrfH1OrEMBZX26PH2ca9G/uaJEif:MkFA/qStOwkR2uayisdSHiT
MD5:	1710CA6F5DF19A22D1567959DE401886
SHA1:	1C0788860A40E4AE60B0AFB8589C5B2083B2CCA2
SHA-256:	826AB605E90D51A715C05D91DD249958D56BE5B053B8B9BAB1F61480C506C3F1
SHA-512:	AE33B8131DB853B48C34877B977D47F701CF99DACA8FAADBDA703E97857AA1AC557D199CE3A1DC10E3115AFFD5603EB1E5468CD7D31A1B59745726ADE6870875
Malicious:	false
Preview:	......................>...................7...................................U...V...W...X...Y...Z...[...\...]...^...x...............................................6...............................................................................................................,...-...............................................................................................................................................................................................................................................p...............................A.../...:....................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-.......8...0...1...2...3...4...5...6...7.......9...;...N...<...=...>...?...@...D...B...C...J...E...F...G...H...I...L...K...M.......q...O...P...Q...R...S...T...............................................`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI9ED3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9F41.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9F71.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	823240
Entropy (8bit):	6.404576447300874
Encrypted:	false
SSDEEP:	24576:rTaRpuaJXUUxsdScfjP3UtMMnNfXnUCCAs0+D:rG/uaJEisdScfbUiANfXnUCCAs0+D
MD5:	2E25B7DC66FC65D92C998D6FB1D09EF6
SHA1:	719CC9C0BBE12F040E169984851E3ABEA03D9CF8
SHA-256:	A01FB6763B11BA0CBF9B26FC8D45E933C2A6AD313BC9B12ED41AC67BAF2AA8C2
SHA-512:	7D4AF029A01CE60FC0787599C031C0DBFF7069311832A5587F003EA68EF739B22C8B01832E00801B0D17C12983C4D0E7877CDE58DE371886CFB6BE5B490F4C33
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$....................4.....4..H..........................4.....4.....4................................F..........Rich...................PE..L...q..b.........."!... .$...X...............@...........................................@.................................`........................l...#......@...h...p...............................@............@...............................text....".......$.................. ..`.rdata......@.......(..............@..@.data...............................@....rsrc................t..............@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIB5C9.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIB5F9.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	648136
Entropy (8bit):	6.449062813580053
Encrypted:	false
SSDEEP:	12288:kEvIkrf4bxnJAN9Wk9BR3NUBNoACiSsmqJBoQZXm1+g:keIgMyR3iyACyHZXm1+g
MD5:	9B4B4EA6509E4DB1E2A8F09A7C6F8F04
SHA1:	512880ABE3C9696EDB042599BD199F1D05210AA2
SHA-256:	3774C31039CB87ED0327F49A00ABD7B4211AC938A46378B8661CD5D8B3B34F94
SHA-512:	63B4788A3AD000C08582F55532DC06BF88BC4111837A63E8157E0F5F668225F46758F9481B6E526A5A813F4F0CC9BE65FB4107D2135C61083274592AF03BA608
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......................-......-...W......................-...........-.......-.................................r............Rich....................PE..L......b.........."!... . ...................0............................................@.........................p=.......>..........h................#.......`...`..p....................a.......C..@............0......4;..@....................text............ .................. ..`.rdata..4!...0..."...$..............@..@.data...@"...`.......F..............@....rsrc...h............X..............@..@.reloc...`.......b...^..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIBEC4.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	823240
Entropy (8bit):	6.404576447300874
Encrypted:	false
SSDEEP:	24576:rTaRpuaJXUUxsdScfjP3UtMMnNfXnUCCAs0+D:rG/uaJEisdScfbUiANfXnUCCAs0+D
MD5:	2E25B7DC66FC65D92C998D6FB1D09EF6
SHA1:	719CC9C0BBE12F040E169984851E3ABEA03D9CF8
SHA-256:	A01FB6763B11BA0CBF9B26FC8D45E933C2A6AD313BC9B12ED41AC67BAF2AA8C2
SHA-512:	7D4AF029A01CE60FC0787599C031C0DBFF7069311832A5587F003EA68EF739B22C8B01832E00801B0D17C12983C4D0E7877CDE58DE371886CFB6BE5B490F4C33
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$....................4.....4..H..........................4.....4.....4................................F..........Rich...................PE..L...q..b.........."!... .$...X...............@...........................................@.................................`........................l...#......@...h...p...............................@............@...............................text....".......$.................. ..`.rdata......@.......(..............@..@.data...............................@....rsrc................t..............@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIBF03.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	823240
Entropy (8bit):	6.404576447300874
Encrypted:	false
SSDEEP:	24576:rTaRpuaJXUUxsdScfjP3UtMMnNfXnUCCAs0+D:rG/uaJEisdScfbUiANfXnUCCAs0+D
MD5:	2E25B7DC66FC65D92C998D6FB1D09EF6
SHA1:	719CC9C0BBE12F040E169984851E3ABEA03D9CF8
SHA-256:	A01FB6763B11BA0CBF9B26FC8D45E933C2A6AD313BC9B12ED41AC67BAF2AA8C2
SHA-512:	7D4AF029A01CE60FC0787599C031C0DBFF7069311832A5587F003EA68EF739B22C8B01832E00801B0D17C12983C4D0E7877CDE58DE371886CFB6BE5B490F4C33
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$....................4.....4..H..........................4.....4.....4................................F..........Rich...................PE..L...q..b.........."!... .$...X...............@...........................................@.................................`........................l...#......@...h...p...............................@............@...............................text....".......$.................. ..`.rdata......@.......(..............@..@.data...............................@....rsrc................t..............@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIC00E.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	246091
Entropy (8bit):	6.707703014473139
Encrypted:	false
SSDEEP:	3072:aFNvzsxKUstVNnrQnzMYywmn3h1sp7/WvCnIukR4BbxKigu/fgl1glfdjgBftJeF:wuKb1QnzXtr7tbxKVuE1gQJeCEMx4p
MD5:	0A42972351C953191F3419CCEBC0470C
SHA1:	742CA7AEB11CB6BF7A4DCCC5C9415EE32B671377
SHA-256:	464CD011149E9A21FD41B34FB830C18827CEF6BFB563379C9EBB27917F272342
SHA-512:	FE991F2E0F08DFB47F674C6072B2E6BCC5636ACB5F805C9E5FFE5AE9D45C1EDA5CE0D464B288D23C7870948398ED3FA6EFDD96E5AC48B6842F3421112C4888EA
Malicious:	false
Preview:	...@IXOS.@.....@.JyY.@.....@.....@.....@.....@.....@......&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}..Windows..DAN_127.msi.@.....@.....@.....@........&.{7CE79A54-E11F-4229-A93E-21F771890BDE}.....@.....@.....@.....@.......@.....@.....@.......@......Windows......Rollback..ck(W.V.n.d\O:.....RollbackCleanup..ck(W Rd..Y.N.e.N...e.N:. .[.1.]....@.......@........ProcessComponents..ck(W.f.e.~.N.l.Qh....@v....@.....@.]....&.{0BDD925F-9555-4E0F-A320-9E414AC18B7C}d.02:\Software\Caphyon\Advanced Installer\LZMA\{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}\1.1.6\AI_ExePath.@.......@.....@.....@......&.{FEAD2C16-C7B0-493E-B979-1B01A169ADEA}M.02:\Software\OfTSPRPNPSST\{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}\AI_IA_ENABLE.@.......@.....@.....@......&.{219ADBFB-928A-44BA-B5DA-1D1DD02A9DE3}..C:\Program Files (x86)\DnLIMGKCARTO\MiniUI.dll.@.......@.....@.....@......&.{7FB0B2CE-26ED-4773-9078-E2F86C2C4CEE}3.C:\Program Files (x86)\DnLIMGKCARTO\NetDefender.dll.@.......@.....@.....@......&.{449205F5-EF10-4633-89C5-6B9B

C:\Windows\Installer\MSIECCC.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	39424
Entropy (8bit):	5.761692667947892
Encrypted:	false
SSDEEP:	384:aCjdYQ16MK6APCxrHjdbCN2wF1hwtl5HYsakk71KfEDHIanumItki7wM/foozOJs:aCCQq6nmNrh6pokkgfEDznOxXfooWs
MD5:	C2B7A27ED1C7D3C27BFE77AFA27DF236
SHA1:	BE2751E2E04D3C1DAA17952BFBD5304E9A5A7741
SHA-256:	91CA317876B50D35BF2B8957C5745A13B57620FDE5CE49BD5F7F3166C16DB0EE
SHA-512:	649B447058045B0311F458552DFA51CE0086275AA32FF8EF3C6E6E2C25D59B3CDDB67CCE5B51A4B5DF5B76A348C79CE78EC9B5FCAA44F6FE64D6F3AF9597C91F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b.d.&u..&u..&u..I...3u..I...(u..I...eu../...!u..&u..hu..I...$u..I...'u..I...'u..Rich&u..........................PE..L.....g...........!.....N...V......5........`............................................@.............................P...L...P...................................................................0...@............`...............................text....L.......N.................. ..`.rdata......`...,...R..............@..@.data...@............~..............@....reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIF1CE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175328
Entropy (8bit):	6.879935553739908
Encrypted:	false
SSDEEP:	3072:jnrQnzMYywmn3h1sp7/WvCnIukR4BbxKigu/fgl1glfdjgBftJeCEEzx4N7mcr5:XQnzXtr7tbxKVuE1gQJeCEMx4p
MD5:	BE4ED0D3AA0B2573927A046620106B13
SHA1:	0B81544CD5E66A36D90A033F60A0ECE1CD3506A8
SHA-256:	79BF3258E03FD1ACB395DC184FBE5496DFA4B3D6A3F9F4598C5DF13422CC600D
SHA-512:	BD4E0447C47EEA3D457B4C0E8264C1A315EE796CF29E721E9E6B7AB396802E3CCC633488F8BEEB8D2CF42A300367F76DEDDA74174C0B687FB8A328D197132753
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............d..d..d...g..d...a...d...`..d..g..d..`..d..a..d...e..d..e..d...a..d.....d.....d...f..d.Rich..d.........PE..L....]d............................S#............@.................................>.....@.................................d8..<....p...............d...H...........*..T...........................H+..@...............$............................text............................... ..`.rdata..._.......`..................@..@.data........@.......4..............@....gfids.. ....`.......>..............@..@.rsrc........p.......@..............@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.2010378825596466
Encrypted:	false
SSDEEP:	12:JSbX72FjqXAlfLIlHuRpnhG7777777777777777777777777ZDHFZQDzVGLH9aOI:JGUIwmbQv6aO8F
MD5:	0AA2CA3271E64601AA90FF7FAB59509E
SHA1:	2BE6C4CD6E618A35FA885C291F32C41FD7DE7BCE
SHA-256:	08488B2250AF37B858BC22A286A5EBBD44D07FA2461AC7C8A4ED9BAED2D5A5E5
SHA-512:	F7113C83578052BB513BBFB6919A41D51D530F6344AA36B50ABDEC866A3259740A3577CCC5223F9F458E7FAB941A05014974B3B1667BA726FB6E27E0760C3E18
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	1.8808454172409448
Encrypted:	false
SSDEEP:	48:ul8PhOuRc06WXJUFT5Vdc6JRNdEWSkd+bV/ZuAxPEbGoaD8xYzIoJxL7xBxqxtp6:uIhO1XFTa6JRpsfEGo75FlkSu
MD5:	837C1BB95F03EFF7C004CADE0F7532EC
SHA1:	7B9742DC4C76234461D288B6D87730DD8D919944
SHA-256:	2B78206AE012CFF537017A759E597CDA377443AFE3FD481ABCF2F8DFD8A19522
SHA-512:	74BB9E083CD8518544CAE86A2FD140A12387E6C8181ED9A5E17B1FFF331490A77105D12A82E94208B8AEE78E5D5A8A29E61FCC5DCC401C6962B7872C47769A63
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.362987047731947
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauW:zTtbmkExhMJCIpEX
MD5:	3EC1236B3CE012DFE22E62F6269262EF
SHA1:	FE3E4973CA4D1EDB0002C51186A6607C5FECEC27
SHA-256:	ECABFA24C6D567015A2AF537F796754A222F84FE53741679414864E04857AD24
SHA-512:	47D3848595ED5D812F4D9262E01F722B8FF3358D2B77640B3A873BCA368D55DBA6DE1C4E7F887B39A1300F760075C291CBBDFBD35963229D5D7D66D67A7CB090
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\SysWOW64\libjyy.dll

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54272
Entropy (8bit):	5.93759856622623
Encrypted:	false
SSDEEP:	768:1B53ZaVt2FD5J+CQOeR5v+CZD2IddL71uhsIvI1kkkqfED4n6GUM3e7G:7moH+CQv5vtJvddH1idv+kZA6GUMj
MD5:	8C7F64AB09C9C05D7B98C9F57354D251
SHA1:	F346CA309363D57D6F4B58161E892461FA255579
SHA-256:	2CAB655D163CC554CB584766191C53D80A1D8676363C0E6A9C44854FE3FAF242
SHA-512:	789DF191A936BD20D9033B0F608717EA33FE2FAE8044559F1650CD84B99F4A999B3A5C4287A820C9DDA38754EE4ADDC252480AFCA876DF7CC51F0FF8C6808FB8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............t...t...t.......t....9..t....8..t.......t...t...t....<..t.......t.......t..Rich.t..........PE..L...N.*g...........!.....~...p.......!....................................................@.........................p...S......x.......................................................................@...............P............................text...H\|.......~.................. ..`.rdata.../.......0..................@..@.data....+..........................@....reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF0BB092C2EF0BF3EB.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF0F4BCF1D54A3EA7F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.2306154195569192
Encrypted:	false
SSDEEP:	48:HxGuaXO+CFXJJT55UVyCdc6JRNdEWSkd+bV/ZuAxPEbGoaD8xYzIoJxL7xBxqxtw:RG+xT38o6JRpsfEGo75FlkSu
MD5:	8A4C570494B9A516F0731DA1CD0EEF56
SHA1:	6F126A6E3924E6A65CAFCE96594C3FCA5FF9307D
SHA-256:	46D3E44446EE756C7868437EEAE46D4DBECCBC985E508D83386B9A4C9016D510
SHA-512:	C0AA8940E149F5884BE208144924E036A175BF90F056F70CAD7475F73A7B61587A92AAE2057DAF3E7B3773CA6354EC31A74F9A54255513E0A716AC51B9BBA136
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1FA3F370A7E4543E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.2306154195569192
Encrypted:	false
SSDEEP:	48:HxGuaXO+CFXJJT55UVyCdc6JRNdEWSkd+bV/ZuAxPEbGoaD8xYzIoJxL7xBxqxtw:RG+xT38o6JRpsfEGo75FlkSu
MD5:	8A4C570494B9A516F0731DA1CD0EEF56
SHA1:	6F126A6E3924E6A65CAFCE96594C3FCA5FF9307D
SHA-256:	46D3E44446EE756C7868437EEAE46D4DBECCBC985E508D83386B9A4C9016D510
SHA-512:	C0AA8940E149F5884BE208144924E036A175BF90F056F70CAD7475F73A7B61587A92AAE2057DAF3E7B3773CA6354EC31A74F9A54255513E0A716AC51B9BBA136
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF30AC6F65DA9F5660.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4B3E28926B712816.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4C5E7EFF2275F2C7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	1.8808454172409448
Encrypted:	false
SSDEEP:	48:ul8PhOuRc06WXJUFT5Vdc6JRNdEWSkd+bV/ZuAxPEbGoaD8xYzIoJxL7xBxqxtp6:uIhO1XFTa6JRpsfEGo75FlkSu
MD5:	837C1BB95F03EFF7C004CADE0F7532EC
SHA1:	7B9742DC4C76234461D288B6D87730DD8D919944
SHA-256:	2B78206AE012CFF537017A759E597CDA377443AFE3FD481ABCF2F8DFD8A19522
SHA-512:	74BB9E083CD8518544CAE86A2FD140A12387E6C8181ED9A5E17B1FFF331490A77105D12A82E94208B8AEE78E5D5A8A29E61FCC5DCC401C6962B7872C47769A63
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5633644BA4366108.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF598049EBDE272C54.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	1.8808454172409448
Encrypted:	false
SSDEEP:	48:ul8PhOuRc06WXJUFT5Vdc6JRNdEWSkd+bV/ZuAxPEbGoaD8xYzIoJxL7xBxqxtp6:uIhO1XFTa6JRpsfEGo75FlkSu
MD5:	837C1BB95F03EFF7C004CADE0F7532EC
SHA1:	7B9742DC4C76234461D288B6D87730DD8D919944
SHA-256:	2B78206AE012CFF537017A759E597CDA377443AFE3FD481ABCF2F8DFD8A19522
SHA-512:	74BB9E083CD8518544CAE86A2FD140A12387E6C8181ED9A5E17B1FFF331490A77105D12A82E94208B8AEE78E5D5A8A29E61FCC5DCC401C6962B7872C47769A63
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF72386623E44A2362.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.3232826289411894
Encrypted:	false
SSDEEP:	48:oiuWT4d+SkdvdEWSkd+bV/ZuAxPEbGoaD8xYzIoJxL7xBxqxtpwxbxEo3opTYruA:huWJsfEGo75FlVRGl
MD5:	A8F2D065AD149659888723EE0F74A4C3
SHA1:	7607BE95A9829BEE06CD52F912EEFFA72EB3E1BC
SHA-256:	8105A877D49BAE2E91D65B61F47FFD2C2A8B2EDEBE6B6CB6A5BDF9B3019110B0
SHA-512:	8E788B43D537AF348506C0A728AE128EA0097AA6CF9637A9398A78C98150B492F7B006E37291EECFD8BF293748E45D80EFE2569B22F02895837FF67E6E53C0C9
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7CDB90AF79FCBF21.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.2306154195569192
Encrypted:	false
SSDEEP:	48:HxGuaXO+CFXJJT55UVyCdc6JRNdEWSkd+bV/ZuAxPEbGoaD8xYzIoJxL7xBxqxtw:RG+xT38o6JRpsfEGo75FlkSu
MD5:	8A4C570494B9A516F0731DA1CD0EEF56
SHA1:	6F126A6E3924E6A65CAFCE96594C3FCA5FF9307D
SHA-256:	46D3E44446EE756C7868437EEAE46D4DBECCBC985E508D83386B9A4C9016D510
SHA-512:	C0AA8940E149F5884BE208144924E036A175BF90F056F70CAD7475F73A7B61587A92AAE2057DAF3E7B3773CA6354EC31A74F9A54255513E0A716AC51B9BBA136
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8BFF5C4D69C147B7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB3FEFF049BC2F37F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.0979355031404229
Encrypted:	false
SSDEEP:	6:xPLG7iVCnLG7iVrKOzPLHKOZqXBDzAaO/HrPP9l8O2XNlKVky6lfSlsw:50i8n0itFzDHFZQDzVGLH9aOsN7xw
MD5:	7496268A66D1B7B07E946E6B2DF4FD49
SHA1:	DA78881E0842F98978FB80AEE912E1CB101726F8
SHA-256:	12ABC41267EAE28B14A8865DB1F50EBF2C66351CA4A70546CCEDBAB6C99D03D8
SHA-512:	C483ADF7FDF0D74AC75FA32AEAF045899A51CED66A644DC36B31D3466BC0D1393A797D86F701883702116C44DD6BFEA894290B1BFF143239F660A674647F6191
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	531
Entropy (8bit):	5.158271181297339
Encrypted:	false
SSDEEP:	12:pporCVZcRwNdpjppyT5dpgFyRdp2HswBsviJAIkzLGNVs:ppH4wNdpjpoT5dp3dp2HNBsviJAIzPs
MD5:	FDB60B4BEA1E4F23AB7B005A01746C87
SHA1:	ACC654A0A26B772E5FD786DF03DBB3340FABBE2C
SHA-256:	898927618AA5796AF0462990CFE1FBE2FAF7EDBF0BF2DD47B41EFECE1017D99D
SHA-512:	FB6CE46F16C8A630A9EF3B9CA7FCFCE4636D4B0951944A7316DC85150D6EEEEB42950DBCA8D410AE9EA7D9F9EDA1AEB19D0E7BA0D386E22F4BA1728131945237
Malicious:	false
Preview:	..7-Zip 22.01 (x86) : Copyright (c) 1999-2022 Igor Pavlov : 2022-07-15....Scanning the drive for archives:.. 0M Scan C:\Program Files (x86)\DnLIMGKCARTO\. .1 file, 204 bytes (1 KiB)....Extracting archive: C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX..--..Path = C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX..Type = 7z..Physical Size = 204..Headers Size = 204..Solid = -..Blocks = 0.... 0%. .Everything is Ok....Folders: 2..Files: 1..Size: 0..Compressed: 204..

**\Device\Mup\user-PC*\MAILSLOT\NET\NETLOGON**

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	3.6388132069840315
Encrypted:	false
SSDEEP:	3:UlxlL5I2Y1AneMkv8lLn:vGeMkcLn
MD5:	E2500905E466F8F20B5976BECA8E0A26
SHA1:	E5702DE3B1E76C7F1804783B4C734BE77BA732BD
SHA-256:	114E405A34E0D402C96DDDFCC4CAFF51D6581FB13AB37218F11FDB724B42DA10
SHA-512:	1877733B3AAE57F0DA768E08A60C6DC8F26CD09F277A5A7E4B83FC480A32F0677EE73D7B134B0CA5BB66AC82537F6E7F9C36BA1950837F21A03EC59DB0E3FA8B
Malicious:	false
Preview:	....1.2.4.4.0.6.....\MAILSLOT\NET\GETDC08DB0AFA.................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.945533560195764
TrID:	Win32 Executable (generic) a (10002005/4) 98.41% Windows ActiveX control (116523/4) 1.15% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	ZwmyzMxFKL.exe
File size:	58'031'336 bytes
MD5:	2fa4f19f9fb9e7a71d85aaf34d318178
SHA1:	2061483db691163ca0b1d04667d64e37af4c2fe0
SHA256:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769
SHA512:	a311d5ba3369540927b93fca95331d0783a8c526f2df59bd4726dcb3f174311447d00f70d52d22f3d2b6fde2d599a403cf44558a578fa34cb965fdb1fbfd965e
SSDEEP:	1572864:uK9/hb6GmIcUGtvclhGSjkcrABpYhpeWeiTjz:uAheec1tvclsSjsBuhpeJujz
TLSH:	58D72321354AC536D97E40B15A3DEBAF61BD7FA10BB114DB73C82E6E0A745C20236E27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w._.3.1.3.1.3.1...2.>.1...4...1...7.2.1.S.5. .1.S.2.+.1.Q.4.0.1.S.4.V.1...5.).1...0.0.1...6.2.1.3.0...1.W.8.~.1.W...2.1.3...2.1

File Icon


Icon Hash:	0000000000000000

Static PE Info

General

Entrypoint:	0x5b51a4
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x62E7A72C [Mon Aug 1 10:13:00 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d23703a6f12b30c40e0b3bc256b113cd

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=clubhouseapi.com, O=dmm.co.jp, C=BE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	19/11/2024 05:15:28 17/11/2033 05:15:28
Subject Chain	CN=clubhouseapi.com, O=dmm.co.jp, C=BE
Version:	1
Thumbprint MD5:	FD122D8ED5715DE53753D87EB46293D2
Thumbprint SHA-1:	9187EF8AD30A37033F39C7B049AEB9DCF5160F29
Thumbprint SHA-256:	1F110C8650FEDCD1997545E83F6E455C7C9E9DB0D0F72907386E8521791EC63F
Serial:	01

Entrypoint Preview

Instruction
call 00007F332C6C6B8Fh
jmp 00007F332C6C63CFh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F332C6C5A23h
jmp 00007F332C6C6532h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [006C1024h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [006C1024h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [006C1024h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2bf5ec	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2ca000	0x24d00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3753eb0	0x3e38
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2ef000	0x26810	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x267c58	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x267d00	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x23afa8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x239000	0x2cc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2bc998	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x237b1f	0x237c00	80bc8be932e0885c43ae89685b4f2cae	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x239000	0x8762c	0x87800	1b8aa1b2bf5ab81c2f62c8876d237202	False	0.31338827548431736	data	4.6063411973791215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2c1000	0x8d24	0x6c00	f1f3d5b17e9c25a2a0e0871309677fc7	False	0.14344618055555555	PGP symmetric key encrypted data - Plaintext or unencrypted data salted & iterated -	2.9234755461718365	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2ca000	0x24d00	0x24e00	983b47b2a4589053279e09b02dbe1d4e	False	0.14065148305084746	data	5.370033700721725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2ef000	0x26810	0x26a00	4f1c0c554ffb6b898804c47a1b2ac00b	False	0.4470507180420712	data	6.513793248957895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
IMAGE_FILE	0x2cac70	0x6	ISO-8859 text, with no line terminators	Chinese	China	2.1666666666666665
IMAGE_FILE	0x2cac78	0x6	ISO-8859 text, with no line terminators	Chinese	China	2.1666666666666665
RTF_FILE	0x2cac80	0xa1	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	Chinese	China	0.906832298136646
RTF_FILE	0x2cad24	0x4b9	Rich Text Format data, version 1, ANSI, code page 1252	Chinese	China	0.35814722911497104
RT_BITMAP	0x2cb1e0	0x13e	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors	English	United States	0.25471698113207547
RT_BITMAP	0x2cb320	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.03017241379310345
RT_BITMAP	0x2cbb48	0x48a8	Device independent bitmap graphic, 290 x 16 x 32, image size 0	English	United States	0.11881720430107527
RT_BITMAP	0x2d03f0	0xa6a	Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m	English	United States	0.21680420105026257
RT_BITMAP	0x2d0e5c	0x152	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors	English	United States	0.5295857988165681
RT_BITMAP	0x2d0fb0	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.4875478927203065
RT_ICON	0x2d17d8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4264	Chinese	China	0.027204502814258912
RT_ICON	0x2d2880	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.08703319502074688
RT_ICON	0x2d4e28	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.16463414634146342
RT_ICON	0x2d5ed0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Chinese	China	0.18565573770491803
RT_ICON	0x2d6858	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.3262411347517731
RT_MENU	0x2d6cc0	0x32	data	Chinese	China	1.1
RT_MENU	0x2d6cf4	0x1c	data	Chinese	China	1.2142857142857142
RT_DIALOG	0x2d6d10	0x98	data	Chinese	China	0.75
RT_DIALOG	0x2d6da8	0x1a2	data	Chinese	China	0.6507177033492823
RT_DIALOG	0x2d6f4c	0x2ac	data	Chinese	China	0.5277777777777778
RT_DIALOG	0x2d71f8	0xa0	data	Chinese	China	0.775
RT_DIALOG	0x2d7298	0x148	data	Chinese	China	0.75
RT_DIALOG	0x2d73e0	0x178	data	Chinese	China	0.6675531914893617
RT_DIALOG	0x2d7558	0xc4	data	Chinese	China	0.6938775510204082
RT_DIALOG	0x2d761c	0x104	data	Chinese	China	0.6615384615384615
RT_DIALOG	0x2d7720	0x140	data	Chinese	China	0.63125
RT_DIALOG	0x2d7860	0x214	data	Chinese	China	0.650375939849624
RT_DIALOG	0x2d7a74	0x16c	data	Chinese	China	0.5714285714285714
RT_DIALOG	0x2d7be0	0x104	data	Chinese	China	0.6307692307692307
RT_DIALOG	0x2d7ce4	0x4c	data	English	United States	0.8289473684210527
RT_STRING	0x2d7d30	0x204	data	Chinese	China	0.6608527131782945
RT_STRING	0x2d7f34	0x1bc	data	Chinese	China	0.6261261261261262
RT_STRING	0x2d80f0	0x158	data	Chinese	China	0.7238372093023255
RT_STRING	0x2d8248	0x222	data	Chinese	China	0.5622710622710623
RT_STRING	0x2d846c	0x1fc	data	Chinese	China	0.6948818897637795
RT_STRING	0x2d8668	0x3ee	data	Chinese	China	0.510934393638171
RT_STRING	0x2d8a58	0x3c6	data	Chinese	China	0.4927536231884058
RT_STRING	0x2d8e20	0xa2	data	Chinese	China	0.8765432098765432
RT_STRING	0x2d8ec4	0x1f8	data	Chinese	China	0.7916666666666666
RT_STRING	0x2d90bc	0x11e	data	Chinese	China	0.6048951048951049
RT_STRING	0x2d91dc	0x18a	data	English	United States	0.5228426395939086
RT_STRING	0x2d9368	0x216	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.46254681647940077
RT_STRING	0x2d9580	0x624	data	English	United States	0.3575063613231552
RT_STRING	0x2d9ba4	0x660	data	English	United States	0.3474264705882353
RT_STRING	0x2da204	0x2e2	data	English	United States	0.4037940379403794
RT_GROUP_ICON	0x2da4e8	0x14	data	Chinese	China	1.1
RT_VERSION	0x2da4fc	0x118	PDP-11 overlaid pure executable not stripped	Chinese	China	0.6142857142857143
RT_HTML	0x2da614	0x3835	ASCII text, with very long lines (443), with CRLF line terminators	English	United States	0.08298005420807561
RT_HTML	0x2dde4c	0x1316	ASCII text, with CRLF line terminators	English	United States	0.18399508800654932
RT_HTML	0x2df164	0x52b	HTML document, ASCII text, with CRLF line terminators	English	United States	0.36281179138321995
RT_HTML	0x2df690	0x6acd	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10679931238798873
RT_HTML	0x2e6160	0x6a2	HTML document, ASCII text, with CRLF line terminators	English	United States	0.3486454652532391
RT_HTML	0x2e6804	0x104a	HTML document, ASCII text, with CRLF line terminators	English	United States	0.2170263788968825
RT_HTML	0x2e7850	0x15b1	HTML document, ASCII text, with CRLF line terminators	English	United States	0.17612101566720692
RT_HTML	0x2e8e04	0x205c	exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators	English	United States	0.13604538870111058
RT_HTML	0x2eae60	0x368d	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10834228428213391
RT_MANIFEST	0x2ee4f0	0x80f	XML 1.0 document, ASCII text, with CRLF, LF line terminators	Chinese	China	0.40814348036839554

Imports

DLL

Import

KERNEL32.dll

CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateEventExW, WaitForSingleObject, SetEvent, RemoveDirectoryW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, InitializeCriticalSection, lstrcpynW, CreateThread, GetProcAddress, LoadLibraryExW, GetCurrentProcess, Sleep, WideCharToMultiByte, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, GetModuleHandleW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SystemTimeToFileTime, MultiByteToWideChar, GetSystemInfo, WaitForMultipleObjects, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetSystemTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, CreateProcessW, GetExitCodeProcess, GetWindowsDirectoryW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FormatMessageW, GetEnvironmentStringsW, LocalFree, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetSystemDefaultLangID, GetUserDefaultLangID, GetLocalTime, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, CreateNamedPipeW, ConnectNamedPipe, TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, WaitForSingleObjectEx, QueryPerformanceCounter, QueryPerformanceFrequency, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, GetSystemTimeAsFileTime, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T15:22:22.671051+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.6	49800	206.238.43.118	63569	TCP
2024-11-25T15:23:22.881761+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.6	49800	206.238.43.118	63569	TCP
2024-11-25T15:25:00.847100+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.6	49992	206.238.43.118	63569	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 15:22:19.360429049 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:19.487390041 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:19.487521887 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:21.766047955 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:21.886392117 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:21.886405945 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:21.886464119 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:21.886499882 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:21.886528969 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:21.886539936 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:21.886595964 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:21.886673927 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:21.886698008 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:21.886746883 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:21.887238026 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:21.887276888 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:21.887288094 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:21.887332916 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:21.887468100 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:21.887489080 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:21.887507915 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:21.887537003 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:22.007049084 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.007077932 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.007113934 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:22.007133961 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:22.007164955 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.007177114 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.007210970 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:22.007230997 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:22.007256031 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.007265091 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.007374048 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.007446051 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.007491112 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.007968903 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.008106947 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.008117914 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.008142948 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.127677917 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.127727985 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.127820015 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.127834082 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.671051025 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:22.752727032 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.791013956 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:22.795736074 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:23.024178028 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:23.030488014 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:23.150388956 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:23.299072027 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:23.342617035 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:24.163783073 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:24.284799099 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:24.284831047 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:24.284945011 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:24.284955025 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:24.285027981 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:24.285360098 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:24.285372972 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:24.285389900 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:24.285401106 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:24.285409927 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:24.285419941 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:24.285432100 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:24.285442114 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:24.285451889 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:25.738183022 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:25.858913898 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:26.291594982 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:26.342590094 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:27.266400099 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:27.390049934 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:27.390120983 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:27.390309095 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:27.390363932 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:27.390461922 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:27.390485048 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:27.390542984 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:27.390629053 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:27.390638113 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:27.390707016 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:27.390928030 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:27.390937090 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:27.391204119 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:27.391225100 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:28.780316114 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:28.900736094 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:29.342513084 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:29.389472961 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:30.497267008 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:30.619781971 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:30.619820118 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:30.619946003 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:30.619956017 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:30.619967937 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:30.620028019 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:30.620070934 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:30.620141029 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:30.620268106 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:30.620276928 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:30.620354891 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:30.620435953 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:30.620445013 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:30.620522022 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:31.827296972 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:31.948271036 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:32.377568960 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:32.420799971 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:33.458631039 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:33.578792095 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:33.578895092 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:33.578931093 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:33.579015017 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:33.579027891 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:33.579149008 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:33.579160929 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:33.579305887 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:33.579324007 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:33.579468012 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:33.579557896 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:33.579600096 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:33.579653025 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:33.579747915 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:34.874032974 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:34.998157024 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:35.429872036 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:35.483242035 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:36.345901966 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:36.507632971 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:36.507652998 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:36.510452986 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:36.510483027 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:36.510559082 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:36.513430119 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:36.513475895 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:36.513520002 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:36.513567924 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:36.516309977 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:36.516345024 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:36.516474962 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:36.516484022 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:36.516493082 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:37.921226978 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:38.041306973 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:38.472971916 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:38.514491081 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:39.604311943 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:39.732841969 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:39.732950926 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:39.891207933 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:39.895088911 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:39.895114899 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:39.895258904 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:39.895404100 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:39.895445108 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:39.895483971 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:39.895531893 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:39.895566940 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:39.895724058 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:39.895735025 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:39.896048069 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:40.967894077 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:41.097182035 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:41.524841070 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:41.577001095 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:42.698908091 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:42.819854975 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:42.819871902 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:42.819900990 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:42.819911003 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:42.820017099 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:42.820497036 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:42.820507050 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:42.820514917 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:42.820523977 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:42.821047068 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:42.821057081 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:42.821135998 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:42.821145058 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:42.821152925 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:44.014831066 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:44.135720015 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:44.564915895 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:44.608293056 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:45.537467003 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:45.745937109 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:45.745950937 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:45.745959997 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:45.746081114 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:45.746090889 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:45.746229887 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:45.746239901 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:45.746248960 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:45.746258020 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:45.746377945 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:45.746387959 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:45.746396065 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:45.746404886 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:45.746682882 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:47.061599016 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:47.187370062 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:47.617369890 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:47.670748949 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:48.825908899 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:48.946218967 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:48.946249962 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:48.946321964 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:48.946331978 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:48.946408987 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:48.946455002 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:48.946499109 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:48.946597099 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:48.946641922 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:48.946677923 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:48.946759939 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:48.946789980 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:48.946860075 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:48.946892023 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:50.108577967 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:50.229774952 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:50.657978058 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:50.701997995 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:51.071966887 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:51.326991081 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:51.407166958 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:51.407195091 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:51.407205105 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:51.407233000 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:51.421081066 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:51.421106100 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:51.430701971 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:51.432764053 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:51.432795048 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:51.432858944 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:51.442630053 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:51.442647934 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:51.444890022 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:51.444916010 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:51.766366005 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:53.110070944 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:53.235363007 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:53.665257931 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:53.717617035 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:54.093187094 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:54.213499069 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:54.213546038 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:54.213649988 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:54.213670015 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:54.213766098 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:54.213783979 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:54.213856936 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:54.213865995 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:54.213984013 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:54.213993073 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:54.214119911 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:54.214168072 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:54.214267969 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:54.214277029 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:55.828602076 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:55.950227976 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:56.379606962 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:56.420774937 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:56.832190990 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:56.952435970 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:56.952485085 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:56.952600002 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:56.952719927 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:56.952759027 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:56.952919006 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:56.952936888 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:56.952950954 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:56.953022957 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:56.953135014 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:56.953149080 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:56.953174114 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:56.953318119 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:56.953336000 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:58.312064886 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:58.432519913 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:58.862231970 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:58.905241013 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:59.269468069 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:22:59.390335083 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:59.390350103 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:59.390358925 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:59.390367985 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:59.390440941 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:59.390459061 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:59.390511990 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:59.390588045 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:59.390599012 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:59.390633106 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:59.390691996 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:59.390753031 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:59.390793085 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:22:59.390803099 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:00.546442986 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:00.670353889 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:01.100647926 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:01.160113096 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:01.696758986 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:01.820246935 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:01.820278883 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:01.820439100 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:01.820455074 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:01.820552111 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:01.820605040 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:01.820688009 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:01.820697069 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:01.820785046 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:01.820796013 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:01.820943117 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:01.820952892 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:01.821043015 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:01.821052074 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:02.624316931 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:02.745697975 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:03.174789906 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:03.217638969 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:04.160131931 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:04.280422926 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:04.280467987 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:04.280498981 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:04.280591965 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:04.280679941 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:04.280690908 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:04.280798912 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:04.280807972 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:04.280896902 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:04.280905962 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:04.280982971 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:04.281002045 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:04.281088114 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:04.281099081 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:04.592825890 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:04.714658022 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:05.191165924 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:05.233269930 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:05.681709051 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:05.802567005 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:05.802582979 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:05.802650928 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:05.802669048 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:05.802748919 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:05.802782059 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:05.802901983 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:05.802910089 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:05.802999020 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:05.803006887 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:05.803064108 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:05.803071976 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:05.803148985 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:05.803181887 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:06.234961033 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:06.355452061 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:06.785209894 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:06.827018023 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:07.226059914 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:07.347052097 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:07.347064972 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:07.347101927 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:07.347111940 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:07.347275972 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:07.347285032 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:07.347408056 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:07.347419024 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:07.347426891 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:07.347435951 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:07.347480059 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:07.347489119 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:07.347496986 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:07.347506046 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:07.734072924 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:07.854912996 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:08.283889055 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:08.327038050 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:08.709168911 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:08.829252005 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:08.829293013 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:08.829581022 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:08.829590082 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:08.829709053 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:08.829761028 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:08.829881907 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:08.829935074 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:08.830001116 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:08.830030918 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:08.830099106 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:08.830138922 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:08.830274105 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:08.830357075 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:09.124092102 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:09.247680902 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:09.676899910 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:09.717669010 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:10.095951080 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:10.216255903 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:10.216289997 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:10.216299057 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:10.216306925 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:10.216444016 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:10.216460943 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:10.216520071 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:10.216537952 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:10.216650009 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:10.216659069 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:10.216695070 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:10.216721058 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:10.216789007 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:10.216837883 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:10.343036890 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:10.463450909 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:10.893455029 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:10.936542034 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:11.298367977 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:11.418381929 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:11.418418884 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:11.418452978 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:11.418536901 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:11.418545961 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:11.418581963 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:11.418622971 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:11.418788910 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:11.418843985 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:11.418941975 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:11.418950081 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:11.419079065 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:11.419131994 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:11.419140100 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:11.467940092 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:11.589047909 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:12.078752041 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:12.123930931 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:12.483964920 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:12.533890009 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:12.604048014 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:12.654572964 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:12.654612064 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:12.654752016 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:12.654793024 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:12.654926062 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:12.654994965 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:12.655127048 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:12.655190945 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:12.655350924 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:12.655360937 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:12.655385971 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:12.655428886 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:12.655555964 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:12.655606031 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.033651114 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.077053070 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:13.389743090 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:13.433695078 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:13.509774923 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.553858995 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.553875923 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.553924084 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.553934097 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.553951979 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.554008007 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.554141045 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.554176092 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.554222107 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.554229975 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.554301023 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.554311037 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.554338932 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.554347992 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.940524101 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:13.983453035 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:14.217992067 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:14.338790894 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:14.378853083 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:14.499047995 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:14.499123096 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:14.499135017 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:14.499145985 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:14.499250889 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:14.499262094 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:14.499296904 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:14.499308109 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:14.499370098 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:14.499392033 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:14.499499083 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:14.499509096 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:14.499538898 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:14.499551058 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:14.767963886 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:14.811459064 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:14.968025923 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:15.088298082 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.196609020 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:15.316900015 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.316931963 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.317028046 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.317039013 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.317069054 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.317111015 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.317203999 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.317223072 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.317305088 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.317332029 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.317439079 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.317447901 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.317517996 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.317544937 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.527633905 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.577068090 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:15.639795065 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:15.762646914 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:15.958211899 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:16.080830097 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.080859900 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.081585884 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.091741085 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.091761112 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.096481085 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.100802898 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.100838900 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.103995085 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.104028940 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.104156017 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.104182959 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.109603882 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.109635115 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.226032972 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.264870882 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:16.384896040 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.628729105 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:16.749804020 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.749825001 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.749834061 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.749842882 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.749866009 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.749875069 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.749967098 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.749975920 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.750004053 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.750061035 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.750102043 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.750160933 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.750253916 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.750262976 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.812623978 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:16.814127922 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:16.858433962 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:16.932746887 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.227710962 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:17.347861052 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.347876072 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.347990990 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:17.348153114 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.348198891 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.348310947 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.348378897 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.348457098 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.348501921 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.348556042 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.348572969 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.348685026 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.348695040 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.348799944 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.348819971 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.454981089 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.468091011 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.499090910 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:17.780499935 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:17.854723930 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:17.901801109 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.974976063 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.974993944 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.975003004 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.975013971 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.975110054 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.975119114 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.975168943 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.975178003 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.975234032 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.975243092 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.975276947 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.975286007 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.975402117 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:17.975410938 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.002713919 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.045933008 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:18.207359076 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:18.330543041 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.373994112 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:18.407489061 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:18.527910948 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.528045893 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.528166056 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.528208971 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.528225899 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.528342009 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.528358936 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.593823910 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:18.762936115 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.771184921 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:18.807456017 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.858293056 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:18.891398907 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.891434908 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.891558886 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.891591072 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.891809940 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.891830921 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.891985893 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.892024040 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.892033100 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.892105103 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.892116070 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.892178059 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.892214060 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.892244101 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:18.937869072 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:19.071017981 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.191767931 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:19.318989992 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.319053888 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:19.319060087 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.319075108 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.494177103 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.494194031 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.494204044 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.494221926 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.494316101 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.494324923 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.494430065 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.494438887 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.494484901 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.494504929 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.494585037 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.494622946 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.541615963 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.541671038 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:19.554913044 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.554971933 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:19.568408966 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.687879086 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.727278948 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:19.850102901 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.850126982 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.850178003 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.850207090 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.850279093 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.850290060 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.850363016 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:19.850382090 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.850436926 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.850503922 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.850547075 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.850610018 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.850620985 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.850748062 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.850775003 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:19.970633030 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.049230099 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:20.126256943 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:20.149789095 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.175225973 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.202157974 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:20.253418922 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.253436089 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.253446102 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.253453970 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.253475904 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.253484964 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.253495932 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.263830900 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.263842106 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.385834932 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.385962009 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:20.420044899 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.420058966 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.420097113 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.420105934 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.420114040 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.539905071 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.540039062 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:20.571877003 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:20.630532980 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.660502911 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.660557985 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:20.692348003 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.692363024 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.692483902 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.692646027 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.692812920 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.692994118 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.710149050 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.710310936 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.750514030 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.781485081 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.795788050 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:20.828126907 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:20.966711998 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:20.968403101 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:20.968473911 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:21.069459915 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.087116003 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.087178946 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.087280035 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.087342024 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.087445021 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.087646008 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.087662935 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.088998079 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.123955011 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:21.124311924 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:21.179382086 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.233302116 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:21.249243021 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.265173912 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:21.384973049 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:21.392050028 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.429615021 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.429738998 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:21.511404037 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.511522055 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.511631966 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:21.511662006 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.511784077 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.511792898 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.511868954 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.511877060 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.602865934 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.603107929 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:21.605863094 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.631661892 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.655167103 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:21.723203897 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.723325968 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:21.740066051 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.780143976 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:21.793437004 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:21.816334009 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.816438913 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:21.886890888 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.916692972 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.916738987 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.916795015 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.916836977 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.916974068 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:21.922045946 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.923401117 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.931036949 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.939253092 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:21.983191967 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.030312061 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:22.042901039 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.043118000 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:22.157205105 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.157294035 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:22.172750950 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.217788935 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:22.258728981 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:22.332459927 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.332524061 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:22.357502937 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.357559919 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:22.367566109 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.385771990 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.391073942 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.415745974 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.415816069 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:22.422137976 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.422235012 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.422262907 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.436474085 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.481201887 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.481352091 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:22.586937904 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.587023020 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:22.602808952 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.603024960 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:22.628309011 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.670928001 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:22.724817991 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.724895000 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:22.781445026 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:22.881706953 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.881761074 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:22.923629999 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.923763990 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:22.926999092 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.931447983 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.974848986 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:22.974911928 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.059140921 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.059236050 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.092262983 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.096149921 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.096230030 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.096499920 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.096509933 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.097275972 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.112615108 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.139548063 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.179502964 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.179697037 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.247477055 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.299673080 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.299734116 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.302850008 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.368061066 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.368140936 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.368180990 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.368228912 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.380300045 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.390558958 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.392030001 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.418617010 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.418678045 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.449974060 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.538569927 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.538683891 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.592596054 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.592777967 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.629136086 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.629621983 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.713823080 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.713918924 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.722976923 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.826808929 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.828298092 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.834806919 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.843471050 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.843646049 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.843743086 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.843807936 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.843873978 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.844007969 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.844052076 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.844182014 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.844230890 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.844275951 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.844742060 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.844814062 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.877295971 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.908375025 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:23.966106892 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.966550112 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:23.966626883 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.001257896 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.001511097 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.034466028 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.035020113 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.045567989 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.046113014 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.142900944 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.143066883 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.206734896 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.289108038 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.289244890 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.289292097 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.289309978 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.304126024 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.304229975 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.351497889 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.398016930 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.427927017 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.428082943 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.428246021 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.428303003 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.428987980 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.429044008 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.444098949 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.448170900 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.458026886 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.460274935 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.478081942 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.480216026 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.480418921 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.499593973 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.499624014 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.499705076 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.530020952 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.532365084 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.549015999 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.549184084 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.573574066 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.573609114 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.573740959 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.602875948 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.603104115 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.669419050 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.669724941 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.674721003 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.692503929 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.692639112 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.724442959 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.724915028 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.740648985 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.740845919 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.800698996 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.800790071 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.800862074 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.813884020 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.813965082 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.827222109 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.845982075 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.857975006 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.858086109 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.861160994 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.861248016 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.861257076 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.861716986 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.914285898 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.917078972 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.917545080 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.917634010 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.917691946 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.934300900 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.938487053 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.980668068 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.980758905 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.980846882 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.985232115 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.985306978 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:24.986624956 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:24.986675978 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.080347061 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.080496073 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.080580950 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.100198030 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.100363016 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.100997925 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.102685928 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.102782011 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.102816105 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.106890917 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.106998920 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.136118889 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.144917011 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.146266937 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.197724104 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.198734045 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.220390081 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.220479012 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.226929903 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.231843948 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.231854916 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.231910944 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.256779909 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.274548054 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.278698921 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.298921108 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.303678989 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.330334902 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.330411911 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.353187084 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.398919106 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.402312994 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.431164980 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.467299938 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.469846964 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.536412001 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.536432981 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.536520958 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.569854975 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.604481936 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.611478090 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.611609936 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.662305117 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.662765026 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.700158119 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.700352907 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.720036983 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.720385075 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.735332012 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.735606909 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.746987104 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.747303963 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.762267113 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.762373924 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.765634060 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.765814066 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.765861034 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.768193960 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.768255949 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.800822973 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.800966024 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.870337963 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.870439053 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.870683908 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.872044086 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.889803886 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.889888048 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.930653095 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:25.930728912 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.964741945 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:25.998599052 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.012038946 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.016311884 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.045072079 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.081134081 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.081259012 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.084856033 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.086379051 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.118705034 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.119383097 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.136271000 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.137872934 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.165365934 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.165612936 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.204817057 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.204904079 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.212681055 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.214458942 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.214624882 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.214698076 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.218442917 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.222718000 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.223575115 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.223628044 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.226583958 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.226952076 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.231345892 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.234462976 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.238768101 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.243051052 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.262181044 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.264906883 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.285617113 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.285995960 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.295387983 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.355699062 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.355818033 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.355823994 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.355874062 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.376013994 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.376117945 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.406075001 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.406277895 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.446494102 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.451644897 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.451771975 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.467801094 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.467947960 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.496195078 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.496352911 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.535510063 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.535680056 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.551299095 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.551332951 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.551364899 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.551397085 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.566375971 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.566446066 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.568423033 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.573762894 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.573823929 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.604815960 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.616338968 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.616467953 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.616719007 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.616771936 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.653073072 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.678412914 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.678510904 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.725532055 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.725620985 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.725698948 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.725816965 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.726047039 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.726088047 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.737379074 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.737438917 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.743887901 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.743938923 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.752861023 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.752911091 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.752985954 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.769509077 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.769572020 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.769578934 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.782169104 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.782262087 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.799145937 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.799206018 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.827116966 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.827261925 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.845953941 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.846128941 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.863919020 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.863975048 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.866343975 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.866396904 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.889523983 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.889585972 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.919361115 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.919424057 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.942677021 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.942724943 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.942751884 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.966162920 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.966561079 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.986392975 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.986473083 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:26.992767096 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:26.992855072 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.013073921 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.013154030 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.013179064 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.050586939 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.056416035 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.056495905 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.075227022 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.075342894 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.106399059 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.106538057 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.108186007 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.133172989 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.133265972 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.157891989 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.157988071 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.171525955 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.171674967 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.176811934 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.176894903 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.211973906 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.214342117 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.214484930 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.228454113 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.228523970 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.228621006 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.228643894 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.231385946 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.231466055 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.231489897 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.231533051 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.234652996 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.243469000 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.253134966 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.253212929 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.278215885 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.278341055 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.287615061 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.287698030 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.297262907 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.297365904 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.324572086 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.324681044 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.345341921 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.345499992 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.355226040 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.355299950 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.396713018 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.396795034 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.396842957 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.405838966 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.405932903 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.444659948 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.444782019 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.453493118 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.453638077 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.475661993 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.475729942 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.526011944 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.526132107 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.535341978 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.535392046 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.554480076 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.573921919 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.574034929 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.619508028 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.619570971 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.620758057 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.620811939 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.620906115 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.656692982 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.656790972 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.666152954 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.666218996 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.666320086 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.677419901 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.677480936 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.681004047 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.681052923 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.693758011 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.693847895 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.715723991 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.715823889 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.717854977 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.717933893 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.721337080 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.721407890 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.721498013 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.761240005 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.765873909 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.766004086 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.766010046 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.786474943 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.786576986 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.801197052 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.801285028 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.835881948 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.836179018 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.836276054 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.841545105 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.841622114 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.856910944 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.857032061 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.857053041 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.857114077 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.876605034 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.876728058 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.881716013 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.881843090 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.888048887 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.888130903 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.921303034 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.921516895 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.961225033 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.961385965 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.961544037 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.961610079 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:27.987729073 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:27.987840891 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.002006054 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.002104044 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.008142948 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.008219957 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.011261940 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.081357956 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.081507921 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.086970091 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.087022066 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.093137026 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.093183994 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.117295980 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.117420912 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.128509998 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.128608942 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.131391048 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.131468058 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.132968903 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.134969950 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.153323889 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.162496090 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.162539005 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.227684975 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.227780104 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.237498999 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.237552881 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.290802956 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.290878057 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.292011023 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.318502903 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.318618059 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.332958937 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.333031893 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.333117962 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.333174944 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.341931105 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.342056990 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.354091883 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.354163885 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.357749939 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.357815981 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.364367962 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.364459038 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.394402027 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.394471884 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.394577980 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.436537027 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.438452959 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.438846111 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.438941002 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.438945055 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.453555107 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.456302881 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.463417053 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.463418007 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.474364996 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.474462986 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.484755039 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.488265038 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.528938055 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.532300949 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.552448034 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.556194067 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.556751013 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.561757088 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.561825037 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.561846018 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.583470106 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.583547115 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.583688021 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.583842993 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.583842993 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.587264061 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.588156939 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.604846001 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.604856014 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.605104923 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.617660046 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.662164927 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.664083958 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.664320946 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.695408106 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.696321011 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.704241037 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.708333015 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.725215912 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.725303888 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.762887001 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.762959957 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.782273054 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.782428980 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.816540003 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.816730022 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.845556021 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.846080065 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.902540922 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.902625084 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.906045914 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.906614065 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.915137053 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.915222883 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.923489094 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.966722012 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.967235088 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:28.992892981 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:28.992974043 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.007267952 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.007402897 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.007433891 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.026701927 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.026784897 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.027215958 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.027262926 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.044379950 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.044475079 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.044481993 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.044533014 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.044598103 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.059957981 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.060148954 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.088639975 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.088727951 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.111903906 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.112193108 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.128017902 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.128179073 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.157680035 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.164683104 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.168159962 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.177238941 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.177277088 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.177340984 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.177340984 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.208687067 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.212166071 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.225485086 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.225537062 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.225609064 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.228121996 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.246228933 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.248159885 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:29.267024994 CET	63569	49800	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:29.268151999 CET	49800	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:41.581515074 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:41.701519966 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:41.701858997 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:43.553946972 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:43.674232006 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.674256086 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.674319983 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:43.674333096 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.674350023 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.674351931 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:43.674386978 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:43.674397945 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:43.674401045 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.674439907 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.674472094 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:43.674556971 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.674566984 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.674670935 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:43.674693108 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.674702883 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.674746037 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:43.794439077 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.794562101 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.794572115 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.794601917 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:43.794604063 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.794645071 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:43.794661999 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:43.794676065 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.794728041 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.794858932 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.794985056 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.795070887 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.795150995 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.795257092 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.795320988 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.795360088 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.915255070 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:43.915735006 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:44.741220951 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:44.837073088 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:44.958739042 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:45.109242916 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:45.109793901 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:45.231386900 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:45.502634048 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:45.577061892 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:46.008193970 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:46.128551006 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:46.128571987 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:46.128606081 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:46.128618956 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:46.128643990 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:46.128654957 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:46.128736973 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:46.128748894 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:46.128834009 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:46.128855944 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:46.128904104 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:46.128926039 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:46.129020929 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:46.129056931 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:47.878336906 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:48.005304098 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:48.503560066 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:48.577245951 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:49.128870964 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:49.249155045 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:49.249180079 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:49.249203920 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:49.249231100 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:49.249325037 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:49.249342918 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:49.249383926 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:49.250663042 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:49.250674963 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:49.250758886 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:49.250854015 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:49.252593994 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:49.252621889 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:49.252640009 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:50.925620079 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:51.046025038 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:51.559077024 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:51.780206919 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:52.210040092 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:52.333713055 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:52.362415075 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:52.362438917 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:52.362447977 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:52.362456083 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:52.362463951 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:52.362473011 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:52.362476110 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:52.362479925 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:52.362483978 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:52.362492085 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:52.362500906 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:52.362518072 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:52.362526894 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:53.968545914 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:54.095524073 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:54.565963984 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:54.780271053 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:55.119343996 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:55.239526987 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:55.239548922 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:55.239782095 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:55.239834070 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:55.240005016 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:55.240015030 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:55.240138054 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:55.240147114 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:55.240195990 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:55.240236998 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:55.240334988 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:55.240411997 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:55.240508080 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:55.240597963 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:57.019925117 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:57.140830994 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:57.567276955 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:57.685676098 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:58.188446045 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:23:58.308727026 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:58.308788061 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:58.308995008 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:58.309046984 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:58.309158087 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:58.309212923 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:58.309314966 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:58.309369087 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:58.309474945 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:58.309571981 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:58.309581041 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:58.309675932 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:58.309685946 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:23:58.309701920 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:00.062432051 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:00.182460070 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:00.808885098 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:00.983344078 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:01.418056965 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:01.538374901 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:01.538403988 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:01.538450956 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:01.538461924 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:01.538510084 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:01.538517952 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:01.538551092 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:01.538592100 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:01.538657904 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:01.538666010 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:01.538734913 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:01.538774014 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:01.538877964 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:01.538887978 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:03.207228899 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:03.207304001 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:03.327409029 CET	63569	49980	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:03.327465057 CET	49980	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:05.142021894 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:05.262399912 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:05.262554884 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:06.648957968 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:06.814116001 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.814133883 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.814145088 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.814155102 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.814174891 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.814183950 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.814254999 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.814277887 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.814312935 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:06.814357042 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:06.814380884 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.814399958 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.814441919 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:06.814467907 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:06.934607983 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.934708118 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.934712887 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:06.934729099 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.934787989 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:06.934871912 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.934880972 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.934916973 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:06.934931993 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:06.934937000 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.934989929 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:06.935117960 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.935182095 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.935225010 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.935277939 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.935400009 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.935511112 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:06.978856087 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:07.055325985 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:07.055406094 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:07.055469036 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:07.055479050 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:07.979141951 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:08.108350039 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:08.301731110 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:08.302505016 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:08.422554016 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:08.422621965 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:08.542702913 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:09.228107929 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:09.311448097 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:09.856941938 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:09.977348089 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:09.977364063 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:09.977391005 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:09.977400064 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:09.977407932 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:09.977427006 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:09.977436066 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:09.977442980 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:09.977598906 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:09.977607012 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:09.977694988 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:09.977704048 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:09.977727890 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:09.977737904 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:11.375758886 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:11.496258974 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:11.999490976 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:12.108315945 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:12.580400944 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:12.701386929 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:12.701404095 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:12.701478958 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:12.701529026 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:12.701644897 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:12.701689005 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:12.701776981 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:12.701822042 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:12.701972961 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:12.702013969 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:12.702204943 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:12.702258110 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:12.702409983 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:12.702460051 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:14.421648026 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:14.550209999 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:15.004267931 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:15.108448029 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:15.573591948 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:15.700129986 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:15.700145960 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:15.700200081 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:15.700218916 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:15.700323105 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:15.700331926 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:15.700366974 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:15.700388908 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:15.700483084 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:15.700493097 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:15.700503111 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:15.700521946 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:15.700582981 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:15.700592041 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:17.470132113 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:17.470482111 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:17.596445084 CET	63569	49988	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:17.596627951 CET	49988	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:19.407124996 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:19.527302027 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:19.527416945 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:20.955826998 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:21.187902927 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.187931061 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.187952042 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.188038111 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:21.188086033 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.188096046 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.188163996 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:21.188168049 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.188177109 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.188218117 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:21.188271999 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.188282013 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.188328028 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:21.188409090 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.188468933 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:21.309037924 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.309066057 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.309149027 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:21.309179068 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:21.309262991 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.309303045 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:21.309320927 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.309384108 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:21.309499025 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.309508085 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.309516907 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.309545994 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:21.309568882 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.309622049 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.309668064 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.309782028 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.309896946 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.429661989 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.429677010 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.429687023 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:21.429696083 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:22.359785080 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:22.467750072 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:22.578146935 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:22.698837996 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:22.701292038 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:22.701400995 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:22.821444035 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:23.230748892 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:23.280291080 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:23.905038118 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:24.101232052 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:24.101247072 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:24.101262093 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:24.101281881 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:24.101421118 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:24.101448059 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:24.101597071 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:24.101605892 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:24.101764917 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:24.101803064 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:24.101937056 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:24.101993084 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:24.102057934 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:24.102066994 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:25.624600887 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:25.745354891 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:26.265754938 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:26.467807055 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:27.260703087 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:27.381316900 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:27.381335974 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:27.381347895 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:27.381447077 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:27.381553888 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:27.381563902 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:27.381658077 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:27.381695986 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:27.381777048 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:27.381787062 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:27.502732992 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:27.502757072 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:27.502861977 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:27.502942085 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:28.704329014 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:28.825050116 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:29.394613981 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:29.577156067 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:30.023448944 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:30.151108027 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:30.151128054 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:30.151137114 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:30.151227951 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:30.151355982 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:30.151366949 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:30.151550055 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:30.151685953 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:30.151695967 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:30.152154922 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:30.272953987 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:30.272973061 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:30.272984028 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:30.272993088 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:31.755027056 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:31.875420094 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:32.418263912 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:32.467807055 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:33.061752081 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:33.182070971 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:33.182101011 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:33.182128906 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:33.182137966 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:33.182148933 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:33.182157993 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:33.182239056 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:33.182248116 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:33.182317019 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:33.182326078 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:33.182368040 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:33.182421923 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:33.182503939 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:33.182543039 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:34.803200006 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:34.930005074 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:35.417726040 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:35.467830896 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:36.321377993 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:36.441778898 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:36.441793919 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:36.441945076 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:36.441953897 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:36.442152977 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:36.442172050 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:36.442181110 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:36.442225933 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:36.442289114 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:36.442301035 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:36.442428112 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:36.442471981 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:36.442529917 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:36.442780018 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:38.187465906 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:38.311151981 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:38.807436943 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:38.967768908 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:39.477475882 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:39.597827911 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:39.597860098 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:39.597976923 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:39.597987890 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:39.597995996 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:39.598041058 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:39.598093033 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:39.598124981 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:39.598182917 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:39.598206997 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:39.598225117 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:39.671737909 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:39.671755075 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:39.671763897 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:41.318279028 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:41.438338995 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:41.924709082 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:41.967814922 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:42.492727995 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:42.612767935 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:42.612796068 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:42.612869024 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:42.613049984 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:42.613059044 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:42.613137007 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:42.613153934 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:42.613441944 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:42.613451004 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:42.613576889 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:42.613702059 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:42.614141941 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:42.614182949 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:42.618294001 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:44.379383087 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:44.499469042 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:45.011568069 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:45.077127934 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:45.611445904 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:45.732747078 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:45.732784986 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:45.732908010 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:45.732937098 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:45.732980967 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:45.733009100 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:45.733041048 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:45.733081102 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:45.733109951 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:45.733514071 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:45.733809948 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:45.733838081 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:45.733865976 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:45.733895063 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:47.422111034 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:47.542314053 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:48.114202976 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:48.280391932 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:48.648032904 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:48.768459082 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:48.768578053 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:48.768610001 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:48.768639088 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:48.768856049 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:48.768884897 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:48.768913031 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:48.768939972 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:48.768968105 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:48.768996000 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:48.769046068 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:48.769074917 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:48.769102097 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:48.769129992 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:50.469333887 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:50.469449043 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:50.609070063 CET	63569	49989	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:50.609210014 CET	49989	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:52.407826900 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:52.528492928 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:52.528661013 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:53.963411093 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:54.083560944 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.083648920 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.083648920 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:54.083700895 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:54.083750010 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.083760023 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.083816051 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:54.083899021 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.083909988 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.083920002 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.083930969 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.083940983 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:54.083960056 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:54.084007025 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.084027052 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.084044933 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:54.084053040 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:54.084074020 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:54.203696966 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.203775883 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.203793049 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:54.203834057 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:54.203883886 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.203932047 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:54.204004049 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.204025030 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.204047918 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:54.204055071 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.204164982 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.204206944 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.204315901 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.204384089 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.204518080 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.204758883 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.204770088 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.323879957 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.324073076 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.324084044 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:54.981585979 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:55.077181101 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:55.266321898 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:55.267124891 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:55.387228966 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:55.578247070 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:55.578327894 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:55.698993921 CET	63569	49991	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:55.699062109 CET	49991	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:57.926635027 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:58.046793938 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:58.046978951 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:59.572226048 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:59.694212914 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.694231987 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.694334030 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.694344044 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.694405079 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:59.694433928 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.694443941 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.694456100 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:59.694487095 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:59.694540977 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.694551945 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.694597006 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:59.694695950 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.694717884 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.694757938 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:59.694798946 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:59.814873934 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.814888000 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.814973116 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.814976931 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:59.815009117 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.815037012 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:59.815048933 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:24:59.815231085 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.815239906 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.815383911 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.815458059 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.815507889 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.815603018 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.815645933 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.815732956 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.815784931 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.935328007 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.935404062 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.935415983 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:24:59.935461044 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:00.561038971 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:00.780342102 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:00.843621016 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:00.847100019 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:00.967720032 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:01.093771935 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:01.219599962 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:01.646126986 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:01.780318022 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:02.223123074 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:02.343599081 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:02.343637943 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:02.343650103 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:02.343735933 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:02.343786001 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:02.343796015 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:02.343869925 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:02.343920946 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:02.343930006 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:02.344120026 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:02.344129086 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:02.344136000 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:02.344144106 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:02.344151974 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:04.140937090 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:04.261363983 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:04.676954031 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:04.780296087 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:05.241014004 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:05.362107038 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:05.362261057 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:05.362272024 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:05.362281084 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:05.364787102 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:05.364798069 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:05.364809990 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:05.364825010 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:05.364834070 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:05.364837885 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:05.364840984 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:05.364845037 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:05.364852905 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:05.364864111 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:07.187130928 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:07.307087898 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:07.728719950 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:07.780335903 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:08.342751980 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:08.462939978 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:08.462958097 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:08.463064909 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:08.463076115 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:08.463187933 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:08.463208914 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:08.463254929 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:08.463278055 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:08.463331938 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:08.463351011 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:08.463465929 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:08.463485003 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:08.463586092 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:08.463597059 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:10.233791113 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:10.361394882 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:10.782001972 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:10.967771053 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:11.337224007 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:11.457597971 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:11.457724094 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:11.457735062 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:11.457829952 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:11.457979918 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:11.457990885 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:11.458096027 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:11.458132982 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:11.458306074 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:11.458314896 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:11.458472967 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:11.458527088 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:11.458687067 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:11.458753109 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:13.281810045 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:13.402899981 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:13.830286026 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:13.967828989 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:14.419244051 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:14.539403915 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:14.539448023 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:14.539505959 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:14.539516926 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:14.539555073 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:14.539627075 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:14.539660931 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:14.539671898 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:14.539853096 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:14.539864063 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:14.539871931 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:14.539880991 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:14.540023088 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:14.540033102 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:16.332729101 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:16.455276012 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:16.870084047 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:16.967838049 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:17.584670067 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:17.704900026 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:17.704917908 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:17.704936981 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:17.704946041 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:17.704965115 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:17.705092907 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:17.705102921 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:17.705112934 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:17.705125093 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:17.705358028 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:17.705368042 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:17.705377102 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:17.705550909 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:17.705562115 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:19.374598980 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:19.498434067 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:19.917829037 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:19.967847109 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:20.519882917 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:20.639971018 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:20.640036106 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:20.640047073 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:20.640058041 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:20.640140057 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:20.640208960 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:20.640274048 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:20.640362024 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:20.640372992 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:20.640424013 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:20.640500069 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:20.640511036 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:20.640666008 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:20.640775919 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:22.422224998 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:22.542464972 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:22.959779024 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:23.077176094 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:23.550649881 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:23.670737982 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:23.670763016 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:23.670841932 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:23.670906067 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:23.671041012 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:23.671051979 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:23.671183109 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:23.671258926 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:23.671267986 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:23.671277046 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:23.671354055 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:23.671365023 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:23.671466112 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:23.671504021 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:25.469136953 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:25.469212055 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:25.590732098 CET	63569	49992	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:25.590847969 CET	49992	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:27.408442974 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:27.528425932 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:27.528611898 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:29.456896067 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:29.600893021 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.600918055 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.600948095 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.600990057 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.601013899 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.601078033 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.601084948 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:29.601129055 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:29.601237059 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.601278067 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:29.601325035 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.601362944 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.601367950 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:29.601402998 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:29.601409912 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.601445913 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:29.721445084 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.721472025 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.721520901 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:29.721553087 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:29.721611977 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.721653938 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:29.721661091 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.721709967 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:29.721791029 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.721920967 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:29.721993923 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.722004890 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.722043037 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:29.722127914 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.722330093 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.722417116 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.722505093 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.722981930 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.841734886 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.841813087 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.842153072 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:29.842164040 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:30.789791107 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:30.794540882 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:30.905319929 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:30.910526991 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:31.178998947 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:31.179789066 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:31.299932003 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:31.555835009 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:31.608419895 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:32.103226900 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:32.224054098 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:32.224208117 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:32.224364042 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:32.224375963 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:32.224525928 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:32.224677086 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:32.224687099 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:32.224695921 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:32.224819899 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:32.224831104 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:32.224839926 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:32.224848986 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:32.224977016 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:32.224987984 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:33.944675922 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:34.064832926 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:34.595330000 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:34.795929909 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:35.268842936 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:35.592434883 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:35.592447042 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:35.592581034 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:35.592591047 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:35.592628002 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:35.592674971 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:35.592684984 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:35.592818975 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:35.592828989 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:35.592838049 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:35.592922926 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:35.592932940 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:35.592941999 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:35.592953920 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:36.999372959 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:36.999551058 CET	49993	63569	192.168.2.6	206.238.43.118
Nov 25, 2024 15:25:37.121444941 CET	63569	49993	206.238.43.118	192.168.2.6
Nov 25, 2024 15:25:37.121714115 CET	49993	63569	192.168.2.6	206.238.43.118

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Type
Nov 25, 2024 15:22:20.643851042 CET	192.168.2.6	206.238.43.118	c368	Echo
Nov 25, 2024 15:22:21.064387083 CET	206.238.43.118	192.168.2.6	cb68	Echo Reply
Nov 25, 2024 15:22:22.077395916 CET	192.168.2.6	206.238.43.118	d88b	Echo
Nov 25, 2024 15:22:22.504740953 CET	206.238.43.118	192.168.2.6	e08b	Echo Reply
Nov 25, 2024 15:22:23.514728069 CET	192.168.2.6	206.238.43.118	21e5	Echo
Nov 25, 2024 15:22:23.951360941 CET	206.238.43.118	192.168.2.6	29e5	Echo Reply
Nov 25, 2024 15:22:24.952183962 CET	192.168.2.6	206.238.43.118	3708	Echo
Nov 25, 2024 15:22:25.408474922 CET	206.238.43.118	192.168.2.6	3f08	Echo Reply
Nov 25, 2024 15:22:27.547333956 CET	192.168.2.6	206.238.43.118	73e3	Echo
Nov 25, 2024 15:22:27.990286112 CET	206.238.43.118	192.168.2.6	7be3	Echo Reply
Nov 25, 2024 15:22:28.999103069 CET	192.168.2.6	206.238.43.118	7806	Echo
Nov 25, 2024 15:22:29.437561989 CET	206.238.43.118	192.168.2.6	8006	Echo Reply
Nov 25, 2024 15:22:30.452572107 CET	192.168.2.6	206.238.43.118	7e29	Echo
Nov 25, 2024 15:22:30.873636961 CET	206.238.43.118	192.168.2.6	8629	Echo Reply
Nov 25, 2024 15:22:31.889713049 CET	192.168.2.6	206.238.43.118	924c	Echo
Nov 25, 2024 15:22:32.311707020 CET	206.238.43.118	192.168.2.6	9a4c	Echo Reply
Nov 25, 2024 15:22:34.454034090 CET	192.168.2.6	206.238.43.118	69fd	Echo
Nov 25, 2024 15:22:34.874259949 CET	206.238.43.118	192.168.2.6	71fd	Echo Reply
Nov 25, 2024 15:22:35.889902115 CET	192.168.2.6	206.238.43.118	7f20	Echo
Nov 25, 2024 15:22:36.369909048 CET	206.238.43.118	192.168.2.6	8720	Echo Reply
Nov 25, 2024 15:22:37.374577045 CET	192.168.2.6	206.238.43.118	e118	Echo
Nov 25, 2024 15:22:37.807604074 CET	206.238.43.118	192.168.2.6	e918	Echo Reply
Nov 25, 2024 15:22:38.811672926 CET	192.168.2.6	206.238.43.118	f53b	Echo
Nov 25, 2024 15:22:39.233644962 CET	206.238.43.118	192.168.2.6	fd3b	Echo Reply
Nov 25, 2024 15:22:41.375344038 CET	192.168.2.6	206.238.43.118	cdec	Echo
Nov 25, 2024 15:22:41.811697960 CET	206.238.43.118	192.168.2.6	d5ec	Echo Reply
Nov 25, 2024 15:22:42.827325106 CET	192.168.2.6	206.238.43.118	573a	Echo
Nov 25, 2024 15:22:43.249475002 CET	206.238.43.118	192.168.2.6	5f3a	Echo Reply
Nov 25, 2024 15:22:44.264899969 CET	192.168.2.6	206.238.43.118	6b5d	Echo
Nov 25, 2024 15:22:44.725064993 CET	206.238.43.118	192.168.2.6	735d	Echo Reply
Nov 25, 2024 15:22:45.733465910 CET	192.168.2.6	206.238.43.118	6080	Echo
Nov 25, 2024 15:22:46.165462017 CET	206.238.43.118	192.168.2.6	6880	Echo Reply
Nov 25, 2024 15:22:48.296787024 CET	192.168.2.6	206.238.43.118	bd5b	Echo
Nov 25, 2024 15:22:48.718723059 CET	206.238.43.118	192.168.2.6	c55b	Echo Reply
Nov 25, 2024 15:22:49.733517885 CET	192.168.2.6	206.238.43.118	d17e	Echo
Nov 25, 2024 15:22:50.185005903 CET	206.238.43.118	192.168.2.6	d97e	Echo Reply
Nov 25, 2024 15:22:51.187021971 CET	192.168.2.6	206.238.43.118	d6a1	Echo
Nov 25, 2024 15:22:51.865286112 CET	206.238.43.118	192.168.2.6	dea1	Echo Reply
Nov 25, 2024 15:22:52.874085903 CET	192.168.2.6	206.238.43.118	e017	Echo
Nov 25, 2024 15:22:53.374941111 CET	206.238.43.118	192.168.2.6	e817	Echo Reply
Nov 25, 2024 15:22:55.515399933 CET	192.168.2.6	206.238.43.118	17a2	Echo
Nov 25, 2024 15:22:55.935765982 CET	206.238.43.118	192.168.2.6	1fa2	Echo Reply
Nov 25, 2024 15:22:56.936583996 CET	192.168.2.6	206.238.43.118	113	Echo
Nov 25, 2024 15:22:57.368829012 CET	206.238.43.118	192.168.2.6	913	Echo Reply
Nov 25, 2024 15:22:58.376118898 CET	192.168.2.6	206.238.43.118	2482	Echo
Nov 25, 2024 15:22:58.861713886 CET	206.238.43.118	192.168.2.6	2c82	Echo Reply
Nov 25, 2024 15:22:59.874356985 CET	192.168.2.6	206.238.43.118	24b8	Echo
Nov 25, 2024 15:23:00.297733068 CET	206.238.43.118	192.168.2.6	2cb8	Echo Reply
Nov 25, 2024 15:23:02.437603951 CET	192.168.2.6	206.238.43.118	e276	Echo
Nov 25, 2024 15:23:02.880738020 CET	206.238.43.118	192.168.2.6	ea76	Echo Reply
Nov 25, 2024 15:23:03.893277884 CET	192.168.2.6	206.238.43.118	93de	Echo
Nov 25, 2024 15:23:04.341402054 CET	206.238.43.118	192.168.2.6	9bde	Echo Reply
Nov 25, 2024 15:23:05.342885017 CET	192.168.2.6	206.238.43.118	3bbc	Echo
Nov 25, 2024 15:23:05.924839973 CET	206.238.43.118	192.168.2.6	43bc	Echo Reply
Nov 25, 2024 15:23:06.936722040 CET	192.168.2.6	206.238.43.118	8413	Echo
Nov 25, 2024 15:23:07.374867916 CET	206.238.43.118	192.168.2.6	8c13	Echo Reply
Nov 25, 2024 15:23:09.516308069 CET	192.168.2.6	206.238.43.118	9977	Echo
Nov 25, 2024 15:23:09.977802992 CET	206.238.43.118	192.168.2.6	a177	Echo Reply
Nov 25, 2024 15:23:10.983716965 CET	192.168.2.6	206.238.43.118	f387	Echo
Nov 25, 2024 15:23:11.443449020 CET	206.238.43.118	192.168.2.6	fb87	Echo Reply
Nov 25, 2024 15:23:12.452687979 CET	192.168.2.6	206.238.43.118	9a48	Echo
Nov 25, 2024 15:23:12.943892002 CET	206.238.43.118	192.168.2.6	a248	Echo Reply
Nov 25, 2024 15:23:13.952389956 CET	192.168.2.6	206.238.43.118	af16	Echo
Nov 25, 2024 15:23:14.374610901 CET	206.238.43.118	192.168.2.6	b716	Echo Reply
Nov 25, 2024 15:23:16.515749931 CET	192.168.2.6	206.238.43.118	6e6f	Echo
Nov 25, 2024 15:23:16.964230061 CET	206.238.43.118	192.168.2.6	766f	Echo Reply
Nov 25, 2024 15:23:17.967892885 CET	192.168.2.6	206.238.43.118	f742	Echo
Nov 25, 2024 15:23:18.420156956 CET	206.238.43.118	192.168.2.6	ff42	Echo Reply
Nov 25, 2024 15:23:19.421022892 CET	192.168.2.6	206.238.43.118	30a6	Echo
Nov 25, 2024 15:23:19.955658913 CET	206.238.43.118	192.168.2.6	38a6	Echo Reply
Nov 25, 2024 15:23:20.967784882 CET	192.168.2.6	206.238.43.118	f7bd	Echo
Nov 25, 2024 15:23:21.436558962 CET	206.238.43.118	192.168.2.6	ffbd	Echo Reply
Nov 25, 2024 15:23:23.578855038 CET	192.168.2.6	206.238.43.118	7e97	Echo
Nov 25, 2024 15:23:24.052144051 CET	206.238.43.118	192.168.2.6	8697	Echo Reply
Nov 25, 2024 15:23:25.061769009 CET	192.168.2.6	206.238.43.118	1498	Echo
Nov 25, 2024 15:23:25.600043058 CET	206.238.43.118	192.168.2.6	1c98	Echo Reply
Nov 25, 2024 15:23:26.608536005 CET	192.168.2.6	206.238.43.118	cc21	Echo
Nov 25, 2024 15:23:27.129286051 CET	206.238.43.118	192.168.2.6	d421	Echo Reply
Nov 25, 2024 15:23:28.139971018 CET	192.168.2.6	206.238.43.118	4c68	Echo
Nov 25, 2024 15:23:28.560578108 CET	206.238.43.118	192.168.2.6	5468	Echo Reply
Nov 25, 2024 15:23:30.714310884 CET	192.168.2.6	206.238.43.118	d63e	Echo
Nov 25, 2024 15:23:31.144090891 CET	206.238.43.118	192.168.2.6	de3e	Echo Reply
Nov 25, 2024 15:23:32.155450106 CET	192.168.2.6	206.238.43.118	77b4	Echo
Nov 25, 2024 15:23:32.635884047 CET	206.238.43.118	192.168.2.6	7fb4	Echo Reply
Nov 25, 2024 15:23:33.640033960 CET	192.168.2.6	206.238.43.118	ed2b	Echo
Nov 25, 2024 15:23:34.071526051 CET	206.238.43.118	192.168.2.6	f52b	Echo Reply
Nov 25, 2024 15:23:35.077481031 CET	192.168.2.6	206.238.43.118	6b84	Echo
Nov 25, 2024 15:23:35.564707041 CET	206.238.43.118	192.168.2.6	7384	Echo Reply
Nov 25, 2024 15:23:37.703430891 CET	192.168.2.6	206.238.43.118	874b	Echo
Nov 25, 2024 15:23:38.144702911 CET	206.238.43.118	192.168.2.6	8f4b	Echo Reply
Nov 25, 2024 15:23:39.155615091 CET	192.168.2.6	206.238.43.118	6efa	Echo
Nov 25, 2024 15:23:39.615629911 CET	206.238.43.118	192.168.2.6	76fa	Echo Reply
Nov 25, 2024 15:23:40.651074886 CET	192.168.2.6	206.238.43.118	a990	Echo
Nov 25, 2024 15:23:41.107988119 CET	206.238.43.118	192.168.2.6	b190	Echo Reply
Nov 25, 2024 15:23:42.158327103 CET	192.168.2.6	206.238.43.118	bc82	Echo
Nov 25, 2024 15:23:42.599347115 CET	206.238.43.118	192.168.2.6	c482	Echo Reply
Nov 25, 2024 15:23:44.757688999 CET	192.168.2.6	206.238.43.118	6083	Echo
Nov 25, 2024 15:23:45.217726946 CET	206.238.43.118	192.168.2.6	6883	Echo Reply
Nov 25, 2024 15:23:46.233592987 CET	192.168.2.6	206.238.43.118	d3a2	Echo
Nov 25, 2024 15:23:46.726114988 CET	206.238.43.118	192.168.2.6	dba2	Echo Reply
Nov 25, 2024 15:23:47.734448910 CET	192.168.2.6	206.238.43.118	f997	Echo
Nov 25, 2024 15:23:48.231937885 CET	206.238.43.118	192.168.2.6	198	Echo Reply
Nov 25, 2024 15:23:49.233732939 CET	192.168.2.6	206.238.43.118	559f	Echo
Nov 25, 2024 15:23:49.701641083 CET	206.238.43.118	192.168.2.6	5d9f	Echo Reply
Nov 25, 2024 15:23:51.846005917 CET	192.168.2.6	206.238.43.118	783b	Echo
Nov 25, 2024 15:23:52.419353962 CET	206.238.43.118	192.168.2.6	803b	Echo Reply
Nov 25, 2024 15:23:53.421489954 CET	192.168.2.6	206.238.43.118	4ac0	Echo
Nov 25, 2024 15:23:53.880127907 CET	206.238.43.118	192.168.2.6	52c0	Echo Reply
Nov 25, 2024 15:23:54.890008926 CET	192.168.2.6	206.238.43.118	41a	Echo
Nov 25, 2024 15:23:55.364434004 CET	206.238.43.118	192.168.2.6	c1a	Echo Reply
Nov 25, 2024 15:23:56.374133110 CET	192.168.2.6	206.238.43.118	b2bd	Echo
Nov 25, 2024 15:23:56.850455999 CET	206.238.43.118	192.168.2.6	babd	Echo Reply
Nov 25, 2024 15:23:58.985044956 CET	192.168.2.6	206.238.43.118	5ce5	Echo
Nov 25, 2024 15:23:59.515227079 CET	206.238.43.118	192.168.2.6	64e5	Echo Reply
Nov 25, 2024 15:24:00.530524015 CET	192.168.2.6	206.238.43.118	91d6	Echo
Nov 25, 2024 15:24:01.226105928 CET	206.238.43.118	192.168.2.6	99d6	Echo Reply
Nov 25, 2024 15:24:02.233634949 CET	192.168.2.6	206.238.43.118	4584	Echo
Nov 25, 2024 15:24:02.776904106 CET	206.238.43.118	192.168.2.6	4d84	Echo Reply
Nov 25, 2024 15:24:03.780637026 CET	192.168.2.6	206.238.43.118	15e7	Echo
Nov 25, 2024 15:24:04.266539097 CET	206.238.43.118	192.168.2.6	1de7	Echo Reply
Nov 25, 2024 15:24:06.407943964 CET	192.168.2.6	206.238.43.118	4a7c	Echo
Nov 25, 2024 15:24:07.188646078 CET	206.238.43.118	192.168.2.6	527c	Echo Reply
Nov 25, 2024 15:24:08.202269077 CET	192.168.2.6	206.238.43.118	99b1	Echo
Nov 25, 2024 15:24:08.665468931 CET	206.238.43.118	192.168.2.6	a1b1	Echo Reply
Nov 25, 2024 15:24:09.671118021 CET	192.168.2.6	206.238.43.118	5de1	Echo
Nov 25, 2024 15:24:10.180031061 CET	206.238.43.118	192.168.2.6	65e1	Echo Reply
Nov 25, 2024 15:24:11.186733007 CET	192.168.2.6	206.238.43.118	da97	Echo
Nov 25, 2024 15:24:11.703470945 CET	206.238.43.118	192.168.2.6	e297	Echo Reply
Nov 25, 2024 15:24:13.844644070 CET	192.168.2.6	206.238.43.118	8940	Echo
Nov 25, 2024 15:24:14.397788048 CET	206.238.43.118	192.168.2.6	9140	Echo Reply
Nov 25, 2024 15:24:15.405443907 CET	192.168.2.6	206.238.43.118	b3c3	Echo
Nov 25, 2024 15:24:15.908726931 CET	206.238.43.118	192.168.2.6	bbc3	Echo Reply
Nov 25, 2024 15:24:16.921036005 CET	192.168.2.6	206.238.43.118	64a2	Echo
Nov 25, 2024 15:24:17.401324987 CET	206.238.43.118	192.168.2.6	6ca2	Echo Reply
Nov 25, 2024 15:24:18.405833960 CET	192.168.2.6	206.238.43.118	f706	Echo
Nov 25, 2024 15:24:18.933948994 CET	206.238.43.118	192.168.2.6	ff06	Echo Reply
Nov 25, 2024 15:24:21.078411102 CET	192.168.2.6	206.238.43.118	103b	Echo
Nov 25, 2024 15:24:21.594345093 CET	206.238.43.118	192.168.2.6	183b	Echo Reply
Nov 25, 2024 15:24:22.608537912 CET	192.168.2.6	206.238.43.118	c8aa	Echo
Nov 25, 2024 15:24:23.126117945 CET	206.238.43.118	192.168.2.6	d0aa	Echo Reply
Nov 25, 2024 15:24:24.142498016 CET	192.168.2.6	206.238.43.118	8882	Echo
Nov 25, 2024 15:24:24.644324064 CET	206.238.43.118	192.168.2.6	9082	Echo Reply
Nov 25, 2024 15:24:25.655858040 CET	192.168.2.6	206.238.43.118	23ae	Echo
Nov 25, 2024 15:24:26.212923050 CET	206.238.43.118	192.168.2.6	2bae	Echo Reply
Nov 25, 2024 15:24:28.344392061 CET	192.168.2.6	206.238.43.118	8ad	Echo
Nov 25, 2024 15:24:39.376720905 CET	192.168.2.6	206.238.43.118	1c51	Echo
Nov 25, 2024 15:24:39.877592087 CET	206.238.43.118	192.168.2.6	2451	Echo Reply
Nov 25, 2024 15:24:40.890188932 CET	192.168.2.6	206.238.43.118	15a	Echo
Nov 25, 2024 15:24:41.621462107 CET	206.238.43.118	192.168.2.6	95a	Echo Reply
Nov 25, 2024 15:24:42.624639988 CET	192.168.2.6	206.238.43.118	aed5	Echo
Nov 25, 2024 15:24:43.066195011 CET	206.238.43.118	192.168.2.6	b6d5	Echo Reply
Nov 25, 2024 15:24:45.213267088 CET	192.168.2.6	206.238.43.118	f834	Echo
Nov 25, 2024 15:24:45.744054079 CET	206.238.43.118	192.168.2.6	35	Echo Reply
Nov 25, 2024 15:24:46.749213934 CET	192.168.2.6	206.238.43.118	62c8	Echo
Nov 25, 2024 15:24:47.242574930 CET	206.238.43.118	192.168.2.6	6ac8	Echo Reply
Nov 25, 2024 15:24:48.249367952 CET	192.168.2.6	206.238.43.118	9078	Echo
Nov 25, 2024 15:24:48.718947887 CET	206.238.43.118	192.168.2.6	9878	Echo Reply
Nov 25, 2024 15:24:49.734107971 CET	192.168.2.6	206.238.43.118	afb8	Echo
Nov 25, 2024 15:24:50.204425097 CET	206.238.43.118	192.168.2.6	b7b8	Echo Reply
Nov 25, 2024 15:24:52.344386101 CET	192.168.2.6	206.238.43.118	a561	Echo
Nov 25, 2024 15:24:52.847429037 CET	206.238.43.118	192.168.2.6	ad61	Echo Reply
Nov 25, 2024 15:24:53.859103918 CET	192.168.2.6	206.238.43.118	5d9f	Echo
Nov 25, 2024 15:24:54.349256992 CET	206.238.43.118	192.168.2.6	659f	Echo Reply
Nov 25, 2024 15:24:55.359867096 CET	192.168.2.6	206.238.43.118	c809	Echo
Nov 25, 2024 15:24:55.936038017 CET	206.238.43.118	192.168.2.6	d009	Echo Reply
Nov 25, 2024 15:24:56.936739922 CET	192.168.2.6	206.238.43.118	aadb	Echo
Nov 25, 2024 15:24:57.468302965 CET	206.238.43.118	192.168.2.6	b2db	Echo Reply
Nov 25, 2024 15:24:59.611079931 CET	192.168.2.6	206.238.43.118	a402	Echo
Nov 25, 2024 15:25:00.065093040 CET	206.238.43.118	192.168.2.6	ac02	Echo Reply
Nov 25, 2024 15:25:01.077511072 CET	192.168.2.6	206.238.43.118	ae0a	Echo
Nov 25, 2024 15:25:01.553262949 CET	206.238.43.118	192.168.2.6	b60a	Echo Reply
Nov 25, 2024 15:25:02.649657965 CET	192.168.2.6	206.238.43.118	4fdf	Echo
Nov 25, 2024 15:25:03.156493902 CET	206.238.43.118	192.168.2.6	57df	Echo Reply
Nov 25, 2024 15:25:04.171118975 CET	192.168.2.6	206.238.43.118	73bd	Echo
Nov 25, 2024 15:25:04.695242882 CET	206.238.43.118	192.168.2.6	7bbd	Echo Reply
Nov 25, 2024 15:25:06.829360962 CET	192.168.2.6	206.238.43.118	a246	Echo
Nov 25, 2024 15:25:07.303730965 CET	206.238.43.118	192.168.2.6	aa46	Echo Reply
Nov 25, 2024 15:25:08.311837912 CET	192.168.2.6	206.238.43.118	ced8	Echo
Nov 25, 2024 15:25:08.747729063 CET	206.238.43.118	192.168.2.6	d6d8	Echo Reply
Nov 25, 2024 15:25:09.749404907 CET	192.168.2.6	206.238.43.118	30e6	Echo
Nov 25, 2024 15:25:10.217283964 CET	206.238.43.118	192.168.2.6	38e6	Echo Reply
Nov 25, 2024 15:25:11.218033075 CET	192.168.2.6	206.238.43.118	b5ae	Echo
Nov 25, 2024 15:25:12.075740099 CET	206.238.43.118	192.168.2.6	bdae	Echo Reply
Nov 25, 2024 15:25:14.204051018 CET	192.168.2.6	206.238.43.118	62cc	Echo
Nov 25, 2024 15:25:14.658941984 CET	206.238.43.118	192.168.2.6	6acc	Echo Reply
Nov 25, 2024 15:25:15.671207905 CET	192.168.2.6	206.238.43.118	163e	Echo
Nov 25, 2024 15:25:16.180679083 CET	206.238.43.118	192.168.2.6	1e3e	Echo Reply
Nov 25, 2024 15:25:17.186795950 CET	192.168.2.6	206.238.43.118	a9bd	Echo
Nov 25, 2024 15:25:17.714705944 CET	206.238.43.118	192.168.2.6	b1bd	Echo Reply
Nov 25, 2024 15:25:18.718316078 CET	192.168.2.6	206.238.43.118	4d00	Echo
Nov 25, 2024 15:25:19.266134977 CET	206.238.43.118	192.168.2.6	5500	Echo Reply
Nov 25, 2024 15:25:21.407577038 CET	192.168.2.6	206.238.43.118	fdf1	Echo
Nov 25, 2024 15:25:21.851867914 CET	206.238.43.118	192.168.2.6	5f2	Echo Reply
Nov 25, 2024 15:25:22.858686924 CET	192.168.2.6	206.238.43.118	a2ae	Echo
Nov 25, 2024 15:25:23.290183067 CET	206.238.43.118	192.168.2.6	aaae	Echo Reply
Nov 25, 2024 15:25:24.296181917 CET	192.168.2.6	206.238.43.118	ac6e	Echo
Nov 25, 2024 15:25:24.871572018 CET	206.238.43.118	192.168.2.6	b46e	Echo Reply
Nov 25, 2024 15:25:25.874322891 CET	192.168.2.6	206.238.43.118	dbcf	Echo
Nov 25, 2024 15:25:26.296336889 CET	206.238.43.118	192.168.2.6	e3cf	Echo Reply
Nov 25, 2024 15:25:28.604871988 CET	192.168.2.6	206.238.43.118	9e95	Echo
Nov 25, 2024 15:25:29.050312042 CET	206.238.43.118	192.168.2.6	a695	Echo Reply
Nov 25, 2024 15:25:30.061963081 CET	192.168.2.6	206.238.43.118	1e0e	Echo
Nov 25, 2024 15:25:30.564033031 CET	206.238.43.118	192.168.2.6	260e	Echo Reply
Nov 25, 2024 15:25:31.577522039 CET	192.168.2.6	206.238.43.118	ca49	Echo
Nov 25, 2024 15:25:32.021032095 CET	206.238.43.118	192.168.2.6	d249	Echo Reply
Nov 25, 2024 15:25:33.030777931 CET	192.168.2.6	206.238.43.118	962f	Echo
Nov 25, 2024 15:25:33.486300945 CET	206.238.43.118	192.168.2.6	9e2f	Echo Reply
Nov 25, 2024 15:25:35.734750032 CET	192.168.2.6	206.238.43.118	8187	Echo
Nov 25, 2024 15:25:36.198149920 CET	206.238.43.118	192.168.2.6	8987	Echo Reply
Nov 25, 2024 15:25:37.202472925 CET	192.168.2.6	206.238.43.118	79d7	Echo
Nov 25, 2024 15:25:37.645880938 CET	206.238.43.118	192.168.2.6	81d7	Echo Reply

Target ID:	0
Start time:	09:21:29
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZwmyzMxFKL.exe"
Imagebase:	0xcd0000
File size:	58'031'336 bytes
MD5 hash:	2FA4F19F9FB9E7A71D85AAF34D318178
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:21:35
Start date:	25/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff796290000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	09:21:35
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 7E6189B68D04BCCC687811EFCABCB7B7 C
Imagebase:	0x8f0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:21:42
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZwmyzMxFKL.exe" /i "C:\Program Files (x86)\WindowsInstallerFQ\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\DnLIMGKCARTO" SECONDSEQUENCE="1" CLIENTPROCESSID="2488" AI_MORE_CMD_LINE=1
Imagebase:	0xcd0000
File size:	58'031'336 bytes
MD5 hash:	2FA4F19F9FB9E7A71D85AAF34D318178
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:21:44
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 2D3D4FA1C75486B2FBEFE9E283CEBF24
Imagebase:	0x8f0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:22:05
Start date:	25/11/2024
Path:	C:\Windows\Installer\MSIF1CE.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Installer\MSIF1CE.tmp"
Imagebase:	0x330000
File size:	175'328 bytes
MD5 hash:	BE4ED0D3AA0B2573927A046620106B13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:22:06
Start date:	25/11/2024
Path:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU" -o"C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73" -pe6ab90d5741a3329XSJ -aos -y
Imagebase:	0xe30000
File size:	710'888 bytes
MD5 hash:	FAE7D0A530279838C8A5731B086A081B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000003.2536019030.00000000034E6000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:22:06
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:22:11
Start date:	25/11/2024
Path:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\408dd7481cc3.KWR" -o"C:\Program Files (x86)\DnLIMGKCARTO" -pd90abf5032721ffaBCX -aos -y
Imagebase:	0xe30000
File size:	710'888 bytes
MD5 hash:	FAE7D0A530279838C8A5731B086A081B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:22:11
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:22:13
Start date:	25/11/2024
Path:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX" -o"C:\Users\user\AppData\Roaming" -p5ccac7f27f4c789fFPK -aos -y
Imagebase:	0xe30000
File size:	710'888 bytes
MD5 hash:	FAE7D0A530279838C8A5731B086A081B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:22:13
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:22:14
Start date:	25/11/2024
Path:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe"
Imagebase:	0x400000
File size:	691'760 bytes
MD5 hash:	938C33C54819D6CE8D731B68D9C37E38
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000F.00000000.2588994186.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:22:14
Start date:	25/11/2024
Path:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe"
Imagebase:	0x400000
File size:	691'760 bytes
MD5 hash:	938C33C54819D6CE8D731B68D9C37E38
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000012.00000002.2632670760.000000000302C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	09:22:16
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\BD8094EB83814BB7B1A4099568EFED73\VGX\Haloonoroff.exe"
Imagebase:	0x830000
File size:	174'304 bytes
MD5 hash:	0D318144BD23BA1A72CC06FE19CB3F0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.1%
Total number of Nodes:	1730
Total number of Limit Nodes:	44

Executed Functions

Function 00E281C0 Relevance: 30.3, APIs: 14, Strings: 3, Instructions: 526
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00E2824E
GetLastError.KERNEL32 ref: 00E28254
GetUserNameW.ADVAPI32(00000000,?), ref: 00E2829C
GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00E282D2
GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 00E2831C
RegDeleteValueW.KERNEL32(?,?,00000000,80000001,00000001,00000000,93D979FF,00000000,?), ref: 00E28515
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,93D979FF,00000000,?), ref: 00E2854B
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E286A0
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,93D979FF,00000000), ref: 00E286E2
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,93D979FF,00000000), ref: 00E28727
RegDeleteKeyW.ADVAPI32(?,00000000), ref: 00E28749
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,93D979FF,00000000), ref: 00E28785
RegDeleteValueW.KERNEL32(?,?,00000000,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000,93D979FF,00000000), ref: 00E2888A
RegCloseKey.ADVAPI32(?,?,?,00000000,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000,93D979FF,00000000), ref: 00E288CC

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00E287AA
UserDomain, xrefs: 00E282CD, 00E28317
Software, xrefs: 00E2857E

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Close$Delete$EnvironmentNameUserValueVariable$ErrorInfoLastQuery
String ID: Software$Software\Microsoft\Windows\CurrentVersion\RunOnce$UserDomain
API String ID: 1615433478-4079418357
Opcode ID: 729505d1c3825828ffb472870b374d7c2e3e7fbcbc8405ae4f367e0b7340319d
Instruction ID: 5557ba382025a8c57ae23ba92820b887a87962f56c91556b39ce0c233c71c68d
Opcode Fuzzy Hash: 729505d1c3825828ffb472870b374d7c2e3e7fbcbc8405ae4f367e0b7340319d
Instruction Fuzzy Hash: 58229970A01258DBDF14DFA4DD99BEEBBB4FF04304F644159E405B7280EBB46A88DBA1

Function 00E04CA0 Relevance: 27.5, APIs: 11, Strings: 4, Instructions: 1259COMMON

Download Yara Rule

APIs

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

GetTickCount.KERNEL32 ref: 00E04D24
__Xtime_get_ticks.LIBCPMT ref: 00E04D2C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E04D76
__Init_thread_footer.LIBCMT ref: 00E04F64
GetCurrentProcess.KERNEL32(?,?,?), ref: 00E0517A
OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,?), ref: 00E05187
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?), ref: 00E051A7
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00E051D2

Strings

\\?\, xrefs: 00E05A9D
\/:*?"<>|, xrefs: 00E04F26
/uninstall, xrefs: 00E05383
VersionString, xrefs: 00E05454, 00E054A5

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footerProcess$Token$CloseCountCurrentHandleHeapInformationOpenTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
String ID: /uninstall$VersionString$\/:*?"<>|$\\?\
API String ID: 3363527671-654522458
Opcode ID: 4d7a68f1366dd0b96e2d771d1849b9455daa9d53ac03f93dd459aebaea712b56
Instruction ID: 9b757932c41af2dc0cc9b2ddd9b730089ae3dfd2a274443934b58429acb520d9
Opcode Fuzzy Hash: 4d7a68f1366dd0b96e2d771d1849b9455daa9d53ac03f93dd459aebaea712b56
Instruction Fuzzy Hash: 2BB2AB71A00A09DFDB14DFA8C848BAEBBB5FF44314F148269E415BB2D1DB74A985CF90

Function 6CA8D070 Relevance: 21.4, APIs: 9, Strings: 3, Instructions: 400
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindClose.KERNEL32(00000000,?,?,6CB08D6C,?), ref: 6CA8D0CF
PathIsUNCW.SHLWAPI(?,*.*,?,6CB08D6C), ref: 6CA8D17F
FindFirstFileW.KERNEL32(?,?,*.*,?,6CB08D6C), ref: 6CA8D323
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,?,6CB08D6C), ref: 6CA8D33D
GetFullPathNameW.KERNEL32(00000000,00000000,?,00000000,?,6CB08D6C), ref: 6CA8D370
FindClose.KERNEL32(00000000,?,?,?,?,?,6CB08D6C), ref: 6CA8D3E1
SetLastError.KERNEL32(0000007B,?,?,?,?,?,6CB08D6C), ref: 6CA8D3EB
_wcsrchr.LIBVCRUNTIME ref: 6CA8D441
_wcsrchr.LIBVCRUNTIME ref: 6CA8D461

Strings

\\?\UNC\, xrefs: 6CA8D19F, 6CA8D2A0
\\?\, xrefs: 6CA8D2B3, 6CA8D30E, 6CA8D313
*.*, xrefs: 6CA8D0FA, 6CA8D128, 6CA8D14F, 6CA8D150

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: FindPath$CloseFullName_wcsrchr$ErrorFileFirstLast
String ID: *.*$\\?\$\\?\UNC\
API String ID: 726989864-1700010636
Opcode ID: f06d80495de3a444f618c2b18c88cf72e8309ea10050d1e6f70fac138c533e6d
Instruction ID: 9b0355b5b80463d13b02433a9c2cb81cfa64922235d78d58b2dcf95a907072bd
Opcode Fuzzy Hash: f06d80495de3a444f618c2b18c88cf72e8309ea10050d1e6f70fac138c533e6d
Instruction Fuzzy Hash: 59E1E730A02602DFDB05DF68C944B9EB7B2FF45318F14826AE815DB790EB35E985CB50

Function 6CA7DB00 Relevance: 17.5, Strings: 13, Instructions: 1250COMMON

Download Yara Rule

Strings

Info 1720, xrefs: 6CA7E568
fatal error, xrefs: 6CA7DC1C
user abort, xrefs: 6CA7DBE1, 6CA7DC31
W, xrefs: 6CA7E776
Lifecycle: , xrefs: 6CA7DD64
Error: , xrefs: 6CA7E1D7
success, xrefs: 6CA7DBA6
Track screen: [, xrefs: 6CA7E8A0
-> , xrefs: 6CA7DD9B
Exception >> , xrefs: 6CA7E5BC
Warning: , xrefs: 6CA7DFB2
Action ended, xrefs: 6CA7E2D6
Crash >> , xrefs: 6CA7E367

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: #118#125#171Heap$#103AllocateProcess
String ID: -> $Action ended$Crash >> $Error: $Exception >> $Info 1720$Lifecycle: $Track screen: [$W$Warning: $fatal error$success$user abort
API String ID: 3131113549-1454030630
Opcode ID: 55d5f5da6970c65ae3798a48d17043b825bd15a0d6aff31d2988588d89378218
Instruction ID: a2f2db7a4d6c110757b76e39261306157126177de0ced592e24910fc74807bbe
Opcode Fuzzy Hash: 55d5f5da6970c65ae3798a48d17043b825bd15a0d6aff31d2988588d89378218
Instruction Fuzzy Hash: 0EB2F374E01248DFDB14CFA8C944BDEBBB1BF45318F28825DE411AB780D7759A89CBA1

Function 00E10640 Relevance: 15.8, APIs: 10, Instructions: 792COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$HeapProcess
String ID:
API String ID: 275895251-0
Opcode ID: 3b51c87627c36453b80375e73758dd4913123a6583f603a38c06aa9c40c29625
Instruction ID: 7624cc1de830fed182183bf2085b74f1a002be43b83d5f4b602636caeb656c3f
Opcode Fuzzy Hash: 3b51c87627c36453b80375e73758dd4913123a6583f603a38c06aa9c40c29625
Instruction Fuzzy Hash: 32729F70900649DFDB14DFA8C884BDDBBF0BF49314F148299E515AB292DBB0AE85CF90

Function 00DEE740 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,93D979FF,?,00000000,00000000), ref: 00DEE77E
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00DEE7A1
LoadImageW.USER32(?,?,00000001,00000000,00000000,?), ref: 00DEE801
FreeLibrary.KERNEL32(00000000), ref: 00DEE81F

Strings

LoadIconMetric, xrefs: 00DEE79B
ComCtl32.dll, xrefs: 00DEE772

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: LibraryLoad$AddressFreeImageProc
String ID: ComCtl32.dll$LoadIconMetric
API String ID: 1597520822-764666640
Opcode ID: 7b288f8ebf70cf3c3c457f6b71ec8b4981ce257ebfba735cffab4fd53ca1d1c9
Instruction ID: 08e7c824c73d1a98690942630df5018501ca6db63e45f32ad4b404ab2123c682
Opcode Fuzzy Hash: 7b288f8ebf70cf3c3c457f6b71ec8b4981ce257ebfba735cffab4fd53ca1d1c9
Instruction Fuzzy Hash: E2319371A04259ABDF109FA5DC44BAFBFF8FB48750F04012AF915A3281D7B59900DBA1

Function 6CA97870 Relevance: 6.1, APIs: 4, Instructions: 84fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,461C95ED), ref: 6CA97906
FindClose.KERNEL32(00000000,?,?), ref: 6CA9793E

Part of subcall function 6CA77F30: RtlAllocateHeap.NTDLL(00000000,00000000,?,461C95ED,00000000,6CABED80,000000FF,?,?,6CAFD24C,?,6CA981AD,80004005), ref: 6CA77F7A

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID:
API String ID: 1673784098-0
Opcode ID: 5c3d9bc3f087e122153344d423759f9b3ce39982f64a5f25ea8c01cee263e80c
Instruction ID: eac71c95b3ceb875738ff38b7e7a96bf3e29516e5d1cd07c58a021a4662804cb
Opcode Fuzzy Hash: 5c3d9bc3f087e122153344d423759f9b3ce39982f64a5f25ea8c01cee263e80c
Instruction Fuzzy Hash: 5331EF31815218CADB289FA4894A7A9B7F4EF05328F10839DD929E3A90D73459C5CBA1

Function 00DA7A10 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 228libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00DA7A51

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

Part of subcall function 00CD92A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,00CD9418,-00000010,?,00000000), ref: 00CD92C3

LoadLibraryExW.KERNEL32(?,00000000,00000000,00EE0D6D,000000FF), ref: 00DA7B24

Strings

UxTheme.dll, xrefs: 00DA7A2C, 00DA7AFF, 00DA7B00, 00DA7B94

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$DirectoryFindHeapLibraryLoadProcessResourceSystem
String ID: UxTheme.dll
API String ID: 2586271605-352951104
Opcode ID: 40333fbf743ace560a7cdd755cb1987f47e61afaa2407b5fe205002007cf6083
Instruction ID: 1439eb3d808ca7db552004a267cfda18071065b7a138d19f11846a59d2908db4
Opcode Fuzzy Hash: 40333fbf743ace560a7cdd755cb1987f47e61afaa2407b5fe205002007cf6083
Instruction Fuzzy Hash: 81A189B0905649EFE714CF24C818B9ABBF4FF05308F24865DD8199B681D7BAA618DB90

Function 00E84245 Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,00E135FE,?,?,?,?,?,?), ref: 00E8424A
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 00E84251
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 00E84297
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00E8429E

Part of subcall function 00E840E3: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00E8428D,?,?,?,?,?,?,?), ref: 00E84107
Part of subcall function 00E840E3: HeapAlloc.KERNEL32(00000000,?,00E8428D,?,?,?,?,?,?,?), ref: 00E8410E

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: e4a1aeda32fed7b0bfeca39fbc4c35ad82013f0423ce494a763a539aa9a42cc5
Instruction ID: be832af8a25b6dc6c6ccce742b31017f1e4b0b3f6427da3baf1263cec7ed3d34
Opcode Fuzzy Hash: e4a1aeda32fed7b0bfeca39fbc4c35ad82013f0423ce494a763a539aa9a42cc5
Instruction Fuzzy Hash: 00F0BBB2A4C71357C7657BF87C0CA5F3EA4EF807517115114F54DE61A0EE60C801A750

Function 00DEB1B0 Relevance: 4.6, APIs: 3, Instructions: 93fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,00000000,?,00000000), ref: 00DEB24D
FindClose.KERNEL32(00000000), ref: 00DEB2AC

Part of subcall function 00CD9980: RtlAllocateHeap.NTDLL(?,00000000,?,93D979FF,00000000,00EAC6B0,000000FF,?,?,00F8C42C,00000000,00E2ECDB,80004005,93D979FF,?,?), ref: 00CD99CA

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID:
API String ID: 1673784098-0
Opcode ID: 4a154810eae76f4157a0b64d6b21f63106c64532b8a7b8c9de91b02a52171a60
Instruction ID: 14059a2675c1a7d6f3d42033f221e222000b96e0851a1c4da5ae7e12db03a372
Opcode Fuzzy Hash: 4a154810eae76f4157a0b64d6b21f63106c64532b8a7b8c9de91b02a52171a60
Instruction Fuzzy Hash: BB31D2309042588BDB24EF56C848BAEB7F4FF45324F20416EDA19A7380D7716944CFA9

Function 00E298C0 Relevance: 3.1, APIs: 2, Instructions: 86filepipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,93D979FF,93D979FF,?,?,?,?,00000000), ref: 00E29949
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,93D979FF,93D979FF,?,?,?,?,00000000,00EF83A5), ref: 00E2996A

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Create$FileNamedPipe
String ID:
API String ID: 1328467360-0
Opcode ID: adcce5f7ced184fcee65f06dbfce36c0c5e6952dfbe2ada1dc673e71fd228e93
Instruction ID: 40873f8e43250082a6c0e2c79aab71628d672b4594aee0b131897d02927934e3
Opcode Fuzzy Hash: adcce5f7ced184fcee65f06dbfce36c0c5e6952dfbe2ada1dc673e71fd228e93
Instruction Fuzzy Hash: 0131D531A8874AAFE731CF14DC05B99BBA4EB01730F10866EF9A5A76D1D771A940CB40

Function 00D0AEA0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 00D0AEB8
SetUnhandledExceptionFilter.KERNEL32(00DEA060), ref: 00D0AECE

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 8e507351af96fbf2a43abefbdb1f1fa6de8091c0a0b049ed22cc5dc51b7aa221
Instruction ID: 3f31e78034fcf490922a762236780a4b4d9528e2768e2b4743f6bd3bdbc9fc0b
Opcode Fuzzy Hash: 8e507351af96fbf2a43abefbdb1f1fa6de8091c0a0b049ed22cc5dc51b7aa221
Instruction Fuzzy Hash: 8DE02672A442446EC711B758AC0AF4A3FD4EB96710F06805AF10C231A1D7B09805E372

Function 6CA75B60 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetAdaptersInfo.IPHLPAPI(00000000,6CA75C87), ref: 6CA75BCB

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: AdaptersInfo
String ID:
API String ID: 3177971545-0
Opcode ID: aa9068bc79b06688e947bc833728f34299a46cae8db89be9451666209922eb95
Instruction ID: c2ff8332c8b8c70657634747b5e55b7a90e80a9e1b290485d3501d9a2adce038
Opcode Fuzzy Hash: aa9068bc79b06688e947bc833728f34299a46cae8db89be9451666209922eb95
Instruction Fuzzy Hash: D021C579605201AFD324CF69C994A6AB7E9FBC5314F448A3EE04687A80EB60A9848670

Function 00E33E80 Relevance: 1.5, APIs: 1, Instructions: 49comCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF0100: __Init_thread_footer.LIBCMT ref: 00DF01E0

CoCreateInstance.COMBASE(00F142C8,00000000,00000001,00F30CEC,000000B0), ref: 00E33EFE

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CreateInit_thread_footerInstance
String ID:
API String ID: 3436645735-0
Opcode ID: 8374dcf1f89ebf135ce60aa3ce9e16a5297b988450b5c31caec9eb4bbf8a626e
Instruction ID: 39a9cef6de8d645fe080957fc124e4d255ecc2d7ec1ec81b1782ad5062f79ee1
Opcode Fuzzy Hash: 8374dcf1f89ebf135ce60aa3ce9e16a5297b988450b5c31caec9eb4bbf8a626e
Instruction Fuzzy Hash: 7B11AD71604745ABD720CF59D805B8ABBF8EB45B20F10465EF861AB7C0C7B6A904CB90

Function 00E2F0D0 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

P, xrefs: 00E2F1F2

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$CreateHeapInstanceProcess
String ID: P
API String ID: 3807588171-1343716551
Opcode ID: 59ec466bfa6f309fa080be8378ae3d9d6abcebab3a3dd446ce7067d94fe46232
Instruction ID: 878ec45c4dbf86c4beb801910f958fb31187e8a63b465af3170ab13a9e185bfd
Opcode Fuzzy Hash: 59ec466bfa6f309fa080be8378ae3d9d6abcebab3a3dd446ce7067d94fe46232
Instruction Fuzzy Hash: 4C6135B0500744CFE710CF68C51838ABBF0EF45318F148A6DD58AAB792D7B9A509DB80

Function 00DD2DF0 Relevance: 112.3, APIs: 8, Strings: 56, Instructions: 327
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

MoveFileW.KERNEL32(?,?), ref: 00DD2F6A
GetModuleHandleW.KERNEL32(kernel32,?), ref: 00DD2FAC
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00DD2FF4
GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 00DD304C
__Init_thread_footer.LIBCMT ref: 00DD305C
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00DD30A4
__Init_thread_footer.LIBCMT ref: 00DD3004

Part of subcall function 00E84B58: EnterCriticalSection.KERNEL32(00F97FD8,93D979FF,?,00CD9DD7,00F98C04,00F07520), ref: 00E84B62
Part of subcall function 00E84B58: LeaveCriticalSection.KERNEL32(00F97FD8,?,00CD9DD7,00F98C04,00F07520), ref: 00E84B95
Part of subcall function 00E84B58: RtlWakeAllConditionVariable.NTDLL ref: 00E84C0C

__Init_thread_footer.LIBCMT ref: 00DD30B4

Part of subcall function 00DA7A10: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00DA7A51

Strings

lpk.dll, xrefs: 00DD31FF
msihnd.dll, xrefs: 00DD321D
msasn1.dll, xrefs: 00DD31D7
dwmapi.dll, xrefs: 00DD3123
wininet.dll, xrefs: 00DD317E
ws2_32.dll, xrefs: 00DD324F
propsys.dll, xrefs: 00DD31B9
gdi32.dll, xrefs: 00DD3154
shcore.dll, xrefs: 00DD3227
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00DD2E67, 00DD2E6F
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00DD2E62
SetDefaultDllDirectories, xrefs: 00DD309E
user32.dll, xrefs: 00DD315B
samcli.dll, xrefs: 00DD3245
uxtheme.dll, xrefs: 00DD3107, 00DD3193
kernel32, xrefs: 00DD2FA7
netapi32.dll, xrefs: 00DD3259
kernel32.dll, xrefs: 00DD31AF
usp10.dll, xrefs: 00DD3213
shell32.dll, xrefs: 00DD3146
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00DD2E80, 00DD2E8F
WindowsCodecs.dll, xrefs: 00DD30D6
setupapi.dll, xrefs: 00DD3209
rsaenh.dll, xrefs: 00DD31C3
shlwapi.dll, xrefs: 00DD31F5
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00DD2E87
version.dll, xrefs: 00DD30F9, 00DD3177
apphelp.dll, xrefs: 00DD31CD
comdlg32.dll, xrefs: 00DD3162
msls31.dll, xrefs: 00DD30F2
oleaut32.dll, xrefs: 00DD3138
cabinet.dll, xrefs: 00DD31A8
cryptsp.dll, xrefs: 00DD3231
crypt32.dll, xrefs: 00DD31E1
secur32.dll, xrefs: 00DD323B
psapi.dll, xrefs: 00DD30CC
profapi.dll, xrefs: 00DD310E
userenv.dll, xrefs: 00DD311C
USP10.dll, xrefs: 00DD30EB
mpr.dll, xrefs: 00DD3100, 00DD318C
ole32.dll, xrefs: 00DD3131
msi.dll, xrefs: 00DD30E4, 00DD319A
SetDllDirectory, xrefs: 00DD3046
SetSearchPathMode, xrefs: 00DD2FEE
dbghelp.dll, xrefs: 00DD3170
wkscli.dll, xrefs: 00DD3277
srvcli.dll, xrefs: 00DD326D
wintrust.dll, xrefs: 00DD31EB
comctl32.dll, xrefs: 00DD313F
davhlpr.dll, xrefs: 00DD312A
urlmon.dll, xrefs: 00DD3185
netutils.dll, xrefs: 00DD3263
bcrypt.dll, xrefs: 00DD30DD
gdiplus.dll, xrefs: 00DD3115, 00DD31A1
msimg32.dll, xrefs: 00DD3169
advapi32.dll, xrefs: 00DD314D

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$AddressProc$CriticalSection$ConditionDirectoryEnterFileHandleHeapLeaveModuleMoveProcessSystemVariableWake
String ID: @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$USP10.dll$WindowsCodecs.dll$advapi32.dll$apphelp.dll$bcrypt.dll$cabinet.dll$comctl32.dll$comdlg32.dll$crypt32.dll$cryptsp.dll$davhlpr.dll$dbghelp.dll$dwmapi.dll$gdi32.dll$gdiplus.dll$kernel32$kernel32.dll$lpk.dll$mpr.dll$msasn1.dll$msi.dll$msihnd.dll$msimg32.dll$msls31.dll$netapi32.dll$netutils.dll$ole32.dll$oleaut32.dll$profapi.dll$propsys.dll$psapi.dll$rsaenh.dll$samcli.dll$secur32.dll$setupapi.dll$shcore.dll$shell32.dll$shlwapi.dll$srvcli.dll$urlmon.dll$user32.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wininet.dll$wintrust.dll$wkscli.dll$ws2_32.dll
API String ID: 3437638698-2006426916
Opcode ID: d31a9b68afc699b7aa93054dec74b81adfb08f89a275dcd60d8a890e3b1d4099
Instruction ID: fb8a550c5130f33a3aa97f259b6122f6959b0f63592b8f3e885f4e07fd18ad2c
Opcode Fuzzy Hash: d31a9b68afc699b7aa93054dec74b81adfb08f89a275dcd60d8a890e3b1d4099
Instruction Fuzzy Hash: 2BE16DB0904299DFDF20DF58D849BDEBBE4EF15314F14811DE918AB392D7B09A08DBA1

Function 00DF0410 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 247
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00DF047E
RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00DF04C5
RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00DF04E4
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00DF0513
RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00DF0588
RegQueryValueExW.ADVAPI32(00000000,BuildBranch,00000000,00000000,?,?), ref: 00DF05F1
RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 00DF0654
RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 00DF06A6
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00DF0743
GetProcAddress.KERNEL32(00000000), ref: 00DF074A
__Init_thread_footer.LIBCMT ref: 00DF075E
GetCurrentProcess.KERNEL32(?), ref: 00DF0781
IsWow64Process.KERNEL32(00000000), ref: 00DF0788
RegCloseKey.ADVAPI32(00000000), ref: 00DF07C2

Strings

CurrentMinorVersionNumber, xrefs: 00DF04D9
co_release, xrefs: 00DF05F9
ReleaseId, xrefs: 00DF0649
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00DF0474
rs_prerelease, xrefs: 00DF0611
CurrentVersion, xrefs: 00DF0508
BuildBranch, xrefs: 00DF05E6
IsWow64Process, xrefs: 00DF0739
CurrentMajorVersionNumber, xrefs: 00DF04BA
kernel32, xrefs: 00DF073E
CurrentBuildNumber, xrefs: 00DF057D
CSDVersion, xrefs: 00DF069B

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleInit_thread_footerModuleOpenProcWow64
String ID: BuildBranch$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$co_release$kernel32$rs_prerelease
API String ID: 1906320730-525127412
Opcode ID: eb28f39ddf71fec13faf3bb5aeb378c8646298d0853ea4fa1e0c592ca1cfb94f
Instruction ID: ca5047095e7d7990529ef2f9910e3d42db08add754823a96e15a2639ed858705
Opcode Fuzzy Hash: eb28f39ddf71fec13faf3bb5aeb378c8646298d0853ea4fa1e0c592ca1cfb94f
Instruction Fuzzy Hash: 62A18F7190032CDBDB20DF64DC45BAABBF4FB04701F0581DAE949A7291EB74AA84DF90

Function 6CA96320 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 247
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?,?,?,?,?,?,?,00000000,6CAD1349,000000FF), ref: 6CA9638A
RegQueryValueExW.KERNEL32(?,CurrentMajorVersionNumber,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CAD1349,000000FF), ref: 6CA963BF
RegQueryValueExW.KERNEL32(?,CurrentMinorVersionNumber,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CAD1349,000000FF), ref: 6CA963D5
RegQueryValueExW.ADVAPI32(?,CurrentVersion,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CAD1349,000000FF), ref: 6CA963FB
RegQueryValueExW.KERNEL32(?,CurrentBuildNumber,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CAD1349,000000FF), ref: 6CA96464
RegQueryValueExW.ADVAPI32(?,BuildBranch,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CAD1349,000000FF), ref: 6CA964BD
RegQueryValueExW.KERNEL32(?,ReleaseId,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CAD1349,000000FF), ref: 6CA96514
RegQueryValueExW.KERNEL32(?,CSDVersion,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CAD1349,000000FF), ref: 6CA96553
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,?,?,?,?,00000000,6CAD1349,000000FF), ref: 6CA965EE
GetProcAddress.KERNEL32(00000000), ref: 6CA965F5
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00000000,6CAD1349,000000FF), ref: 6CA96626
IsWow64Process.KERNEL32(00000000,?,?,?,?,?,?,00000000,6CAD1349,000000FF), ref: 6CA9662D
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00000000,6CAD1349,000000FF), ref: 6CA9665E

Strings

co_release, xrefs: 6CA964C5
kernel32, xrefs: 6CA965E9
ReleaseId, xrefs: 6CA9650C
CSDVersion, xrefs: 6CA9654B
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 6CA96380
CurrentMinorVersionNumber, xrefs: 6CA963CD
CurrentMajorVersionNumber, xrefs: 6CA963B7
rs_prerelease, xrefs: 6CA964DD
CurrentBuildNumber, xrefs: 6CA9645C
IsWow64Process, xrefs: 6CA965E4
BuildBranch, xrefs: 6CA964B5
CurrentVersion, xrefs: 6CA963F3

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleModuleOpenProcWow64
String ID: BuildBranch$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$co_release$kernel32$rs_prerelease
API String ID: 2654979339-525127412
Opcode ID: cc72ad9690980b05536dd535aee00d1aaee54950458e35f3a2465b91ffadf111
Instruction ID: a18f10ca2d4336aebcc84f6ce8bcbfb40ef43232cc8fb25950ebe4ff5a6c2c6a
Opcode Fuzzy Hash: cc72ad9690980b05536dd535aee00d1aaee54950458e35f3a2465b91ffadf111
Instruction Fuzzy Hash: 53A15FB19102099EDF54CFA4CD45BEE7BF8BF08314F14462AE911E7680E774AA85CFA4

Function 6CA96690 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 221
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,?,?,?,00000000,6CAD138D,000000FF), ref: 6CA966FC
RegQueryValueExW.KERNEL32(?,ProductType,00000000,00000000,?,?,?,?,00000000,6CAD138D,000000FF), ref: 6CA9672E
RegQueryValueExW.KERNEL32(?,ProductSuite,00000000,00000000,?,?,?,?,00000000,6CAD138D,000000FF), ref: 6CA9679D
RegCloseKey.ADVAPI32(?,?,?,00000000,6CAD138D,000000FF), ref: 6CA96968

Strings

Compute Server, xrefs: 6CA9690C
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 6CA966F2
CommunicationServer, xrefs: 6CA9681B
Blade, xrefs: 6CA968B0
BackOffice, xrefs: 6CA96802
Enterprise, xrefs: 6CA967E9
EmbeddedNT, xrefs: 6CA96866
ProductType, xrefs: 6CA96726
DataCenter, xrefs: 6CA9687F
Security Appliance, xrefs: 6CA968DE
Personal, xrefs: 6CA96899
ServerNT, xrefs: 6CA96757
ProductSuite, xrefs: 6CA96795
Embedded(Restricted), xrefs: 6CA968C7
Terminal Server, xrefs: 6CA96834
WinNT, xrefs: 6CA96734
Small Business, xrefs: 6CA967D0
Storage Server, xrefs: 6CA968F5
Small Business(Restricted), xrefs: 6CA9684D

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: fa9940acdeba4d80655174c93249c299f6d96a91209521cb1d3e6214f9ecabf9
Instruction ID: 61e4df24196df77ef6f36ad0950460e6f4385f87a244b52ace6a08e538b62ff2
Opcode Fuzzy Hash: fa9940acdeba4d80655174c93249c299f6d96a91209521cb1d3e6214f9ecabf9
Instruction Fuzzy Hash: 6C71B374B142468BDB808F69CD42BEA7EF6AF44348F048539A955DBB80EB34CDC987D0

Function 00DF07F0 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 220
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00DF0860
RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 00DF089B
RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 00DF0916
RegCloseKey.KERNEL32(00000000), ref: 00DF0AEE

Strings

Enterprise, xrefs: 00DF0969
Storage Server, xrefs: 00DF0A75
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 00DF0856
EmbeddedNT, xrefs: 00DF09E6
WinNT, xrefs: 00DF08A1
Small Business(Restricted), xrefs: 00DF09CD
Security Appliance, xrefs: 00DF0A5E
DataCenter, xrefs: 00DF09FF
Blade, xrefs: 00DF0A30
Embedded(Restricted), xrefs: 00DF0A47
ServerNT, xrefs: 00DF08C4
Small Business, xrefs: 00DF0950
Personal, xrefs: 00DF0A19
BackOffice, xrefs: 00DF0982
Terminal Server, xrefs: 00DF09B4
CommunicationServer, xrefs: 00DF099B
Compute Server, xrefs: 00DF0A8C
ProductSuite, xrefs: 00DF090B
ProductType, xrefs: 00DF0890

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: a4a5728a8a2c13bf602308d94f7433961631cfddbfdb35f8e0f0518feb49a2f5
Instruction ID: eb0ebd0a04ad85bb5d96d13845afa686f27a57e75a71dab2ac1d69daccdae77b
Opcode Fuzzy Hash: a4a5728a8a2c13bf602308d94f7433961631cfddbfdb35f8e0f0518feb49a2f5
Instruction Fuzzy Hash: A671C53474031C8ADB109B20DD40BBA7BA9EB80304F56C0B9AF55AF687EB74DE459B71

Function 00DFFE70 Relevance: 39.1, APIs: 12, Strings: 10, Instructions: 599libraryloaderCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?,SystemFolder,0000000C,?,?,?), ref: 00E00075
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00E00170
GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D,?,?,?), ref: 00E00270
GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D,?,?,?), ref: 00E00355
GetTempPathW.KERNEL32(00000104,?,WindowsVolume,0000000D,?,?,?), ref: 00E003CB
GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D,?,?,?), ref: 00E00454
SHGetSpecialFolderLocation.SHELL32(00000000,?,WindowsVolume,0000000D,?,?,?), ref: 00E00532
__Init_thread_footer.LIBCMT ref: 00E005A6
LoadLibraryW.KERNEL32(shfolder.dll,?,?,?), ref: 00E005BC
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00E005EE
SHGetPathFromIDListW.SHELL32(?,?), ref: 00E0065C
SHGetMalloc.SHELL32(00000000), ref: 00E00675

Part of subcall function 00CD9980: RtlAllocateHeap.NTDLL(?,00000000,?,93D979FF,00000000,00EAC6B0,000000FF,?,?,00F8C42C,00000000,00E2ECDB,80004005,93D979FF,?,?), ref: 00CD99CA

Strings

WindowsFolder, xrefs: 00E001FD, 00E00212, 00E0021C
ProgramFiles64Folder, xrefs: 00DFFEAA
SETUPEXEDIR, xrefs: 00E00401
SHGetFolderPathW, xrefs: 00E005E8
shfolder.dll, xrefs: 00E005B7
System32Folder, xrefs: 00E000FD, 00E00112, 00E0011C
WindowsVolume, xrefs: 00E002E4, 00E002F9, 00E00303
TempFolder, xrefs: 00E00382
ProgramW6432, xrefs: 00DFFF05
SystemFolder, xrefs: 00DFFFE9, 00DFFFFE, 00E00008

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: DirectoryPath$FolderWindows$AddressAllocateFileFromHeapInit_thread_footerLibraryListLoadLocationMallocModuleNameProcSpecialSystemTemp
String ID: ProgramFiles64Folder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll
API String ID: 3671250-2142986682
Opcode ID: c1165ba86520adcd10b57e9f9e4d96d5086e0f7e76db511d075645afdf8a1cb5
Instruction ID: 7d716a0bc04cd92d400190f7641d14c90d92b3aa3c5f5f66a63bc001c48bf45a
Opcode Fuzzy Hash: c1165ba86520adcd10b57e9f9e4d96d5086e0f7e76db511d075645afdf8a1cb5
Instruction Fuzzy Hash: 0D2205706002198BDB24DF68CC45BBEB3B1EF54314F5442A9E60AA72E1EB71DE85DF90

Function 00E06470 Relevance: 25.3, APIs: 3, Strings: 11, Instructions: 773COMMON

Download Yara Rule

APIs

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00E0652E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00E06558

Part of subcall function 00CD92A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,00CD9418,-00000010,?,00000000), ref: 00CD92C3

Strings

%hu, xrefs: 00E06AD8
Software\Caphyon\Advanced Installer\, xrefs: 00E06C30
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00E06C44
Language of a related product is:, xrefs: 00E06CAC
Language selected programatically for UI:, xrefs: 00E06D62
Language used for UI:, xrefs: 00E06DDE
Advinst_Extract_, xrefs: 00E064C5, 00E064D7, 00E064E1
Code returned to Windows by setup:, xrefs: 00E068B1
A valid language was received from commnad line. This is:, xrefs: 00E06AAA
AI_BOOTSTRAPPERLANGS, xrefs: 00E07660, 00E07672, 00E0767C
Languages of setup:, xrefs: 00E078BB

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ByteCharInit_thread_footerMultiWide$FindHeapProcessResource
String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\
API String ID: 1419962739-297406034
Opcode ID: 4ecaf54f86462f326ed18789948f4db83f8ea809bc8bdf2a073753b88128ccfb
Instruction ID: 4ec2e610567c75563397bdac5ef62df7d780d2d9f19e649a3d4f6c0dda2afd27
Opcode Fuzzy Hash: 4ecaf54f86462f326ed18789948f4db83f8ea809bc8bdf2a073753b88128ccfb
Instruction Fuzzy Hash: 1952F371A002499FDB14DFA8CC55BAEBBF4EF44318F14816DE915AB2D2DB309E44CBA0

Function 00E06130 Relevance: 23.4, APIs: 10, Strings: 3, Instructions: 648threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00E06300
SetLastError.KERNEL32(0000000E), ref: 00E0631D
GetCurrentThreadId.KERNEL32 ref: 00E06335
EnterCriticalSection.KERNEL32(00F9957C), ref: 00E06352
LeaveCriticalSection.KERNEL32(00F9957C), ref: 00E06375
DialogBoxParamW.USER32(000007D0,00000000,00D46090,00000000), ref: 00E06392
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00E0652E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00E06558

Part of subcall function 00DD4B40: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,00000000,?,00000000,00EB6AAD,000000FF,?,80004005,?,?), ref: 00DD4B58
Part of subcall function 00DD4B40: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,00000000,00EB6AAD,000000FF,?,80004005,?,?,?,00000000), ref: 00DD4B8A

SetEvent.KERNEL32(?), ref: 00E06749

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

SetEvent.KERNEL32(?,?,00000000,?,00000001), ref: 00E066E8

Strings

Code returned to Windows by setup:, xrefs: 00E068B1
Advinst_Extract_, xrefs: 00E064C5, 00E064D7, 00E064E1
4w, xrefs: 00E06375

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ByteCharMultiWide$CriticalEventInit_thread_footerSection$ActiveCurrentDialogEnterErrorHeapLastLeaveParamProcessThreadWindow
String ID: 4w$Advinst_Extract_$Code returned to Windows by setup:
API String ID: 1170959282-637821447
Opcode ID: 0a68237f1821e7de0656e84fe6c82cb550c7c3410775439aa6ef03e70348f57b
Instruction ID: 6a860d7324615fca384c7e7f1c4b834c7f8c05f98490c1f13e224d9d696b8886
Opcode Fuzzy Hash: 0a68237f1821e7de0656e84fe6c82cb550c7c3410775439aa6ef03e70348f57b
Instruction Fuzzy Hash: 8E429D71901249DFDB00DFA8C848BAEBBF4FF45318F148169E915BB2D2DB749A44CBA1

Function 00E13590 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 179
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 00E135CA
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?), ref: 00E13607
GetCurrentThreadId.KERNEL32 ref: 00E13692
SetWindowTextW.USER32(?,?), ref: 00E1371C
GetDlgItem.USER32(?,000003E9), ref: 00E13726
SetWindowTextW.USER32(00000000,?), ref: 00E13732
GetDlgItem.USER32(?,00000002), ref: 00E1379F
SetWindowTextW.USER32(00000000,?), ref: 00E137A7

Part of subcall function 00E0C1B0: GetDlgItem.USER32(?,00000002), ref: 00E0C1D0
Part of subcall function 00E0C1B0: GetWindowRect.USER32(00000000,?), ref: 00E0C1E6
Part of subcall function 00E0C1B0: ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,00E135EA,?,?,?,?,?,?), ref: 00E0C1FF
Part of subcall function 00E0C1B0: InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,00E135EA,?,?), ref: 00E0C20A
Part of subcall function 00E0C1B0: GetDlgItem.USER32(?,000003E9), ref: 00E0C21C
Part of subcall function 00E0C1B0: GetWindowRect.USER32(00000000,?), ref: 00E0C232
Part of subcall function 00E0C1B0: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,?,?,?,00E135EA), ref: 00E0C275

Strings

4w, xrefs: 00E1366D

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Item$RectText$ActiveCurrentErrorInvalidateLastShowThread
String ID: 4w
API String ID: 127311041-3778465916
Opcode ID: 037e0abeeeeada65ab3dcf851d2948ad64441d514b2a5cf6d494244ae0b03e07
Instruction ID: 2476b99888e44a528945d87cb55791f7daefb082aa8b9a204e159b46033d9f2e
Opcode Fuzzy Hash: 037e0abeeeeada65ab3dcf851d2948ad64441d514b2a5cf6d494244ae0b03e07
Instruction Fuzzy Hash: E761B0B1905704EFDB11DF78CC48B9ABBA4FF04324F14825AE919AB2E2D7709A44DF90

Function 00D0B047 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 99
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00000043), ref: 00D0B127
GetProcAddress.KERNEL32(00000000,InitializeEmbeddedUI), ref: 00D0B13F
GetProcAddress.KERNEL32(00000000,ShutdownEmbeddedUI), ref: 00D0B149
GetProcAddress.KERNEL32(00000000,EmbeddedUIHandler), ref: 00D0B154

Strings

EmbeddedUIHandler, xrefs: 00D0B14B
tj, xrefs: 00D0B15D
ShutdownEmbeddedUI, xrefs: 00D0B141
InitializeEmbeddedUI, xrefs: 00D0B139
SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll', xrefs: 00D0B084
t7j, xrefs: 00D0B120

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: EmbeddedUIHandler$InitializeEmbeddedUI$SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll'$ShutdownEmbeddedUI$tj$t7j
API String ID: 2238633743-2058300243
Opcode ID: e9be6fbce6e9f7b908b0f7002930cd6e8f6d70ba5d6330418be7acf0431a2bb1
Instruction ID: 1983922266a3467f906c31005e3cc855f957e217dce5635e3434516dc2afe713
Opcode Fuzzy Hash: e9be6fbce6e9f7b908b0f7002930cd6e8f6d70ba5d6330418be7acf0431a2bb1
Instruction Fuzzy Hash: 3D31B271A04309ABDB14DFA4DC95B9EBBF5FF04320F244219E519B72C0EB74A640CBA6

Function 6CA83B60 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 409
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6CA78270: GetProcessHeap.KERNEL32 ref: 6CA782CC

Part of subcall function 6CA77730: #17.MSI(00000002,?,00000000,?,461C95ED), ref: 6CA777E2
Part of subcall function 6CA77730: #125.MSI(00000000,00000000,[1],?,461C95ED), ref: 6CA777F9
Part of subcall function 6CA77730: #125.MSI(00000000,00000001,461C95ED,?,461C95ED), ref: 6CA77806
Part of subcall function 6CA77730: #103.MSI(00000000,04000000,00000000,?,461C95ED), ref: 6CA77818
Part of subcall function 6CA77730: #8.MSI(00000000,?,461C95ED), ref: 6CA77827

FindNextFileW.KERNELBASE(00000000,?,00000000,?,00000000,*.*,00000003,7FFFFFFE,?,6CB08D6C,?), ref: 6CA83E67
DeleteFileW.KERNEL32(00000000,?), ref: 6CA8408B

Strings

Logging is enabled, sending data ..., xrefs: 6CA83D62
!, xrefs: 6CA84091
session, xrefs: 6CA83FAA
., xrefs: 6CA83E8A
Logging is disabled, discard collected data., xrefs: 6CA83BF1
*.*, xrefs: 6CA83CB3

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: #125File$#103DeleteFindHeapNextProcess
String ID: !$*.*$.$Logging is disabled, discard collected data.$Logging is enabled, sending data ...$session
API String ID: 1195310492-2153466073
Opcode ID: 82c285701df2c83cccf4f3442a7f70c576d4285fd249db8e4cd02ff7fcdb8582
Instruction ID: a302439e38b9ad167339f0e45600cb14d39e20bc798bb76c892a1b88d07a3d72
Opcode Fuzzy Hash: 82c285701df2c83cccf4f3442a7f70c576d4285fd249db8e4cd02ff7fcdb8582
Instruction Fuzzy Hash: D4F19E30902248DFDB15DBA8C958BDEBBB4BF05318F148298D055A7791EB749BCCCBA1

Function 00DD3420 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DD3420: GetModuleFileNameW.KERNEL32(00000000,?,00000104,93D979FF,00000000,?,00EE83F6,000000FF), ref: 00DD3368

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

FreeLibrary.KERNEL32(00000001,93D979FF,?,00000001,?,?,?), ref: 00DD35B7
EnterCriticalSection.KERNEL32(00F99338), ref: 00DD35D2
DestroyWindow.USER32(00000000), ref: 00DD35F0
LeaveCriticalSection.KERNEL32(00F99338), ref: 00DD3639
CoUninitialize.COMBASE ref: 00DD3703

Strings

4w, xrefs: 00DD3639
%s%lu, xrefs: 00DD349D
.local, xrefs: 00DD33D4

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalInit_thread_footerSection$DestroyEnterFileFreeHeapLeaveLibraryModuleNameProcessUninitializeWindow
String ID: 4w$%s%lu$.local
API String ID: 605930860-1138740116
Opcode ID: 44eb65b1a524c1e5b0bd2f2616466caac2dd77bcb64dd7d996962c2d031c0ecc
Instruction ID: 0c58fc5819f0b2b94eaf62f2fca28acce0ea08f941d766f36558c6a6473c1fe0
Opcode Fuzzy Hash: 44eb65b1a524c1e5b0bd2f2616466caac2dd77bcb64dd7d996962c2d031c0ecc
Instruction Fuzzy Hash: 9A91DD71A016059FDB20DF68D844B6ABBF4FF45310F18456EE819AB391DB75EE00CBA2

Function 00E83FD7 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(?,?,?,00E84376,00F97F88,?,00000000,?,00E1361C,?,00000000,00000000,?,?), ref: 00E83FE9
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00E84376,00F97F88,?,00000000,?,00E1361C,?,00000000,00000000), ref: 00E83FFE
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E8407A

Strings

atlthunk.dll, xrefs: 00E83FF9
AtlThunk_InitData, xrefs: 00E84026
AtlThunk_DataToCode, xrefs: 00E8403D
AtlThunk_FreeData, xrefs: 00E84054
AtlThunk_AllocateData, xrefs: 00E8400F

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: b5dfda8d7994ba4976e0d743284e581bd1000230d7b3854502c1d2913e07803f
Instruction ID: 3ce92895e074e031ac7461824a7b168105b97dd6c3c387148a44097857a784d0
Opcode Fuzzy Hash: b5dfda8d7994ba4976e0d743284e581bd1000230d7b3854502c1d2913e07803f
Instruction Fuzzy Hash: 5F018BB16583066ADB11B7249E06BDB3B989F1170DF044094FE0D772D6EAE2CA08B387

Function 00DF4F80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 173
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DF0240: __Init_thread_footer.LIBCMT ref: 00DF0312

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,93D979FF,00000000,00000000,?), ref: 00DF4FD5
GetTempPathW.KERNEL32(00000104,?), ref: 00DF5069
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00DF509A
Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00DF512D
CopyFileW.KERNEL32(?,?,00000000), ref: 00DF514F
Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 00DF517E

Strings

shim_clone, xrefs: 00DF508E

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Wow64$FilePathRedirectionTemp$CopyDisableFolderInit_thread_footerNameRevert
String ID: shim_clone
API String ID: 4264308349-3944563459
Opcode ID: 1e8e305e2427bd9190f3f204f06430bb89ba68ac2be056e2d03b22993b6e1dad
Instruction ID: 4c9133c86db284420b05fdb6c258013a37209a0c31eb8d0b0c48aaced3c1e382
Opcode Fuzzy Hash: 1e8e305e2427bd9190f3f204f06430bb89ba68ac2be056e2d03b22993b6e1dad
Instruction Fuzzy Hash: 1551F474A0071C9EDB24DF64DC45BBAB7F9EF44700F4580A9EA09D7181EB719E85CBA0

Function 00E137D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69
threadsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,00E2EF30,00F30B08,00000000,?), ref: 00E1384D
GetLastError.KERNEL32 ref: 00E1385A
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 00E13883
GetExitCodeThread.KERNEL32(00000000,?), ref: 00E1389D
TerminateThread.KERNEL32(00000000,00000000), ref: 00E138B5
CloseHandle.KERNEL32(00000000), ref: 00E138BE

Strings

@, xrefs: 00E137FF, 00E13874

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleTerminateWait
String ID: @
API String ID: 1566822279-935976969
Opcode ID: 0b80eec890e88ec2740247f866b874b667a8127afcc56657ba9fa8411c3c698c
Instruction ID: 41edd61e5e05f94af547644e7a631c7fb111c8025425db45891d142d58cca182
Opcode Fuzzy Hash: 0b80eec890e88ec2740247f866b874b667a8127afcc56657ba9fa8411c3c698c
Instruction Fuzzy Hash: 1D31EA7190421DEBEF10DFA4CD48BDEBBB4FB08314F104219E910B62E0D7B99A44DBA4

Function 6CA96F60 Relevance: 10.8, APIs: 7, Instructions: 342fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,461C95ED,00000000,00000000), ref: 6CA96FEB
ReadFile.KERNEL32(?,00000000,00001000,?,00000000,00001000), ref: 6CA9705D
ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,?,00000000), ref: 6CA972EA
CloseHandle.KERNEL32(?), ref: 6CA9734B

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$Read$CloseCreateHandle
String ID:
API String ID: 1724936099-0
Opcode ID: 598e6338df6975622fc04f1b76f7b6e7752fe2aec40bec5af20c805fbac195fe
Instruction ID: cc87067cd71d184016a4111c54006cf45e8cbfda7be63585abb5fdd29307138e
Opcode Fuzzy Hash: 598e6338df6975622fc04f1b76f7b6e7752fe2aec40bec5af20c805fbac195fe
Instruction Fuzzy Hash: A3D18170E103089BDB14CFA4C959B9EBBF5FF45308F24861CE415EB690DB74A989CBA1

Function 00E04E40 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

APIs

Part of subcall function 00E04CA0: GetTickCount.KERNEL32 ref: 00E04D24
Part of subcall function 00E04CA0: __Xtime_get_ticks.LIBCPMT ref: 00E04D2C
Part of subcall function 00E04CA0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E04D76

Part of subcall function 00E281C0: GetUserNameW.ADVAPI32(00000000,?), ref: 00E2824E
Part of subcall function 00E281C0: GetLastError.KERNEL32 ref: 00E28254
Part of subcall function 00E281C0: GetUserNameW.ADVAPI32(00000000,?), ref: 00E2829C
Part of subcall function 00E281C0: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00E282D2
Part of subcall function 00E281C0: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 00E2831C

__Init_thread_footer.LIBCMT ref: 00E04F64

Strings

\/:*?"<>|, xrefs: 00E04F26

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: EnvironmentNameUserVariable$CountErrorInit_thread_footerLastTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
String ID: \/:*?"<>|
API String ID: 2099558200-3830478854
Opcode ID: aff33620633d24b886ecb398729ab71bae32a80a5e4286967bdbe3038d175776
Instruction ID: e6c25c35e2738e6db49047b331c7e5aa562ab6f88192a29495100822eb8f8b96
Opcode Fuzzy Hash: aff33620633d24b886ecb398729ab71bae32a80a5e4286967bdbe3038d175776
Instruction Fuzzy Hash: 18C1BC71A05749CFDB10DFA8C848B9EBBB0BF04304F14426DE505BB2D2EB75AA45DB91

Function 00E2D430 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00EF902D,-00000400,?,00000002,00000400,93D979FF,?,?,?), ref: 00E2D4D6
GetLastError.KERNEL32(?,?), ref: 00E2D4E4
ReadFile.KERNEL32(00EF902D,00000000,00000400,?,00000000,?,?), ref: 00E2D4FF

Strings

ADVINSTSFX, xrefs: 00E2D533, 00E2D5EE

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$ErrorLastPointerRead
String ID: ADVINSTSFX
API String ID: 64821003-4038163286
Opcode ID: c9e74b8b25cb2feee64776001e3ef32ece39de759efd949669fa54bf92ffde75
Instruction ID: 97cf63232223f1a18f5990d2fbb46b1a09aeb05271f9a7c1ee4aa75978262bdc
Opcode Fuzzy Hash: c9e74b8b25cb2feee64776001e3ef32ece39de759efd949669fa54bf92ffde75
Instruction Fuzzy Hash: CA61B3B1A08229DBDB00CF68DC84BBEBBB5FB45328F245255E615B7281D774ED41CBA0

Function 6CAA021B Relevance: 10.6, APIs: 7, Instructions: 136COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6CAA0262
___scrt_uninitialize_crt.LIBCMT ref: 6CAA027C

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 20e4a0b589a55dd5294c8fcba11a567db94c27405ba7d2669d3fbdbe1a8766f1
Instruction ID: 76a423db37ee7f1d4275d57f8f4c75e4033b57444d8001bb83ad074eb0c2647b
Opcode Fuzzy Hash: 20e4a0b589a55dd5294c8fcba11a567db94c27405ba7d2669d3fbdbe1a8766f1
Instruction Fuzzy Hash: 1B41D432E01798AFDB119FE5CD40BDF3AB5EB41B68F14451AE81667B40D7704D8B8BA0

Function 00CE83D1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,00000024), ref: 00CE8470
GetWindowLongW.USER32(?,000000FC), ref: 00CE8485
CallWindowProcW.USER32(?,?,00000082,?,00000024), ref: 00CE849B
GetWindowLongW.USER32(?,000000FC), ref: 00CE84B5
SetWindowLongW.USER32(?,000000FC,?), ref: 00CE84C5

Strings

$, xrefs: 00CE8419

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: bfa95e9fcb1a5ead6968ff9a6c3e80101ea87b30ab22276f8a0b27b280975d1d
Instruction ID: 787c805aac26c61d9b69c577665e04ba4d204924daebff64504ffb2c414c2205
Opcode Fuzzy Hash: bfa95e9fcb1a5ead6968ff9a6c3e80101ea87b30ab22276f8a0b27b280975d1d
Instruction Fuzzy Hash: 1A41F472108744AFD720DF1AC884A1BFBF5FB88710F504A1EF5AA826A0C772E9449F51

Function 00DD6C10 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,93D979FF,00000000,?,75B4EB20,?,?,00EACB30,000000FF), ref: 00DD6C53
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00DD6C7C
RegCreateKeyExW.KERNEL32(?,00E2887A,00000000,00000000,00000000,00EACB30,00000000,00000000,00EACB30,93D979FF,00000000,?,75B4EB20,?,?,00EACB30), ref: 00DD6CC9
RegCloseKey.ADVAPI32(00000000,?,75B4EB20,?,?,00EACB30,000000FF), ref: 00DD6CDC

Strings

Advapi32.dll, xrefs: 00DD6C4E
RegCreateKeyTransactedW, xrefs: 00DD6C76

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AddressCloseCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1765684683-2994018265
Opcode ID: fd702f55d239503a44b6fcf83c9a9ee3477de799b52b3ba9de34ee9fd0d54e28
Instruction ID: 0f08604771b62c8594259d9ae23be33da9e97c83898bbab00bb7ac5baedf6333
Opcode Fuzzy Hash: fd702f55d239503a44b6fcf83c9a9ee3477de799b52b3ba9de34ee9fd0d54e28
Instruction Fuzzy Hash: 5031A072644219AFEB208F59DC01FAABBA8FB48750F14812AF915D7380E775E810DAA0

Function 00E0C1B0 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000002), ref: 00E0C1D0
GetWindowRect.USER32(00000000,?), ref: 00E0C1E6
ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,00E135EA,?,?,?,?,?,?), ref: 00E0C1FF
InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,00E135EA,?,?), ref: 00E0C20A
GetDlgItem.USER32(?,000003E9), ref: 00E0C21C
GetWindowRect.USER32(00000000,?), ref: 00E0C232
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,?,?,?,00E135EA), ref: 00E0C275

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Rect$Item$InvalidateShow
String ID:
API String ID: 2147159307-0
Opcode ID: 2e0972004d3363c212bef0fc6896e3f9500d82536307daf055d01596299563e5
Instruction ID: 04e3d4dacfe10a0ac1b1f095ca43007af05701f42e8b05eb80876dc365154107
Opcode Fuzzy Hash: 2e0972004d3363c212bef0fc6896e3f9500d82536307daf055d01596299563e5
Instruction Fuzzy Hash: 5E216971618304AFD340EF24DD49A6B7BE8EF8C710F05865AF849D62A1E730ED818B96

Function 00E10160 Relevance: 9.4, APIs: 6, Instructions: 354fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,93D979FF,?,00000000,93D979FF,?,?,00000002,?,?,?,?,?,?,00000000,00EF32F2), ref: 00E101B7
GetLastError.KERNEL32(?,00000002), ref: 00E10449
GetLastError.KERNEL32(?,00000002), ref: 00E104F3
GetLastError.KERNEL32(?,00000002,?,?,?,?,?,?,00000000,00EF32F2,000000FF,?,00E0F05A,00000010), ref: 00E101C6

Part of subcall function 00DEE5B0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,93D979FF,?,00000000), ref: 00DEE5FB
Part of subcall function 00DEE5B0: GetLastError.KERNEL32(?,00000000), ref: 00DEE605

ReadFile.KERNEL32(?,00000000,00000008,80070057,00000000,?,00000002), ref: 00E10288
ReadFile.KERNEL32(?,93D979FF,00000000,00000000,00000000,00000001,?,00000002), ref: 00E10305

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorLast$File$Read$FormatMessagePointer
String ID:
API String ID: 3903527278-0
Opcode ID: 5a00c4d6a4fabec3ba8363f61c530fde0b08460317f65c13713596aab6050697
Instruction ID: 2091dfed15858fb349102a0409d51609b51667961ded6d72974098a86584e804
Opcode Fuzzy Hash: 5a00c4d6a4fabec3ba8363f61c530fde0b08460317f65c13713596aab6050697
Instruction Fuzzy Hash: 73D15171D00209DFDB10DFA8C885BEDB7B5FF44314F148269E925AB392E774A985CBA0

Function 6CA851A0 Relevance: 9.3, APIs: 6, Instructions: 251fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,461C95ED,?,00000000), ref: 6CA8524F
GetFileSize.KERNEL32(00000000,00000000), ref: 6CA8537B
WriteFile.KERNEL32(00000000,0000FEFF,00000002,?,00000000), ref: 6CA853A7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 6CA853BD
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 6CA85400
CloseHandle.KERNEL32(00000000), ref: 6CA85465

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$Write$CloseCreateHandlePointerSize
String ID:
API String ID: 3932932802-0
Opcode ID: b67ec8a0df0c6f4856859cd49c42290f13462492d3de5cf94ae32f79bcac1829
Instruction ID: eaab17a063fa59ee7fc34bd52b7d85c59dcf4a262e691faca7d93c1971489d79
Opcode Fuzzy Hash: b67ec8a0df0c6f4856859cd49c42290f13462492d3de5cf94ae32f79bcac1829
Instruction Fuzzy Hash: DFA19271D02208DFEB10CFA8C955BDEBBB5FF04304F248259E925A7681D774AA89CF91

Function 00DEB720 Relevance: 9.2, APIs: 6, Instructions: 233COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,93D979FF,00000000,93D979FF,?), ref: 00DEB76B
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00F24494,00000001,?,?,?,?,?,00000000,00EEC395,000000FF,?,00E2EC41), ref: 00DEB82A
GetLastError.KERNEL32(?,?,?,?,00000000,00EEC395,000000FF,?,00E2EC41,00000000,93D979FF,00000000), ref: 00DEB838

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID:
API String ID: 953296794-0
Opcode ID: 64ffb648ca983a61dfa282692540486c9935ea55c257f0401f60c8788d4d4c6d
Instruction ID: 763706796701c4e3198e5d8a214cf7b7ff25f0b9de724e12db13ba02349b7530
Opcode Fuzzy Hash: 64ffb648ca983a61dfa282692540486c9935ea55c257f0401f60c8788d4d4c6d
Instruction Fuzzy Hash: 0881B231904649DFDB10EFA9CC85B9EBBB4FF15320F24425AE920A72D1DB71A904CFA1

Function 00CE01A0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 335fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,?,00000000,?,93D979FF,?,00000004), ref: 00CE01FB
DeleteFileW.KERNEL32(?,?,00000004), ref: 00CE023E
CreateDirectoryW.KERNEL32(?,00000000,?,00000004), ref: 00CE024D

Strings

h_, xrefs: 00CE0575

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$CreateDeleteDirectoryNameTemp
String ID: h_
API String ID: 2411147693-1562359607
Opcode ID: c3af6c94d319cddc9b23f6a5bcbcbe98b94208b67d4ec1956a35976359d12018
Instruction ID: f8776cafb1e837c31b94f463f01822e747b8204c23f5b0da3c7b5130bf417008
Opcode Fuzzy Hash: c3af6c94d319cddc9b23f6a5bcbcbe98b94208b67d4ec1956a35976359d12018
Instruction Fuzzy Hash: 78D17C70D04249DBDB14DF69C9897EEBBB4FF44314F24429EE409A7291E7B86A84CF90

Function 00DF5480 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 196COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(80004005,00EF3C95,93D979FF,?,?,?,?,?,00000000,00EF3C95,000000FF,?,80004005,93D979FF,?), ref: 00DF54E5
GetFileVersionInfoW.KERNELBASE(80004005,?,00000000,000000FF,00000000,?,?,?,?,00000000,00EF3C95,000000FF,?,80004005,93D979FF,?), ref: 00DF5533

Strings

\VarFileInfo\Translation, xrefs: 00DF5567
ProductName, xrefs: 00DF5593
\StringFileInfo\%04x%04x\%s, xrefs: 00DF559D

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: FileInfoVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 2104008232-2149928195
Opcode ID: 115ea30ffa18e5d3241f5dbdcbc61bfc0f665d10cff6fad70c8def9ff7740b16
Instruction ID: 3af714e1fcbada577da3f5029829269978bc7f10709350fa0d130195f378c257
Opcode Fuzzy Hash: 115ea30ffa18e5d3241f5dbdcbc61bfc0f665d10cff6fad70c8def9ff7740b16
Instruction Fuzzy Hash: FD61CF719016099FCB10DFA8D849ABEB7F8FF15315F19816AEA21E7291DB30DD00CBA0

Function 00DF5370 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF4F80: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,93D979FF,00000000,00000000,?), ref: 00DF4FD5
Part of subcall function 00DF4F80: GetTempPathW.KERNEL32(00000104,?), ref: 00DF5069
Part of subcall function 00DF4F80: GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00DF509A

GetFileVersionInfoSizeW.KERNELBASE(?,000000FF,Shlwapi.dll,93D979FF,00000000,?,?,00000000,00EED9C5,000000FF,Shlwapi.dll,00DF5326,?,?,?), ref: 00DF53BD
GetFileVersionInfoW.KERNELBASE(?,?,?,00000000,00000000,?,?), ref: 00DF53E9
GetLastError.KERNEL32(?,?), ref: 00DF542E
DeleteFileW.KERNEL32(?), ref: 00DF5441

Strings

Shlwapi.dll, xrefs: 00DF5370, 00DF53A8

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$InfoPathTempVersion$DeleteErrorFolderLastNameSize
String ID: Shlwapi.dll
API String ID: 2355151265-1687636465
Opcode ID: 6f44025a3e9681d6a3b50edf9af97ec008ebb6992e581d4c3e27d0faaff24aad
Instruction ID: 7a9b37df39c71ed42928e3d59b9e1b96c25f36364a184f59a8d4e8d342ccf1e5
Opcode Fuzzy Hash: 6f44025a3e9681d6a3b50edf9af97ec008ebb6992e581d4c3e27d0faaff24aad
Instruction Fuzzy Hash: 5431907190460DABDB10DFA5DC44BEEBBB8FF08311F19812AEA05A3290D7349940DBB1

Function 00DF30C0 Relevance: 7.8, APIs: 5, Instructions: 292COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000000,?,00000100), ref: 00DF31BC
LoadStringW.USER32(?,00000000,?,00000001), ref: 00DF3264

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 4ee8050fe0c58d9404d05927f8d0dc97feca469975ed6390ee0718c68ef0e3c6
Instruction ID: b48431c45600e50c1809807b58f4bb3c8b435f9b0b7b8e56b5431ebea11a47d3
Opcode Fuzzy Hash: 4ee8050fe0c58d9404d05927f8d0dc97feca469975ed6390ee0718c68ef0e3c6
Instruction Fuzzy Hash: 51B16BB1D0020DEBDB04DFA8D845BEEBBB5FF48314F15822AE515A7390EB746A44CB94

Function 00E2E990 Relevance: 7.8, APIs: 5, Instructions: 289threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,93D979FF,?,?,00000000,?,?,?,?,00EF941D,000000FF,?,00E10E0E), ref: 00E2E9D0
CreateThread.KERNEL32(00000000,00000000,00E2ECE0,?,00000000,?), ref: 00E2EA06
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00E2EB0F
GetExitCodeThread.KERNEL32(00000000,?), ref: 00E2EB1A
CloseHandle.KERNEL32(00000000), ref: 00E2EB3A

Part of subcall function 00CE8590: RaiseException.KERNEL32(?,?,00000000,00000000,00E2ED87,C000008C,00000001), ref: 00CE859C

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CreateThread$CloseCodeEventExceptionExitHandleObjectRaiseSingleWait
String ID:
API String ID: 3595790897-0
Opcode ID: 1697ac7720f5f1effe0c7561693a4fdc8979abc9bcf4871d9676f171228d0bde
Instruction ID: 95bc92058aa25fbbaa8a8f3812f204bc8cfc38edbb3bddf6752bf0a45590675f
Opcode Fuzzy Hash: 1697ac7720f5f1effe0c7561693a4fdc8979abc9bcf4871d9676f171228d0bde
Instruction Fuzzy Hash: E4B18F75A00629DFCB24CF68D885BAAB7F5FF49314F144669E916AB3A1D730ED00CB90

Function 00DEBFF0 Relevance: 7.6, APIs: 5, Instructions: 64windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 00DEC011
PeekMessageW.USER32(?,00000000), ref: 00DEC057
TranslateMessage.USER32(00000000), ref: 00DEC062
DispatchMessageW.USER32(00000000), ref: 00DEC069
MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 00DEC07B

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
String ID:
API String ID: 4084795276-0
Opcode ID: 22f488e30b85a647dbd3376f0d3f27aac7f7385de639d792d24f280e6697dd0d
Instruction ID: 41925db3848130903a650d0008d697bbd70c8e195894cc7df80661908d86a3e8
Opcode Fuzzy Hash: 22f488e30b85a647dbd3376f0d3f27aac7f7385de639d792d24f280e6697dd0d
Instruction Fuzzy Hash: ED115972658309BEE220EB56AC81FA7B7DCEB88760F500226FA10920C0D730E9498731

Function 00E29FE0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 257filepipeCOMMON

Download Yara Rule

APIs

ConnectNamedPipe.KERNEL32(?,00000000,93D979FF,?,000000FF,?,?,00000000,00EF863E,000000FF,?,00E2A25A,000000FF,?,00000001), ref: 00E2A01C
GetLastError.KERNEL32(?,?,00000000,00EF863E,000000FF,?,00E2A25A,000000FF,?,00000001), ref: 00E2A026

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

ReadFile.KERNEL32(?,?,00007F90,?,00000000,93D979FF,?,000000FF,?,?,00000000,00EF863E,000000FF,?,00E2A25A,000000FF), ref: 00E2A073

Strings

\\.\pipe\ToServer, xrefs: 00E2A2E4, 00E2A2F5, 00E2A2FF

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$ConnectErrorFileHeapLastNamedPipeProcessRead
String ID: \\.\pipe\ToServer
API String ID: 2973225359-63420281
Opcode ID: e8757ee0ff5a995a41f100eeab3e573367d6bff4398341f0cffab915d2293d4e
Instruction ID: e32d58d20be0205c76286279f7ae912bdba716d9163b0382bec02050bfbd2df9
Opcode Fuzzy Hash: e8757ee0ff5a995a41f100eeab3e573367d6bff4398341f0cffab915d2293d4e
Instruction Fuzzy Hash: 8691F271A00219DFDB14CF68DC04BAEB7A4FF44728F14866EE915EB381DB75A900DB91

Function 6CA75E00 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,461C95ED,00000034), ref: 6CA75E5C
GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 6CA75E7E

Strings

%08X, xrefs: 6CA75EB3
AABBCCDD, xrefs: 6CA75E9E

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: FolderInformationPathVolume
String ID: %08X$AABBCCDD
API String ID: 1564939276-726327320
Opcode ID: 97866c6d5e30041af16dc4f23ca64e49ae1be89622416ee750fd8172ad318663
Instruction ID: bac3655ec4339e57cd01b40274fdbc485d15d9b5d2978c3158d3086ad49cd35b
Opcode Fuzzy Hash: 97866c6d5e30041af16dc4f23ca64e49ae1be89622416ee750fd8172ad318663
Instruction Fuzzy Hash: F03139B49103499EDB30CF64CD04BEA7BF8FB04708F004A2EE955DB680E7B466488BA5

Function 00E049A0 Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,93D979FF,?,00000010,?,00E07D90,?), ref: 00E04A06
SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 00E04A4F
ReadFile.KERNEL32(00000000,93D979FF,?,?,00000000,?), ref: 00E04A91
CloseHandle.KERNEL32(00000000), ref: 00E04B0A

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$CloseCreateHandlePointerRead
String ID:
API String ID: 4133201480-0
Opcode ID: b997bc25e2f52c8fd0a2ca649b17ca3e7df0dc1543756b66fa3bcc5e487bdd27
Instruction ID: 06a41aea690d6b12d9121f19f4600311a43b5d80bfbccbd60c533a4d1b8cbf06
Opcode Fuzzy Hash: b997bc25e2f52c8fd0a2ca649b17ca3e7df0dc1543756b66fa3bcc5e487bdd27
Instruction Fuzzy Hash: B1518EB0A006099BDB11CBA8CD48BEEFBB8FF45328F148259E511BB2D1E7749D44CB64

Function 00E0C140 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E0C149
DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EF12D0,000000FF), ref: 00E0C158
PostMessageW.USER32(?,00000401,00000000,00000000), ref: 00E0C176
IsWindow.USER32(?), ref: 00E0C185

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$CurrentDestroyMessagePostThread
String ID:
API String ID: 3186974096-0
Opcode ID: 6388084c26693e1cdb9f331535fa625ccfe4098d8c204acea6e236637158131e
Instruction ID: 7c10e6709d87c6156fcac43f43362f3d148d74e1a794a84e158a3efde37e2f3b
Opcode Fuzzy Hash: 6388084c26693e1cdb9f331535fa625ccfe4098d8c204acea6e236637158131e
Instruction Fuzzy Hash: ABF0897101AB409BD3719738EE08B43BFE56B55B14F141A4DE142965D1C3B1F441DB14

Function 6CA97A60 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 421COMMON

Download Yara Rule

APIs

Part of subcall function 6CA78270: GetProcessHeap.KERNEL32 ref: 6CA782CC

PathIsUNCW.SHLWAPI(00000010), ref: 6CA97CCD

Strings

\\?\UNC\, xrefs: 6CA97AF6, 6CA97BB9, 6CA97BBF
\\?\, xrefs: 6CA97C6E, 6CA97C74

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: HeapPathProcess
String ID: \\?\$\\?\UNC\
API String ID: 300331711-3019864461
Opcode ID: d54a92129496e640c6c8f55ae919cda9b1f65a08badfe60b0a58c05ba6e34b7e
Instruction ID: 526a5a251b5f9bc7f814e81e5f9f1b39f071a22ab910488447bd8fc856da6829
Opcode Fuzzy Hash: d54a92129496e640c6c8f55ae919cda9b1f65a08badfe60b0a58c05ba6e34b7e
Instruction Fuzzy Hash: 8BF19071A0150A9FDB00CFA8C985BAEF7F5FF45318F148269E425E7790DB34A949CBA0

Function 00DEB3A0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

PathIsUNCW.SHLWAPI(?,?), ref: 00DEB536

Strings

\\?\UNC\, xrefs: 00DEB431, 00DEB4A9, 00DEB4AF
\\?\, xrefs: 00DEB518, 00DEB51E

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$HeapPathProcess
String ID: \\?\$\\?\UNC\
API String ID: 806983814-3019864461
Opcode ID: f6d725645ac68cf42a4c5c9d37c3beb33fc7b32b768a5cb3ecfd177209bbd67d
Instruction ID: e88fb9e6d965ea11bd4043b2073a663fa8cc5606e2e0786fd59964d9a8a3559a
Opcode Fuzzy Hash: f6d725645ac68cf42a4c5c9d37c3beb33fc7b32b768a5cb3ecfd177209bbd67d
Instruction Fuzzy Hash: 52C1A2719006499FDB00EBA9CC45BAEFBF9FF44324F148269E515EB2D1DB74A904CBA0

Function 00E3F220 Relevance: 4.7, APIs: 3, Instructions: 214synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3F900: OpenEventW.KERNEL32(00000000,00000000,00000000,_pbl_evt,00000008,?,?,00F2BE58,00000001,93D979FF,00000000), ref: 00E3F9AE
Part of subcall function 00E3F900: CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 00E3F9CB

WaitForSingleObject.KERNEL32(00000000,00000000,00000001,93D979FF,?,00000000), ref: 00E3F26E
ResetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00EFB2E9,000000FF), ref: 00E3F283

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Event$CreateObjectOpenResetSingleWait
String ID:
API String ID: 2109722436-0
Opcode ID: 9d01c954007cdc94fe9f6182911eb2379f37d933edcf5514e90198c05199ad54
Instruction ID: 538dd58cd95137cc3ca28071d1391aef65028832634cd2c345afbd04e7f1036c
Opcode Fuzzy Hash: 9d01c954007cdc94fe9f6182911eb2379f37d933edcf5514e90198c05199ad54
Instruction Fuzzy Hash: 8381C1B1D00248DFDB00DFA8C84979EBBB0FF55314F24926AE418BB391D775AA46DB90

Function 00E9EA0C Relevance: 4.7, APIs: 3, Instructions: 202COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 00E9EBBB

Part of subcall function 00E9CA67: RtlAllocateHeap.NTDLL(00000000,00000000,00E9A813,?,00E9E9B8,?,00000000,?,00E8E5A5,00000000,00E9A813,?,?,?,?,00E9A60D), ref: 00E9CA99

__freea.LIBCMT ref: 00E9EBD0
__freea.LIBCMT ref: 00E9EBE0

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: 8f85165f2da995335a6ae939980209626b30a0f81ea9ee5285c13de5408dc828
Instruction ID: c008d7c49298fade1702c9cfbc56fd36a29b6629b0b01371d56cb8f0fc7e75c8
Opcode Fuzzy Hash: 8f85165f2da995335a6ae939980209626b30a0f81ea9ee5285c13de5408dc828
Instruction Fuzzy Hash: C851BFB260021AAFEF25DEA4CC82EBB76E9EF04758B151129FE09F6351F671CD508760

Function 00E0FC90 Relevance: 4.7, APIs: 3, Instructions: 191fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,93D979FF,?,00000000,93D979FF,?,?), ref: 00E0FCF7
ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00E0FE04

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: ba8ce4c33088a05e9ff91bbe330a55a95f6376fd64fb4d685f1d908c210c0a7b
Instruction ID: 00da69167c4239419a9f0245b71fff92a8ba5a9c6aacadb2cc81500bf0425bbb
Opcode Fuzzy Hash: ba8ce4c33088a05e9ff91bbe330a55a95f6376fd64fb4d685f1d908c210c0a7b
Instruction Fuzzy Hash: 02616071D00649AFDB10DFA8C945B9DFBB4FF09320F10826AE524A7390EB75AA54CB90

Function 00E0D040 Relevance: 4.7, APIs: 3, Instructions: 183fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,93D979FF,?,00000000,?,80004005,?,00000000), ref: 00E0D0DE
GetLastError.KERNEL32 ref: 00E0D116
GetLastError.KERNEL32(?), ref: 00E0D1AF

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID:
API String ID: 1722934493-0
Opcode ID: a222dca5e547875f02be54b4c550b63f2cab40de673cc6d0e3861cd40f788f84
Instruction ID: b251a436dce4a98780d34c432fb5c8a063741aa25a0adf23f253e40343efff8e
Opcode Fuzzy Hash: a222dca5e547875f02be54b4c550b63f2cab40de673cc6d0e3861cd40f788f84
Instruction Fuzzy Hash: FF51E471A04605DBDB20DFA9CC41BAAF7B1FF44324F108669E919E73E0EB31A941CB90

Function 00E3C670 Relevance: 4.7, APIs: 3, Instructions: 181fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,93D979FF,00000000,6D1C37E0,?), ref: 00E3C6D2
WriteFile.KERNEL32(00000000,?,0000C800,0000C800,00000000,?,?,0000C800), ref: 00E3C768
CloseHandle.KERNEL32(00000000,?,?,0000C800), ref: 00E3C7DC

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 1d1c0d87ccb48d3e9c6dfbd25a1d55c92a7ede082f93049dd96b4d144e9363bd
Instruction ID: c2e6b6050da450a43226450c900e45c1a3241e9d9fd0d64e6564e6670ab5642f
Opcode Fuzzy Hash: 1d1c0d87ccb48d3e9c6dfbd25a1d55c92a7ede082f93049dd96b4d144e9363bd
Instruction Fuzzy Hash: 48518F71A00219AFDB04DFA4CD49BEEBBB9FF48714F244259F800B7290DB75A900CBA4

Function 6CA97EB0 Relevance: 4.7, APIs: 3, Instructions: 175COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,461C95ED,00000000,00000000,?,?,00000000,6CAD16B5,000000FF,?,6CA86B67,?,00000000), ref: 6CA97EF9
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,6CAEA1AC,00000001,?), ref: 6CA97FAD
GetLastError.KERNEL32 ref: 6CA97FB7

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID:
API String ID: 953296794-0
Opcode ID: 05dc0bb1862f9dcb690015b1c9eaaaed4b47e98c6f11f1382bb8d15a7478bc36
Instruction ID: af53ce2e1b1475c368fb25cdb2d85096779bd7f975a8549582881aa3187c5801
Opcode Fuzzy Hash: 05dc0bb1862f9dcb690015b1c9eaaaed4b47e98c6f11f1382bb8d15a7478bc36
Instruction Fuzzy Hash: 04517D319006099FDB00DFA8C985B9DFBF4FF49324F24826AD421E76D0EB759989CB60

Function 00DE9470 Relevance: 4.6, APIs: 3, Instructions: 142fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,0000002A,00000000,?,93D979FF,?), ref: 00DE94E0
DeleteFileW.KERNEL32(?,?,00000000,0000002A,00000000,?,93D979FF,?), ref: 00DE957A
FindNextFileW.KERNEL32(?,?), ref: 00DE95BB

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$Delete$FindNext
String ID:
API String ID: 1410743141-0
Opcode ID: 610ad0e977b9fffd4b5a67790e70b9bb41f435c57ac5ee37310d257a0daab0f5
Instruction ID: 434ce86e5683ca144356cc22cb97243150999ea8ffda931de1e40a93ef4e6eb6
Opcode Fuzzy Hash: 610ad0e977b9fffd4b5a67790e70b9bb41f435c57ac5ee37310d257a0daab0f5
Instruction Fuzzy Hash: B951B330A026588FDF25EF19CC98BADF7B5EF05320F184299E819A72D1DB709E45CB60

Function 00E0BF40 Relevance: 4.6, APIs: 3, Instructions: 80COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00E0B881), ref: 00E0BF40
EnableWindow.USER32(?,00000000), ref: 00E0BFD1
DestroyWindow.USER32(?,?,?), ref: 00E0BFF7

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$DestroyEnableErrorLast
String ID:
API String ID: 2755773105-0
Opcode ID: b2dbbf70f3f65dbd8e9534b7cf2a9f93f72c5d0175795f8e5e043e42effb9b04
Instruction ID: ab0cc1879c05ea8c628f2c5406f52c7211bca459b2558a213f66c555962e5841
Opcode Fuzzy Hash: b2dbbf70f3f65dbd8e9534b7cf2a9f93f72c5d0175795f8e5e043e42effb9b04
Instruction Fuzzy Hash: AA21D57161020A9BDB20AF18EC41BAAB794EB54320F104267FD08D7791D776ECA0DBF1

Function 00E8FD83 Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00E8FD7D,?,00E89912,?,?,93D979FF,00E89912,?), ref: 00E8FD94
TerminateProcess.KERNEL32(00000000,?,00E8FD7D,?,00E89912,?,?,93D979FF,00E89912,?), ref: 00E8FD9B
ExitProcess.KERNEL32 ref: 00E8FDAD

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: bf4f4abf2a1402a3a0b3762c9b6a0a7128540fbfd11efd8f54d5924113a36a25
Instruction ID: 7cb233e43fdcd74edb3cfdf5f0319f8f53386495f5b8893aa8a9a1472917ba3b
Opcode Fuzzy Hash: bf4f4abf2a1402a3a0b3762c9b6a0a7128540fbfd11efd8f54d5924113a36a25
Instruction Fuzzy Hash: 75D06C31004108BFCF513FA1EC0D99A3F6ABE44359B145024FA0E6A072EBB199A2AB81

Function 00DEBB70 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,93D979FF), ref: 00DEBD10

Part of subcall function 00DEBDD0: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,?,?,80004005), ref: 00DEBDDD

Strings

USERPROFILE, xrefs: 00DEBBBE

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$EnvironmentFolderHeapPathProcessSpecialVariable
String ID: USERPROFILE
API String ID: 1777821646-2419442777
Opcode ID: 37abd023daa8159d99a715279d1d1fffc2e6a1def1b30ffc7f7e66fc01ac292a
Instruction ID: 9f83bf5c440183c4eebe8c85c4b6dcc1c205fac839379e0b352582adb6b11e4a
Opcode Fuzzy Hash: 37abd023daa8159d99a715279d1d1fffc2e6a1def1b30ffc7f7e66fc01ac292a
Instruction Fuzzy Hash: CB619271A006499FDB14EF69CC55BAEB7B4FF44320F14466EE916D7391DB30A900CBA0

Function 00E2A1A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,93D979FF,?,00000010,?,?,00EF868E,000000FF), ref: 00E2A228

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

Part of subcall function 00E29FE0: ConnectNamedPipe.KERNEL32(?,00000000,93D979FF,?,000000FF,?,?,00000000,00EF863E,000000FF,?,00E2A25A,000000FF,?,00000001), ref: 00E2A01C
Part of subcall function 00E29FE0: GetLastError.KERNEL32(?,?,00000000,00EF863E,000000FF,?,00E2A25A,000000FF,?,00000001), ref: 00E2A026

Strings

\\.\pipe\ToServer, xrefs: 00E2A2E4, 00E2A2F5, 00E2A2FF

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$ConnectErrorFileHeapLastNamedPipeProcessWrite
String ID: \\.\pipe\ToServer
API String ID: 3549655173-63420281
Opcode ID: a83bb8d44f8412995ff93b3d1e1ea1012bdd119d085ef50a704a7c45ba360c0e
Instruction ID: d635cabae32a865bc078af3d4e57f1afd8f8e55b2f27332764f176640216f27b
Opcode Fuzzy Hash: a83bb8d44f8412995ff93b3d1e1ea1012bdd119d085ef50a704a7c45ba360c0e
Instruction Fuzzy Hash: C0419072A04218EFDB04CF58D805BAEB7E8EF44724F14426EF915DB390DB76A900CB90

Function 00EA47BA Relevance: 3.2, APIs: 2, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 00EA42EA: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 00EA4315

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00EA4601,?,00000000,?,?,?), ref: 00EA481B
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EA4601,?,00000000,?,?,?), ref: 00EA485D

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 7a7021d5e4f413cf247765f02eda9bde912c512f641d2a42ba25161b33cd1755
Instruction ID: e9731a4f5d54736f74913999233dc8c388376b561cb3f60c5640d793b1597908
Opcode Fuzzy Hash: 7a7021d5e4f413cf247765f02eda9bde912c512f641d2a42ba25161b33cd1755
Instruction Fuzzy Hash: F55138B1A003868EDB24CF75C4516ABBBE5FFCA304F14506EE096AF191D7F4A906CB50

Function 00E2F3D0 Relevance: 3.1, APIs: 2, Instructions: 129COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00E2F421
EndDialog.USER32(00000000,00000001), ref: 00E2F430

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: DialogWindow
String ID:
API String ID: 2634769047-0
Opcode ID: b1ea7d82171625c86df98a94923f9883902c46bbb0ac25981bb79d67f1df89f4
Instruction ID: 693f2d511a7903d37617372e1099b9a09fc64de70cdebb4b0c62d09928975247
Opcode Fuzzy Hash: b1ea7d82171625c86df98a94923f9883902c46bbb0ac25981bb79d67f1df89f4
Instruction Fuzzy Hash: 55517A30A01745DFD711DF68C948B4AFBF4FF49314F1486A9D459EB2A1DB70AA04CB91

Function 6CA980B0 Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000,461C95ED,?,461C95ED,6CAD170E,000000FF), ref: 6CA98100

Part of subcall function 6CA78270: GetProcessHeap.KERNEL32 ref: 6CA782CC

FreeLibrary.KERNEL32(00000000,?,80004005), ref: 6CA981BB

Part of subcall function 6CA79680: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,6CA98135,-00000010), ref: 6CA796B8

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: FindFolderFreeHeapLibraryPathProcessResourceSpecial
String ID:
API String ID: 584424649-0
Opcode ID: 5e83ba3d97ce627320fff27de169ffa66ec8192e80e0d48e64b4a86f59d1655e
Instruction ID: d8559a1a8d8b307f0af2da2b58a090f6b1fb3b2276acaed557ea0cba5efd2a1e
Opcode Fuzzy Hash: 5e83ba3d97ce627320fff27de169ffa66ec8192e80e0d48e64b4a86f59d1655e
Instruction Fuzzy Hash: 523181756102059FEB24DF68C905BEE77F8FF04704F14851EE919DBA81DB709A48CB91

Function 00D8C500 Relevance: 3.1, APIs: 2, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 00D8C54A
DestroyWindow.USER32(00000004,?,?,?,?,?,?,?,?,000000FF), ref: 00D8C557

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Destroy
String ID:
API String ID: 3707531092-0
Opcode ID: 7ac13f5129bc7fd17241dc9c05660c4c731c32c85239e797748496b9be7f447e
Instruction ID: 9f9a5297024481fa43e6c4d57fc90543f2f9bd3de2c00ac54bef0eed02aebb3b
Opcode Fuzzy Hash: 7ac13f5129bc7fd17241dc9c05660c4c731c32c85239e797748496b9be7f447e
Instruction Fuzzy Hash: E1318D70814789EBCB01DF68C94878EFBF4FF11310F54429AE055A76D1EBB46A08EB91

Function 00DEF130 Relevance: 3.0, APIs: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DEE740: LoadLibraryW.KERNEL32(ComCtl32.dll,93D979FF,?,00000000,00000000), ref: 00DEE77E
Part of subcall function 00DEE740: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00DEE7A1
Part of subcall function 00DEE740: FreeLibrary.KERNEL32(00000000), ref: 00DEE81F

Part of subcall function 00DEE740: LoadImageW.USER32(?,?,00000001,00000000,00000000,?), ref: 00DEE801

SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00DEF174
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DEF17F

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: LibraryLoadMessageSend$AddressFreeImageProc
String ID:
API String ID: 2968665230-0
Opcode ID: ac1aab7f3af297752b73d9307efdd5775aaf8f83fcf3b33cfeaafe6876d1bae4
Instruction ID: c018c6fc5f136ba3e20ef2ade8f676d53bf6df6499c90d08d93fdf3292b6d4f3
Opcode Fuzzy Hash: ac1aab7f3af297752b73d9307efdd5775aaf8f83fcf3b33cfeaafe6876d1bae4
Instruction Fuzzy Hash: 3CF0393278531837F660315A5C47F67B64DDB81B64F144266FA98AB2D2ECC67C0002E9

Function 00E9E778 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

LCMapStringEx.KERNEL32(?,00E9EAFA,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00E9E7AC
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00E9EAFA,?,?,00000000,?,00000000), ref: 00E9E7CA

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: cd0ea35176bddb502d7ceb20ec45fdfb17cb33c25aa3f94e9ab1e2ab0bb618ea
Instruction ID: 81f1e5a5c3aa03bf5073f665612933f098fad0b014ac2f59ea178cc4274e39e4
Opcode Fuzzy Hash: cd0ea35176bddb502d7ceb20ec45fdfb17cb33c25aa3f94e9ab1e2ab0bb618ea
Instruction Fuzzy Hash: 59F0643200121AFBCF12AF91DC05ADE3F66BB483A0F099421FA1865220DA32D871AB91

Function 00DD4B40 Relevance: 2.6, APIs: 2, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,00000000,?,00000000,00EB6AAD,000000FF,?,80004005,?,?), ref: 00DD4B58
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,00000000,00EB6AAD,000000FF,?,80004005,?,?,?,00000000), ref: 00DD4B8A

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 76e96efe98f7c972be95eeba69371a68a3964439f10d427f2d125b876034de13
Instruction ID: cf410fdb3bb29789e5b3c4d72211d2863f305f00f0ac63311613163aca27e6df
Opcode Fuzzy Hash: 76e96efe98f7c972be95eeba69371a68a3964439f10d427f2d125b876034de13
Instruction Fuzzy Hash: B201C036301212AFD6109B59DC99F5AB759EF94321F21422BF314AB3D0CA71A8119BA0

Function 00E9CA2D Relevance: 2.5, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,00000000,?,00E9E9C9,00000000,00E9A813,00000000,?,00E8E5A5,00000000,00E9A813,?,?,?,?,00E9A60D), ref: 00E9CA43
GetLastError.KERNEL32(?,?,00E9E9C9,00000000,00E9A813,00000000,?,00E8E5A5,00000000,00E9A813,?,?,?,?,00E9A60D,?), ref: 00E9CA4E

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 54ed915b345983d67608f5342584db02ec7fcd0f615f285e4d78732ba56f47d9
Instruction ID: ba0f34bcd5fc0b30490a3fddc4da28ece1aa3c455bea227eb1afdc58441bf470
Opcode Fuzzy Hash: 54ed915b345983d67608f5342584db02ec7fcd0f615f285e4d78732ba56f47d9
Instruction Fuzzy Hash: D7E0C23250032CABDF117FF4FC0DB997B98AB40795F149020F60CA6062FAB08940EBA4

Function 00E2EB70 Relevance: 1.7, APIs: 1, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 233a8640ec8fe65263e968477593a7b11663090aa45185a7734416e2e93a5652
Instruction ID: 8ed3969d91a653a13602c9cf43348e6e4dbe2fbb826600dfb9dde39106c672f7
Opcode Fuzzy Hash: 233a8640ec8fe65263e968477593a7b11663090aa45185a7734416e2e93a5652
Instruction Fuzzy Hash: 4F61B0716006359FCB20DF68E885A6AF7E4FF48324F154669E915EB3A1DB30EC00CBA0

Function 00EA43BE Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,00EA460D,00EA4601,00000000), ref: 00EA43F0

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 7071219c156faaf26d544abafc0b30b800927fea4527cd1d3c1d33fa9764fcbb
Instruction ID: bc12d2cd109d1e7301ad0f725cbdfef271146652ba7953604f0609dd3b3d1cd4
Opcode Fuzzy Hash: 7071219c156faaf26d544abafc0b30b800927fea4527cd1d3c1d33fa9764fcbb
Instruction Fuzzy Hash: 3E516EB19041585BDB218A28CD80BE57BFCEB9F304F2415EDD5AAEB182D270BD45DF20

Function 00DEA540 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,93D979FF,?,93D979FF,00EEBFAE,000000FF), ref: 00DEA58F

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$HeapPathProcessTemp
String ID:
API String ID: 764064751-0
Opcode ID: 9f3f7f5b87cc7991943f724e8c1ec3dba4f32bb826e8d5f928c1bc19a2aaf2ac
Instruction ID: 907bbb2c19c395da27fa7890b8e5e1f1eb0f96c7ead3cfb8791051270fdef69b
Opcode Fuzzy Hash: 9f3f7f5b87cc7991943f724e8c1ec3dba4f32bb826e8d5f928c1bc19a2aaf2ac
Instruction Fuzzy Hash: 2C3190B450028A9FDB14EF6DC819BAE77E4FF44704F14892EE91ADB381EB749904CB51

Function 00E12F70 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,00E130A0,?), ref: 00E12FBB

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: EnumLanguagesResource
String ID:
API String ID: 4141015960-0
Opcode ID: a9986713dab8d674078afa55aaeaa6eef0b9a023f523448a7d9935ddf324e17a
Instruction ID: 1108a7ea91277ba759775f2a58fa56151cf46acbf1663a2fb68b132f60fad069
Opcode Fuzzy Hash: a9986713dab8d674078afa55aaeaa6eef0b9a023f523448a7d9935ddf324e17a
Instruction Fuzzy Hash: 7C41A67190024A9BDB10DF64C885BDEFBF4FF48714F10165AE425B7681DBB69A84CBA0

Function 00E2ECE0 Relevance: 1.6, APIs: 1, Instructions: 83synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,93D979FF,?,?,80004005,93D979FF,?,?,00000000), ref: 00E2ECF2

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: f3fcf83bba078a469413769d34d464f2ef80e13d93849a403ca1660eece208d6
Instruction ID: 1c6623dfe2c004782c995a0c5b806461b713d0d50a7432595f0c84026054c6f5
Opcode Fuzzy Hash: f3fcf83bba078a469413769d34d464f2ef80e13d93849a403ca1660eece208d6
Instruction Fuzzy Hash: 4F21DF71300A369FC720AFA8E884E46F7E9BF14710B065525EA14BB762DBA0EC5187D0

Function 00DF0100 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00DF0370: __Init_thread_footer.LIBCMT ref: 00DF03E6

Part of subcall function 00E84BA2: EnterCriticalSection.KERNEL32(00F97FD8,?,93D979FF,?,00CD9D66,00F98C04,93D979FF,93D979FF,?,00EACC0D,000000FF,?,00E2EBD6,93D979FF,?,?), ref: 00E84BAD
Part of subcall function 00E84BA2: LeaveCriticalSection.KERNEL32(00F97FD8,?,00CD9D66,00F98C04,93D979FF,93D979FF,?,00EACC0D,000000FF,?,00E2EBD6,93D979FF,?,?,00000000), ref: 00E84BEA

__Init_thread_footer.LIBCMT ref: 00DF01E0

Part of subcall function 00E84B58: EnterCriticalSection.KERNEL32(00F97FD8,93D979FF,?,00CD9DD7,00F98C04,00F07520), ref: 00E84B62
Part of subcall function 00E84B58: LeaveCriticalSection.KERNEL32(00F97FD8,?,00CD9DD7,00F98C04,00F07520), ref: 00E84B95
Part of subcall function 00E84B58: RtlWakeAllConditionVariable.NTDLL ref: 00E84C0C

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionVariableWake
String ID:
API String ID: 984842325-0
Opcode ID: 1777190cb7bf32f3daee4781b3fcb70c67d71fb54d43b4a7c3a45b537e797d1e
Instruction ID: 13f24d514c4517131a7df19680c00547a2c679eb672720d523f189a5f132886f
Opcode Fuzzy Hash: 1777190cb7bf32f3daee4781b3fcb70c67d71fb54d43b4a7c3a45b537e797d1e
Instruction Fuzzy Hash: 6331FF70548388DBEB20DF48EC86B68B7E0F705714F12861EE61597691D3FAB900DB68

Function 00CD90A0 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00E83F72: EnterCriticalSection.KERNEL32(00F97F5C,00000000,?,?,00CD90D7,00000000,93D979FF,00000000,?,00000000,?,-00000010,00EACB30,000000FF,?,00CD92B0), ref: 00E83F7D
Part of subcall function 00E83F72: LeaveCriticalSection.KERNEL32(00F97F5C,?,00CD90D7,00000000,93D979FF,00000000,?,00000000,?,-00000010,00EACB30,000000FF,?,00CD92B0,00000000,00000000), ref: 00E83FA9

FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,93D979FF,00000000,?,00000000,?,-00000010,00EACB30,000000FF,?,00CD92B0,00000000), ref: 00CD90F6

Part of subcall function 00CD9160: LoadResource.KERNEL32(00000000,00000000,93D979FF,00000001,00000000,?,00000000,00EAC480,000000FF,?,00CD910C,?,?,00CD92B0,00000000,00000000), ref: 00CD918B
Part of subcall function 00CD9160: LockResource.KERNEL32(00000000,?,00CD910C,?,?,00CD92B0,00000000,00000000,00000000,00CD9418,-00000010,?,00000000), ref: 00CD9196
Part of subcall function 00CD9160: SizeofResource.KERNEL32(00000000,00000000,?,00CD910C,?,?,00CD92B0,00000000,00000000,00000000,00CD9418,-00000010,?,00000000), ref: 00CD91A4

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Resource$CriticalSection$EnterFindLeaveLoadLockSizeof
String ID:
API String ID: 529824247-0
Opcode ID: 4b96f2887ebf5dea21c4fb326d964c9a41237a3e7c0d48085ed756c35136e39a
Instruction ID: 7bce6fa757231706035be8c6231d34a66722ee73b2a7d3be457be6ed13a90634
Opcode Fuzzy Hash: 4b96f2887ebf5dea21c4fb326d964c9a41237a3e7c0d48085ed756c35136e39a
Instruction Fuzzy Hash: 9311EB36F046156BD7255B59AC42B7AB3F8E745B64F00027FFA0AD3381DA355D0042D0

Function 00DE9390 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00DE9470: DeleteFileW.KERNEL32(00000000,0000002A,00000000,?,93D979FF,?), ref: 00DE94E0

RemoveDirectoryW.KERNEL32(00000000,?,93D979FF,?,?,?,00000000,?,00000000,00EEBD13,000000FF,?,C000008C), ref: 00DE93EE

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: DeleteDirectoryFileRemove
String ID:
API String ID: 3325800564-0
Opcode ID: 58213e194788f25d525242069665b21678de734e0fef651011bce105083083b6
Instruction ID: fdae45a33906644df20ad78a6303feb5f695a5076c9dc5557a0b97e2e6886a10
Opcode Fuzzy Hash: 58213e194788f25d525242069665b21678de734e0fef651011bce105083083b6
Instruction Fuzzy Hash: C421B671900248CFCB25EF69C894A9EF7B4FB09320F44466AE8296B381D7309D01CBA0

Function 00CD92A0 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00CD90A0: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,93D979FF,00000000,?,00000000,?,-00000010,00EACB30,000000FF,?,00CD92B0,00000000), ref: 00CD90F6

FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,00CD9418,-00000010,?,00000000), ref: 00CD92C3

Part of subcall function 00CD9160: LoadResource.KERNEL32(00000000,00000000,93D979FF,00000001,00000000,?,00000000,00EAC480,000000FF,?,00CD910C,?,?,00CD92B0,00000000,00000000), ref: 00CD918B
Part of subcall function 00CD9160: LockResource.KERNEL32(00000000,?,00CD910C,?,?,00CD92B0,00000000,00000000,00000000,00CD9418,-00000010,?,00000000), ref: 00CD9196
Part of subcall function 00CD9160: SizeofResource.KERNEL32(00000000,00000000,?,00CD910C,?,?,00CD92B0,00000000,00000000,00000000,00CD9418,-00000010,?,00000000), ref: 00CD91A4

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Resource$Find$LoadLockSizeof
String ID:
API String ID: 3127896203-0
Opcode ID: 82862d9a219c39038b7dd3e7c0738458c93fbb57768e75ea6c2b3d84115bc39f
Instruction ID: 720882d7360d7860c60c47aef46b521cbb65d1bdc134d0706a4f2bab350d63f0
Opcode Fuzzy Hash: 82862d9a219c39038b7dd3e7c0738458c93fbb57768e75ea6c2b3d84115bc39f
Instruction Fuzzy Hash: A311A07A3001256BD704AB69D8C497BB3DDEF88310B14806BF645CB351DB76DD11D7A0

Function 00DD0A10 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00E84BA2: EnterCriticalSection.KERNEL32(00F97FD8,?,93D979FF,?,00CD9D66,00F98C04,93D979FF,93D979FF,?,00EACC0D,000000FF,?,00E2EBD6,93D979FF,?,?), ref: 00E84BAD
Part of subcall function 00E84BA2: LeaveCriticalSection.KERNEL32(00F97FD8,?,00CD9D66,00F98C04,93D979FF,93D979FF,?,00EACC0D,000000FF,?,00E2EBD6,93D979FF,?,?,00000000), ref: 00E84BEA

__Init_thread_footer.LIBCMT ref: 00DD0A82

Part of subcall function 00E84B58: EnterCriticalSection.KERNEL32(00F97FD8,93D979FF,?,00CD9DD7,00F98C04,00F07520), ref: 00E84B62
Part of subcall function 00E84B58: LeaveCriticalSection.KERNEL32(00F97FD8,?,00CD9DD7,00F98C04,00F07520), ref: 00E84B95
Part of subcall function 00E84B58: RtlWakeAllConditionVariable.NTDLL ref: 00E84C0C

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID:
API String ID: 2296764815-0
Opcode ID: 858d40842e42d3ad27eefc30ec79b7c10d031c437d63b0b700a711f28718d58f
Instruction ID: aa6922f73679ffdbcb5da1678084f38af77511e3548862ed904eedbe7a0e334d
Opcode Fuzzy Hash: 858d40842e42d3ad27eefc30ec79b7c10d031c437d63b0b700a711f28718d58f
Instruction Fuzzy Hash: 4001D8B1948644DFD719DF9DE942B4877E0E748720F01427EE429933D1D671E8019A62

Function 00DF0370 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00E84BA2: EnterCriticalSection.KERNEL32(00F97FD8,?,93D979FF,?,00CD9D66,00F98C04,93D979FF,93D979FF,?,00EACC0D,000000FF,?,00E2EBD6,93D979FF,?,?), ref: 00E84BAD
Part of subcall function 00E84BA2: LeaveCriticalSection.KERNEL32(00F97FD8,?,00CD9D66,00F98C04,93D979FF,93D979FF,?,00EACC0D,000000FF,?,00E2EBD6,93D979FF,?,?,00000000), ref: 00E84BEA

Part of subcall function 00DF0410: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00DF047E
Part of subcall function 00DF0410: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00DF04C5
Part of subcall function 00DF0410: RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00DF04E4
Part of subcall function 00DF0410: RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00DF0513
Part of subcall function 00DF0410: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00DF0588

__Init_thread_footer.LIBCMT ref: 00DF03E6

Part of subcall function 00E84B58: EnterCriticalSection.KERNEL32(00F97FD8,93D979FF,?,00CD9DD7,00F98C04,00F07520), ref: 00E84B62
Part of subcall function 00E84B58: LeaveCriticalSection.KERNEL32(00F97FD8,?,00CD9DD7,00F98C04,00F07520), ref: 00E84B95
Part of subcall function 00E84B58: RtlWakeAllConditionVariable.NTDLL ref: 00E84C0C

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalQuerySectionValue$EnterLeave$ConditionInit_thread_footerOpenVariableWake
String ID:
API String ID: 3563064969-0
Opcode ID: 54cdcfa28bdc1650d571c54869ca06b87162ad5732aea38b7ffb2e25de99989d
Instruction ID: 00a390c39566ecce623771cef6d861d1559d9d8405119054da6937dcda60b041
Opcode Fuzzy Hash: 54cdcfa28bdc1650d571c54869ca06b87162ad5732aea38b7ffb2e25de99989d
Instruction Fuzzy Hash: 1501F2B1A48688DFDB10EF9CDD46B19B7E0E705B20F12472DFA25973C1C6B1A908DB61

Function 6CA77F30 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CAA1CAA: RaiseException.KERNEL32(E06D7363,00000001,00000003,6CA7ECF9,00000000,?,?,6CA9E125,6CA7ECF9,6CAFC84C,00000000,6CA7ECF9,00000000,-00000002), ref: 6CAA1D0A

RtlAllocateHeap.NTDLL(00000000,00000000,?,461C95ED,00000000,6CABED80,000000FF,?,?,6CAFD24C,?,6CA981AD,80004005), ref: 6CA77F7A

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID:
API String ID: 3789339297-0
Opcode ID: f21594450fca7ff02370293cbe5a296347e1962eceb3b3396100344205c0ca48
Instruction ID: 9376909621457c875cbe0b96103ba8ca7d6f0e44aedc25ba0701f0b90d6d4763
Opcode Fuzzy Hash: f21594450fca7ff02370293cbe5a296347e1962eceb3b3396100344205c0ca48
Instruction Fuzzy Hash: 78F08235A04248BFCB158F54CD00F59BBA9F709610F008969B91593A50D735A805CA94

Function 00CD9980 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8641A: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,80004005,93D979FF,?,?,00000000), ref: 00E8647A

RtlAllocateHeap.NTDLL(?,00000000,?,93D979FF,00000000,00EAC6B0,000000FF,?,?,00F8C42C,00000000,00E2ECDB,80004005,93D979FF,?,?), ref: 00CD99CA

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID:
API String ID: 3789339297-0
Opcode ID: 4166954b86a0e3ef09442423a879957fce73315f9834a703afb3e89794805801
Instruction ID: 471b497f8a9d9123cadcd9477196ac3dacacb0130a18efb0163758ca6d329b9c
Opcode Fuzzy Hash: 4166954b86a0e3ef09442423a879957fce73315f9834a703afb3e89794805801
Instruction Fuzzy Hash: 13F0A771644248BFC701DF54DC02F59BBB8F708B10F10852EFA1996790DB76A800DB44

Function 00E9CA67 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00E9A813,?,00E9E9B8,?,00000000,?,00E8E5A5,00000000,00E9A813,?,?,?,?,00E9A60D), ref: 00E9CA99

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7c60a5607a28fbcb981c2e275050e6454975a25c729422852a9379479d8b8119
Instruction ID: 40e1154248e7fe243e71fadb16628ec404ca8bed03b95c4985f844bf81aa7469
Opcode Fuzzy Hash: 7c60a5607a28fbcb981c2e275050e6454975a25c729422852a9379479d8b8119
Instruction Fuzzy Hash: 35E09B3160162D6AEE21B769DC05B9A7699AF463E4F353111EC07B60D1EFD0CC4091E9

Function 6CA77FA0 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,461C95ED,?,Function_0006ED80,000000FF), ref: 6CA77FCF

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7a99260785bb581b23b57f8bb93dcfeb554c53f8574c023cbc7478e1401e783d
Instruction ID: 72c86d0d42a17abbee5a5ae6e3bd6c1702e73df9bc3b4329d62cfaa281f76b1e
Opcode Fuzzy Hash: 7a99260785bb581b23b57f8bb93dcfeb554c53f8574c023cbc7478e1401e783d
Instruction Fuzzy Hash: 72E09275604648AFD711CF04DD40F16BBFCF709B10F10866AF815D3B80D735A400CAA0

Function 6CAADE24 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CAADE2B

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: cc8c53aeb09dbf2a65984417bdf6fbff9c4a669332c97f401b6f2e1e0780a368
Instruction ID: b27a80843e6db5119ce1aa82a09d154d506760a23cb57b5e7aacd039f825ee3c
Opcode Fuzzy Hash: cc8c53aeb09dbf2a65984417bdf6fbff9c4a669332c97f401b6f2e1e0780a368
Instruction Fuzzy Hash: 59E09A72C0020D9FDB00DFD4C545BEFBBB8BB04304F504566A245E7640EB789789DBA1

Function 00E9A77B Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E9A782

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: e967cf4d48fb111ba3d9ad7a1cc2169c4bcc8586d93df44cab9766c0d2644dc2
Instruction ID: ff475af762a0bd81043e1eda169e790019c2160d54ee5755aec4cca1c05495ac
Opcode Fuzzy Hash: e967cf4d48fb111ba3d9ad7a1cc2169c4bcc8586d93df44cab9766c0d2644dc2
Instruction Fuzzy Hash: CFE0E572D4020E9ADB01EFD4C446BEFBBF8AB04300F504026A248F6141EB7463449BA1

Non-executed Functions

Function 00CD3010 Relevance: 170.0, Strings: 134, Instructions: 2486COMMON

Download Yara Rule

Strings

MsiConfigureServices, xrefs: 00CD566D, 00CD5693
Environment, xrefs: 00CD48B3, 00CD51EF
RegisterComPlus, xrefs: 00CD555C
RemoveFile, xrefs: 00CD4A45
UnregisterProgIdInfo, xrefs: 00CD45EF
RemoveIniValues, xrefs: 00CD46FB, 00CD4781
PatchSize, xrefs: 00CD4D14
AI_ExtractPrereq, xrefs: 00CD5A79
WriteRegistryValues, xrefs: 00CD50BD
RemoveDuplicateFiles, xrefs: 00CD4913
RegisterFonts, xrefs: 00CD524F
InstallFiles, xrefs: 00CD4C2E
PublishComponents, xrefs: 00CD5779
AI_XmlElement, xrefs: 00CD5C31, 00CD6190
Shortcut, xrefs: 00CD482D, 00CD4E63
Feature, xrefs: 00CD3F47, 00CD58A2
AI_AppSearchEx, xrefs: 00CD5F76, 00CD5F9C
Feature_, xrefs: 00CD3DF0, 00CD45A2, 00CD4F77, 00CD5836, 00CD5A2C, 00CD5AB2, 00CD5B38, 00CD5BBE
InstallODBC, xrefs: 00CD52CC, 00CD5352, 00CD53D8
AI_DownloadPrereq, xrefs: 00CD59F3
RegisterProgIdInfo, xrefs: 00CD4FBD
30000, xrefs: 00CD3DA1, 00CD5156, 00CD5812
Component_, xrefs: 00CD3ED4, 00CD3FE0, 00CD4075, 00CD40EC, 00CD41F8, 00CD427E, 00CD4318, 00CD4410, 00CD4496, 00CD4734, 00CD47BA, 00CD4840, 00CD48C6, 00CD494C, 00CD49D2, 00CD4AD5, 00CD4B5B, 00CD4BE1, 00CD4C67, 00CD4D73, 00CD4E76, 00CD50F6, 00CD517C, 00CD5202, 00CD5305, 00CD538B, 00CD5416, 00CD5497, 00CD559A, 00CD5620, 00CD56B5, 00CD572C, 00CD57B2
SelfReg, xrefs: 00CD415F, 00CD550A
AI_GxUninstall, xrefs: 00CD5EF9
UnpublishFeatures, xrefs: 00CD3F1C
MsiAssembly, xrefs: 00CD5825
1800, xrefs: 00CD5C1E, 00CD617D
AI_XmlUninstall, xrefs: 00CD616A, 00CD61F0
ServiceInstall, xrefs: 00CD560D
CreateShortcuts, xrefs: 00CD4E3D
SelfRegModules, xrefs: 00CD54E4
ServiceControl, xrefs: 00CD3FCD, 00CD4053, 00CD5719
3000, xrefs: 00CD3BBF, 00CD3EAE, 00CD3F34, 00CD40C6, 00CD43EA, 00CD4470, 00CD44F6, 00CD457C, 00CD4602, 00CD4688, 00CD48A0, 00CD4ED6, 00CD504D, 00CD5471, 00CD5574
20000, xrefs: 00CD5706
DuplicateFiles, xrefs: 00CD4D3A
100, xrefs: 00CD4CC7, 00CD4FD0, 00CD5F0C
CreateFolders, xrefs: 00CD4B22
MoveFile, xrefs: 00CD4BCE
120000, xrefs: 00CD481A
UnregisterClassInfo, xrefs: 00CD44E3
InstallFinalize, xrefs: 00CD5976
Complus, xrefs: 00CD40D9, 00CD5587
AI_InstallPostPrerequisite, xrefs: 00CD5B85
WriteIniValues, xrefs: 00CD5143
PublishFeatures, xrefs: 00CD587C
3000000, xrefs: 00CD51DC
WriteEnvironmentStrings, xrefs: 00CD51C9
1500000, xrefs: 00CD55FA
1500, xrefs: 00CD4709, 00CD4794, 00CD5C9B, 00CD6203
AI_GxInstall, xrefs: 00CD5D05
Options, xrefs: 00CD5B5F, 00CD5BE0
StopServices, xrefs: 00CD3FA7, 00CD402D
AppSearch, xrefs: 00CD321B, 00CD32A4
FileSize, xrefs: 00CD4C8E
AI_InstallPrerequisite, xrefs: 00CD5AFF
CostInitialize, xrefs: 00CD33FD
Font, xrefs: 00CD4377, 00CD5275
AppId, xrefs: 00CD4509, 00CD4EE9
100000, xrefs: 00CD5989
RemoveEnvironmentStrings, xrefs: 00CD488D
InstallServices, xrefs: 00CD55E7
~, xrefs: 00CD5B69
Location, xrefs: 00CD5A53, 00CD5AD9
2000, xrefs: 00CD3255, 00CD5D18, 00CD5D95, 00CD5E12, 00CD5E8F, 00CD6006, 00CD6083, 00CD6100
AI_UserGroups, xrefs: 00CD5E25, 00CD6019
AI_UninstallAccounts, xrefs: 00CD5D82
PublishComponent, xrefs: 00CD3EC1, 00CD579F
File, xrefs: 00CD3668, 00CD49BF, 00CD4C4F
15000, xrefs: 00CD3FBA, 00CD4040, 00CD4BBB, 00CD4D4D, 00CD4F53, 00CD5680, 00CD588F
RemoveFiles, xrefs: 00CD4999, 00CD4A1F
ODBCTranslator, xrefs: 00CD426B, 00CD5378
AI_ProcessGroups, xrefs: 00CD5FF3
AI_UninstallGroups, xrefs: 00CD5DFF
RegisterClassInfo, xrefs: 00CD4EC3
AI_ProcessTasks, xrefs: 00CD60ED
CostFinalize, xrefs: 00CD37AC
AI_UninstallTasks, xrefs: 00CD5E7C
UnregisterMIMEInfo, xrefs: 00CD4675
ProcessComponents, xrefs: 00CD3B70
RegisterTypeLibraries, xrefs: 00CD545E
UnpublishComponents, xrefs: 00CD3E9B
ODBCDataSource, xrefs: 00CD41E5, 00CD52F2
AI_UserAccounts, xrefs: 00CD5DA8, 00CD6096
AI_ProcessAccounts, xrefs: 00CD6070
RemoveIniFile, xrefs: 00CD4721
12000, xrefs: 00CD41D2, 00CD4258, 00CD42DE, 00CD4926, 00CD49AC, 00CD4A32, 00CD4AAF, 00CD4B35, 00CD4E50, 00CD52DF, 00CD5365, 00CD53EB
Registry, xrefs: 00CD43FD, 00CD50E3
MoveFiles, xrefs: 00CD4BA8
Extension, xrefs: 00CD458F, 00CD4F66
500, xrefs: 00CD5F89
UnregisterExtensionInfo, xrefs: 00CD4569
SelfUnregModules, xrefs: 00CD4139
CreateFolder, xrefs: 00CD4AC2, 00CD4B48
Patch, xrefs: 00CD4CDA
200000, xrefs: 00CD590C
IniFile, xrefs: 00CD47A7, 00CD5169
AI_DefaultActionCost, xrefs: 00CD6370
RemoveRegistry, xrefs: 00CD4483
AI_CountRowAction, xrefs: 00CD62F3
RemoveExistingProducts, xrefs: 00CD3034
DuplicateFile, xrefs: 00CD4939, 00CD4D60
8000, xrefs: 00CD414C, 00CD4364, 00CD5262, 00CD54F7
UnregisterComPlus, xrefs: 00CD40B3
MsiPublishAssemblies, xrefs: 00CD57FF
RegisterExtensionInfo, xrefs: 00CD4F40
AI_ChainProductsPseudo, xrefs: 00CD6276
5000, xrefs: 00CD4DD3
AI_Game, xrefs: 00CD5D2B, 00CD5F1F
StartServices, xrefs: 00CD56F3
InstallInitialize, xrefs: 00CD58F9
RemoveShortcuts, xrefs: 00CD4807
AI_ScheduledTasks, xrefs: 00CD6113
AI_XmlInstall, xrefs: 00CD5C0B, 00CD5C88
PatchFiles, xrefs: 00CD4CB4
MIME, xrefs: 00CD469B, 00CD5060
10000, xrefs: 00CD578C, 00CD6383
FileCost, xrefs: 00CD35E4
UnregisterFonts, xrefs: 00CD4351
RemoveODBC, xrefs: 00CD41BF, 00CD4245, 00CD42CB
AI_XmlAttribute, xrefs: 00CD5CAE, 00CD6211
ProgId, xrefs: 00CD4615, 00CD4FE3
6000, xrefs: 00CD50D0
RemoveRegistryValues, xrefs: 00CD43D7, 00CD445D
RegisterMIMEInfo, xrefs: 00CD503A
Component, xrefs: 00CD3486, 00CD384A, 00CD3A2C, 00CD3C0E
InstallValidate, xrefs: 00CD398E
RemoveFolders, xrefs: 00CD4A9C
TypeLib, xrefs: 00CD5484
AI_PreRequisite, xrefs: 00CD5A19, 00CD5A9F, 00CD5B25, 00CD5BAB
800, xrefs: 00CD39DD
MsiUnpublishAssemblies, xrefs: 00CD3D52
BindImage, xrefs: 00CD4DC0, 00CD4DE6
ODBCDriver, xrefs: 00CD42F1, 00CD53FE

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$800$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
API String ID: 0-2910470256
Opcode ID: 4bf8866a52f6e94a1842aa250110e784a1176d12bbe121584bc85fa8295b9743
Instruction ID: 738eae7e200a1da25b28693d7aadbd51d54dbdb1347ce651f4488183953c1d69
Opcode Fuzzy Hash: 4bf8866a52f6e94a1842aa250110e784a1176d12bbe121584bc85fa8295b9743
Instruction Fuzzy Hash: 82331B20A49388F9EB46EBF4AD1A76D39519F91714F50434EF2402B3D3DBB46A04B3A7

Function 00CD45FE Relevance: 141.6, Strings: 112, Instructions: 1550COMMON

Download Yara Rule

Strings

MsiConfigureServices, xrefs: 00CD566D, 00CD5693
Environment, xrefs: 00CD48B3, 00CD51EF
RegisterComPlus, xrefs: 00CD555C
RemoveFile, xrefs: 00CD4A45
RemoveIniValues, xrefs: 00CD46FB, 00CD4781
PatchSize, xrefs: 00CD4D14
AI_ExtractPrereq, xrefs: 00CD5A79
WriteRegistryValues, xrefs: 00CD50BD
RemoveDuplicateFiles, xrefs: 00CD4913
RegisterFonts, xrefs: 00CD524F
InstallFiles, xrefs: 00CD4C2E
PublishComponents, xrefs: 00CD5779
AI_XmlElement, xrefs: 00CD5C31, 00CD6190
Shortcut, xrefs: 00CD482D, 00CD4E63
Feature, xrefs: 00CD58A2
AI_AppSearchEx, xrefs: 00CD5F76, 00CD5F9C
Feature_, xrefs: 00CD4F77, 00CD5836, 00CD5A2C, 00CD5AB2, 00CD5B38, 00CD5BBE
InstallODBC, xrefs: 00CD52CC, 00CD5352, 00CD53D8
AI_DownloadPrereq, xrefs: 00CD59F3
RegisterProgIdInfo, xrefs: 00CD4FBD
30000, xrefs: 00CD5156, 00CD5812
Component_, xrefs: 00CD4734, 00CD47BA, 00CD4840, 00CD48C6, 00CD494C, 00CD49D2, 00CD4AD5, 00CD4B5B, 00CD4BE1, 00CD4C67, 00CD4D73, 00CD4E76, 00CD50F6, 00CD517C, 00CD5202, 00CD5305, 00CD538B, 00CD5416, 00CD5497, 00CD559A, 00CD5620, 00CD56B5, 00CD572C, 00CD57B2
SelfReg, xrefs: 00CD550A
AI_GxUninstall, xrefs: 00CD5EF9
MsiAssembly, xrefs: 00CD5825
1800, xrefs: 00CD5C1E, 00CD617D
AI_XmlUninstall, xrefs: 00CD616A, 00CD61F0
ServiceInstall, xrefs: 00CD560D
CreateShortcuts, xrefs: 00CD4E3D
SelfRegModules, xrefs: 00CD54E4
ServiceControl, xrefs: 00CD5719
3000, xrefs: 00CD4688, 00CD48A0, 00CD4ED6, 00CD504D, 00CD5471, 00CD5574
20000, xrefs: 00CD5706
DuplicateFiles, xrefs: 00CD4D3A
100, xrefs: 00CD4CC7, 00CD4FD0, 00CD5F0C
CreateFolders, xrefs: 00CD4B22
MoveFile, xrefs: 00CD4BCE
120000, xrefs: 00CD481A
InstallFinalize, xrefs: 00CD5976
Complus, xrefs: 00CD5587
AI_InstallPostPrerequisite, xrefs: 00CD5B85
WriteIniValues, xrefs: 00CD5143
PublishFeatures, xrefs: 00CD587C
3000000, xrefs: 00CD51DC
WriteEnvironmentStrings, xrefs: 00CD51C9
1500000, xrefs: 00CD55FA
1500, xrefs: 00CD4709, 00CD4794, 00CD5C9B, 00CD6203
AI_GxInstall, xrefs: 00CD5D05
Options, xrefs: 00CD5B5F, 00CD5BE0
FileSize, xrefs: 00CD4C8E
AI_InstallPrerequisite, xrefs: 00CD5AFF
Font, xrefs: 00CD5275
AppId, xrefs: 00CD4EE9
100000, xrefs: 00CD5989
RemoveEnvironmentStrings, xrefs: 00CD488D
~, xrefs: 00CD5B69
InstallServices, xrefs: 00CD55E7
Location, xrefs: 00CD5A53, 00CD5AD9
2000, xrefs: 00CD5D18, 00CD5D95, 00CD5E12, 00CD5E8F, 00CD6006, 00CD6083, 00CD6100
AI_UserGroups, xrefs: 00CD5E25, 00CD6019
AI_UninstallAccounts, xrefs: 00CD5D82
PublishComponent, xrefs: 00CD579F
File, xrefs: 00CD49BF, 00CD4C4F
15000, xrefs: 00CD4BBB, 00CD4D4D, 00CD4F53, 00CD5680, 00CD588F
RemoveFiles, xrefs: 00CD4999, 00CD4A1F
ODBCTranslator, xrefs: 00CD5378
AI_ProcessGroups, xrefs: 00CD5FF3
AI_UninstallGroups, xrefs: 00CD5DFF
RegisterClassInfo, xrefs: 00CD4EC3
AI_ProcessTasks, xrefs: 00CD60ED
AI_UninstallTasks, xrefs: 00CD5E7C
UnregisterMIMEInfo, xrefs: 00CD4675
RegisterTypeLibraries, xrefs: 00CD545E
ODBCDataSource, xrefs: 00CD52F2
AI_UserAccounts, xrefs: 00CD5DA8, 00CD6096
AI_ProcessAccounts, xrefs: 00CD6070
RemoveIniFile, xrefs: 00CD4721
12000, xrefs: 00CD4926, 00CD49AC, 00CD4A32, 00CD4AAF, 00CD4B35, 00CD4E50, 00CD52DF, 00CD5365, 00CD53EB
Registry, xrefs: 00CD50E3
MoveFiles, xrefs: 00CD4BA8
Extension, xrefs: 00CD4F66
500, xrefs: 00CD5F89
CreateFolder, xrefs: 00CD4AC2, 00CD4B48
Patch, xrefs: 00CD4CDA
200000, xrefs: 00CD590C
IniFile, xrefs: 00CD47A7, 00CD5169
AI_DefaultActionCost, xrefs: 00CD6370
AI_CountRowAction, xrefs: 00CD62F3
DuplicateFile, xrefs: 00CD4939, 00CD4D60
8000, xrefs: 00CD5262, 00CD54F7
MsiPublishAssemblies, xrefs: 00CD57FF
RegisterExtensionInfo, xrefs: 00CD4F40
AI_ChainProductsPseudo, xrefs: 00CD6276
5000, xrefs: 00CD4DD3
AI_Game, xrefs: 00CD5D2B, 00CD5F1F
StartServices, xrefs: 00CD56F3
InstallInitialize, xrefs: 00CD58F9
RemoveShortcuts, xrefs: 00CD4807
AI_ScheduledTasks, xrefs: 00CD6113
AI_XmlInstall, xrefs: 00CD5C0B, 00CD5C88
PatchFiles, xrefs: 00CD4CB4
MIME, xrefs: 00CD469B, 00CD5060
10000, xrefs: 00CD578C, 00CD6383
AI_XmlAttribute, xrefs: 00CD5CAE, 00CD6211
ProgId, xrefs: 00CD4615, 00CD4FE3
6000, xrefs: 00CD50D0
RegisterMIMEInfo, xrefs: 00CD503A
RemoveFolders, xrefs: 00CD4A9C
TypeLib, xrefs: 00CD5484
AI_PreRequisite, xrefs: 00CD5A19, 00CD5A9F, 00CD5B25, 00CD5BAB
BindImage, xrefs: 00CD4DC0, 00CD4DE6
ODBCDriver, xrefs: 00CD53FE

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$BindImage$Complus$Component_$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveShortcuts$SelfReg$SelfRegModules$ServiceControl$ServiceInstall$Shortcut$StartServices$TypeLib$UnregisterMIMEInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
API String ID: 0-1090619422
Opcode ID: b8b71cf97c56c83c6388ecca6c1f954c2db592b162656e697af312a5d2c20548
Instruction ID: 1fe855bd43e163537e10a0348960c3232762652f9ea13e52aa85677cc1be4dbd
Opcode Fuzzy Hash: b8b71cf97c56c83c6388ecca6c1f954c2db592b162656e697af312a5d2c20548
Instruction Fuzzy Hash: ECE22A10E4D385B9DB07EBF8291AB6D69124FA2724F545389F2912B3C3DAB07B017367

Function 00CFB461 Relevance: 64.6, APIs: 25, Strings: 11, Instructions: 1644memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

VariantClear.OLEAUT32 ref: 00CFB70F
VariantClear.OLEAUT32(?), ref: 00CFB86A
VariantClear.OLEAUT32(?), ref: 00CFB892
VariantClear.OLEAUT32(?), ref: 00CFBA1E
SysAllocString.OLEAUT32(00000000), ref: 00CFBA2F
VariantClear.OLEAUT32(?), ref: 00CFBA79
VariantClear.OLEAUT32(?), ref: 00CFBAA2
SysFreeString.OLEAUT32(00000000), ref: 00CFBAAD
VariantClear.OLEAUT32(?), ref: 00CFBBBB
VariantClear.OLEAUT32(?), ref: 00CFBBEC
VariantClear.OLEAUT32(?), ref: 00CFBC45
VariantClear.OLEAUT32(?), ref: 00CFBCF4
VariantClear.OLEAUT32(?), ref: 00CFB73D

Part of subcall function 00CD92A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,00CD9418,-00000010,?,00000000), ref: 00CD92C3

VariantClear.OLEAUT32(?), ref: 00CFB80E
VariantClear.OLEAUT32(?), ref: 00CFB836
VariantClear.OLEAUT32(?), ref: 00CFBE38
SysAllocString.OLEAUT32(00000000), ref: 00CFBE49
VariantClear.OLEAUT32(?), ref: 00CFBE93
VariantClear.OLEAUT32(?), ref: 00CFBEBC
SysFreeString.OLEAUT32(00000000), ref: 00CFBEC7
VariantClear.OLEAUT32(?), ref: 00CFBFD5
SysAllocString.OLEAUT32(00000000), ref: 00CFBFE2
VariantClear.OLEAUT32(?), ref: 00CFC02A
VariantClear.OLEAUT32(?), ref: 00CFC052
SysFreeString.OLEAUT32(00000000), ref: 00CFC05C

Part of subcall function 00CD9980: RtlAllocateHeap.NTDLL(?,00000000,?,93D979FF,00000000,00EAC6B0,000000FF,?,?,00F8C42C,00000000,00E2ECDB,80004005,93D979FF,?,?), ref: 00CD99CA

Strings

MsiResolveFormatted, xrefs: 00CFC361
MsiGetFormattedError, xrefs: 00CFC817
MsiEvaluateCondition, xrefs: 00CFC298
MessageBox, xrefs: 00CFC685
MsiGetBinaryPath, xrefs: 00CFC42A
GetFontHeight, xrefs: 00CFC8E0
MsiSetProperty, xrefs: 00CFC10D
MsiGetProperty, xrefs: 00CFC1CF
MsiGetBytesCountText, xrefs: 00CFC74E
MsiPublishEvents, xrefs: 00CFC5BC
MsiGetBinaryPathIndirect, xrefs: 00CFC4F3

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ClearVariant$String$AllocFree$HeapInit_thread_footer$AllocateFindProcessResource
String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
API String ID: 3540692479-3153392536
Opcode ID: 7160c97cd18146e083e8ce1d7aa90dae39f03e1ba44dd74bf08b9296613dfb4d
Instruction ID: a0c2201cb982cea636e74437e7c0875f1680614c2c1b2c9de317a5f93f710b17
Opcode Fuzzy Hash: 7160c97cd18146e083e8ce1d7aa90dae39f03e1ba44dd74bf08b9296613dfb4d
Instruction Fuzzy Hash: 4EE28D71D0024DDFDB14DFA8C884BAEBBB4FF48314F208219E519A7391EB74AA45CB91

Function 00CEEAF0 Relevance: 26.1, APIs: 17, Instructions: 608COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00CEEB28
GetWindowLongW.USER32(?,000000EB), ref: 00CEEBA3
ShowWindow.USER32(00000000,?), ref: 00CEEBC2
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00CEEBD0
GetWindowRect.USER32(00000000,?), ref: 00CEEBE7
ShowWindow.USER32(00000000,?), ref: 00CEEC08
SetWindowLongW.USER32(?,000000EB,?), ref: 00CEEC1F

Part of subcall function 00CE8590: RaiseException.KERNEL32(?,?,00000000,00000000,00E2ED87,C000008C,00000001), ref: 00CE859C

GetClientRect.USER32(?,?), ref: 00CEECD8
ShowWindow.USER32(?,?), ref: 00CEED5D
GetWindowLongW.USER32(?,000000EB), ref: 00CEED8C
ShowWindow.USER32(?,?), ref: 00CEEDA9
GetWindowRect.USER32(?,?), ref: 00CEEDCE

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$LongRectShow$Client$ExceptionRaise
String ID:
API String ID: 3804784045-0
Opcode ID: c04eb1937a774b8ceb5bf283d1c715462791b17afe86dc49d8a1b7ed7bcf1338
Instruction ID: 8af06d52ed4a643d9f20931084d7b7aec9421b734e4c4fdcd5c31c5c6697ff87
Opcode Fuzzy Hash: c04eb1937a774b8ceb5bf283d1c715462791b17afe86dc49d8a1b7ed7bcf1338
Instruction Fuzzy Hash: 2F422871A04789DFCB24CFA9D884AAEBBF5FF88300F14456EE459A7260D730AA45CF51

Function 00CF0880 Relevance: 23.4, APIs: 10, Strings: 3, Instructions: 694fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,00000000,?,?,?,00DFB647), ref: 00CF09BF
PathIsUNCW.SHLWAPI(?,*.*,00000000), ref: 00CF0A77
FindFirstFileW.KERNEL32(00000000,00000000,*.*,00000000), ref: 00CF0BCC
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CF0BE6
GetFullPathNameW.KERNEL32(00000000,00000000,?,00000000), ref: 00CF0C19
FindClose.KERNEL32(00000000), ref: 00CF0C88
SetLastError.KERNEL32(0000007B), ref: 00CF0C96
_wcsrchr.LIBVCRUNTIME ref: 00CF0CEC
_wcsrchr.LIBVCRUNTIME ref: 00CF0D0C
PathIsUNCW.SHLWAPI(?,?,93D979FF), ref: 00CF0EE3

Strings

*.*, xrefs: 00CF09EA, 00CF0A47, 00CF0A48, 00CF0DD4
\\?\UNC\, xrefs: 00CF0A97, 00CF0B4E, 00CF0F03, 00CF0FB9
\\?\, xrefs: 00CF0B61, 00CF0BB6, 00CF0FCC, 00CF1020

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Path$Find$CloseFullName_wcsrchr$ErrorFileFirstLast
String ID: *.*$\\?\$\\?\UNC\
API String ID: 1241272779-1700010636
Opcode ID: 7a0565e6295d13985b7dba6115c168b7fcbdc450bb679ca9400bd9690258cd91
Instruction ID: f0ad9340323ce5213141ad8a59971066ca9cda4f6b9e23d8566ea0ea1d3e538c
Opcode Fuzzy Hash: 7a0565e6295d13985b7dba6115c168b7fcbdc450bb679ca9400bd9690258cd91
Instruction Fuzzy Hash: 38420530600609DFDB54DF68C849B7AF7F5FF50714F248268EA25DB292EB71AA40DB81

Function 00CE4BC0 Relevance: 22.9, APIs: 15, Instructions: 390memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE5050: EnterCriticalSection.KERNEL32(00F9957C,93D979FF,00000000,?,?,?,?,?,?,00CE487E,00EAF9CD,000000FF), ref: 00CE508D
Part of subcall function 00CE5050: LoadCursorW.USER32(00000000,00007F00), ref: 00CE5108
Part of subcall function 00CE5050: LoadCursorW.USER32(00000000,00007F00), ref: 00CE51AE

SysFreeString.OLEAUT32(00000000), ref: 00CE4C63
SysAllocString.OLEAUT32(00000000), ref: 00CE4C94
GetWindowLongW.USER32(?,000000EC), ref: 00CE4D6B
GetWindowLongW.USER32(?,000000EC), ref: 00CE4D7B
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CE4D86
NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 00CE4D94
GetWindowLongW.USER32(?,000000EB), ref: 00CE4DA2
SetWindowTextW.USER32(?,00F1446C), ref: 00CE4E41
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00CE4E76
GlobalLock.KERNEL32(00000000), ref: 00CE4E84
GlobalUnlock.KERNEL32(?), ref: 00CE4ED8
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00CE4F63
SysFreeString.OLEAUT32(00000000), ref: 00CE4F7C
NtdllDefWindowProc_W.NTDLL(?,?,?,00000000), ref: 00CE4FC3
SysFreeString.OLEAUT32(00000000), ref: 00CE4FE5

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Long$String$FreeGlobal$AllocCursorLoadNtdllProc_$CriticalEnterLockSectionTextUnlock
String ID:
API String ID: 4180125975-0
Opcode ID: 58408692b4c3e7fb0084c2e4f03e58f8f2f53245a7a8f2cd727df2ed2bfe375e
Instruction ID: 176951c29d1f38072db7dd93d7d96ddad2aeb88a190c64ba734ff9ed4b8b5a5a
Opcode Fuzzy Hash: 58408692b4c3e7fb0084c2e4f03e58f8f2f53245a7a8f2cd727df2ed2bfe375e
Instruction Fuzzy Hash: 53D1FF71A00389EFDB10DFA9CC48BAFBBB8EF45710F144159F821AB291D7759A00DBA1

Function 00DCA2A0 Relevance: 19.7, APIs: 13, Instructions: 155windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001036,00010000,00000000), ref: 00DCA30B
GetParent.USER32(00000000), ref: 00DCA35E
GetWindowRect.USER32(00000000), ref: 00DCA361
GetParent.USER32(00000000), ref: 00DCA370
GetDC.USER32(00000000), ref: 00DCA373
CreateCompatibleDC.GDI32(00000000), ref: 00DCA3A0
CreateCompatibleBitmap.GDI32(00000000), ref: 00DCA3DF
SelectObject.GDI32(?,00000000), ref: 00DCA3F0
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00DCA406

Part of subcall function 00D839A0: IsWindowVisible.USER32(?), ref: 00D83A1A
Part of subcall function 00D839A0: GetWindowRect.USER32(?,?), ref: 00D83A32
Part of subcall function 00D839A0: GetWindowRect.USER32(?,?), ref: 00D83A4A
Part of subcall function 00D839A0: IntersectRect.USER32(?,?,?), ref: 00D83A67
Part of subcall function 00D839A0: EqualRect.USER32(?,?), ref: 00D83A77
Part of subcall function 00D839A0: GetSysColorBrush.USER32(0000000F), ref: 00D83A8D

FillRect.USER32(?,?,00000000), ref: 00DCA41C
DeleteDC.GDI32(?), ref: 00DCA43C
SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 00DCA460
SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 00DCA473

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Rect$Window$MessageSend$CompatibleCreateParent$BitmapBrushColorDeleteEqualFillIntersectObjectPointsSelectVisible
String ID:
API String ID: 2161025992-0
Opcode ID: 6c61ce14a6a20396fd55c8fd8c4536ad61692e7d23e191bb98836c41c4251bee
Instruction ID: 629c7f7d943cde761791abb7fc5c7a05e12b461fae764b7bac09d035de2c5657
Opcode Fuzzy Hash: 6c61ce14a6a20396fd55c8fd8c4536ad61692e7d23e191bb98836c41c4251bee
Instruction Fuzzy Hash: BB514671D14748ABDB11DFA8CD45BDEBBF8EF59710F14431AE805A7290EB706A80CB60

Function 00DCAA20 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 373windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00DCACDA
RedrawWindow.USER32(?,00000000,00000000,00000541), ref: 00DCACEC
SendMessageW.USER32(?,00000443,00000000), ref: 00DCAD44
GetDC.USER32(00000000), ref: 00DCAD68
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DCAD73
MulDiv.KERNEL32(?,00000000), ref: 00DCAD7B
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 00DCADA0

Strings

NumberValidationTipTitle, xrefs: 00DCAA94
NumberValidationTipMsg, xrefs: 00DCABA1
Segoe UI, xrefs: 00DCAD52

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$CapsCreateDeviceFontMessageRedrawSend
String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
API String ID: 367477953-2319862951
Opcode ID: aa6b40eca438ad560294f30c6f52d0795c1f6115597fba21869d9e413aa3a431
Instruction ID: 748357e54a6be0ad5df39decf1447c8e30065039ff00436d40a47f616d49e296
Opcode Fuzzy Hash: aa6b40eca438ad560294f30c6f52d0795c1f6115597fba21869d9e413aa3a431
Instruction Fuzzy Hash: A8E1DD70A007099FEB14DF68CC49BEEB7B1EF88304F008259E559A72D1DB746A45CFA1

Function 00CE44A0 Relevance: 16.9, APIs: 11, Instructions: 417nativememoryCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00CE46CB
GetWindowLongW.USER32(00000000,000000EC), ref: 00CE46DB
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 00CE46E6
NtdllDefWindowProc_W.NTDLL(00000000,00000000,00000001,?), ref: 00CE46F4
GetWindowLongW.USER32(00000000,000000EB), ref: 00CE4702
SetWindowTextW.USER32(00000000,00F1446C), ref: 00CE47A1
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00CE47D6
GlobalLock.KERNEL32(00000000), ref: 00CE47E4
GlobalUnlock.KERNEL32(?), ref: 00CE4838
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00CE489D
NtdllDefWindowProc_W.NTDLL(00000000,00000000,93D979FF,00000000), ref: 00CE48EF

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Long$Global$NtdllProc_$AllocLockTextUnlock
String ID:
API String ID: 3555041256-0
Opcode ID: 25f7a4fe78f0e3745c03b71f30e67980a6857c1a14d5905c725d3ffa3a12e000
Instruction ID: 69f9759c729f52d60ff2e65fb02d790ab4c96b178b48ca3bda62c89f703498c7
Opcode Fuzzy Hash: 25f7a4fe78f0e3745c03b71f30e67980a6857c1a14d5905c725d3ffa3a12e000
Instruction Fuzzy Hash: 7DE1E571A013859FDB24EFA9CC49BAFBBA8EF45314F140129F925E7291DB34DA00DB90

Function 00DD2AF0 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 248fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000), ref: 00DD2BDF
CloseHandle.KERNEL32(00000000), ref: 00DD2C07
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?), ref: 00DD2C49
CloseHandle.KERNEL32(?), ref: 00DD2C9E
ShellExecuteExW.SHELL32 ref: 00DD2D33

Strings

.bat, xrefs: 00DD2B3E
EXE, xrefs: 00DD2B43
open, xrefs: 00DD2CC8
runas, xrefs: 00DD2D1B

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CloseFileHandle$CreateExecuteShellWrite
String ID: .bat$EXE$open$runas
API String ID: 548387358-1492471297
Opcode ID: 356417a21a7a6b7cce4054a051de0563856a7960ce00ff689ce7a41a73f9408c
Instruction ID: d6aa9d5c399ed72b5a6e7475af55f8eb26cf6cab1f503c25071bfaf91d4a2879
Opcode Fuzzy Hash: 356417a21a7a6b7cce4054a051de0563856a7960ce00ff689ce7a41a73f9408c
Instruction Fuzzy Hash: E3A18C70901648DBDB10CFA8CD48BADBBB5FF55314F28829AE415AB391DBB09D04CFA0

Function 00CFC116 Relevance: 13.1, Strings: 10, Instructions: 592COMMON

Download Yara Rule

Strings

MsiResolveFormatted, xrefs: 00CFC361
MsiGetFormattedError, xrefs: 00CFC817
MsiEvaluateCondition, xrefs: 00CFC298
MessageBox, xrefs: 00CFC685
MsiGetBinaryPath, xrefs: 00CFC42A
GetFontHeight, xrefs: 00CFC8E0
MsiGetProperty, xrefs: 00CFC1CF
MsiGetBytesCountText, xrefs: 00CFC74E
MsiPublishEvents, xrefs: 00CFC5BC
MsiGetBinaryPathIndirect, xrefs: 00CFC4F3

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted
API String ID: 0-2027876840
Opcode ID: 6e2ec3be178dee2850feba1d737a58c78f80f19bfd05817addd735158babf9e9
Instruction ID: 176f071c621b11e67f675a546144f53f03588036331e6c572b800a0812640384
Opcode Fuzzy Hash: 6e2ec3be178dee2850feba1d737a58c78f80f19bfd05817addd735158babf9e9
Instruction Fuzzy Hash: E0422BB1D1024D8FDB14DFA8C885BEEBBB1FF48314F20821AE119AB791E7746685CB45

Function 00CFC127 Relevance: 13.1, Strings: 10, Instructions: 591COMMON

Download Yara Rule

Strings

MsiResolveFormatted, xrefs: 00CFC361
MsiGetFormattedError, xrefs: 00CFC817
MsiEvaluateCondition, xrefs: 00CFC298
MessageBox, xrefs: 00CFC685
MsiGetBinaryPath, xrefs: 00CFC42A
GetFontHeight, xrefs: 00CFC8E0
MsiGetProperty, xrefs: 00CFC1CF
MsiGetBytesCountText, xrefs: 00CFC74E
MsiPublishEvents, xrefs: 00CFC5BC
MsiGetBinaryPathIndirect, xrefs: 00CFC4F3

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted
API String ID: 0-2027876840
Opcode ID: e132f93513767255951fe502958a97f1b00091e95989aa297e5914c932da11fd
Instruction ID: 8246359e25c41f27f8dca9c9c8b2546ddcb92377ee88f567c3ce7b1e8f1ecad8
Opcode Fuzzy Hash: e132f93513767255951fe502958a97f1b00091e95989aa297e5914c932da11fd
Instruction Fuzzy Hash: F5423CB1D1024D8FDB14DFA4C885BEEBBB1FF49314F20821AE119AB790E7746685CB45

Function 00E19310 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 410COMMON

Download Yara Rule

APIs

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

_wcsrchr.LIBVCRUNTIME ref: 00E1949D
_wcsrchr.LIBVCRUNTIME ref: 00E194C5
GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 00E1951E
GetDriveTypeW.KERNEL32(?), ref: 00E1953A
Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00E195C1
Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00E19821

Strings

]%!, xrefs: 00E194B9

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Wow64$DriveInit_thread_footerRedirection_wcsrchr$DisableHeapLogicalProcessRevertStringsType
String ID: ]%!
API String ID: 139206881-1069524040
Opcode ID: 0231689e5f51d4c0cd9077067bf57c636a108146a551843f0aa3abe073f24de1
Instruction ID: c164a5219f0cde16f51619bc2efd8878766cb67d6a8ea5c82d688fc3685a375e
Opcode Fuzzy Hash: 0231689e5f51d4c0cd9077067bf57c636a108146a551843f0aa3abe073f24de1
Instruction Fuzzy Hash: 2FF1A071900259CBDB24DF68C858BEDF7B5AF05314F1482E9E51AB7292EB709E84CF90

Function 6CAB9FE7 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 6CABA1CB

Strings

1#INF, xrefs: 6CABA11D
1#IND, xrefs: 6CABA0EC
1#SNAN, xrefs: 6CABA0F3
1#QNAN, xrefs: 6CABA0FA

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 989d6a59c8dd288404ca09fd2725fc0765030d9870124b72560a245a415db3e4
Instruction ID: c85c8c99ce8c1eb2a06af606a2ada32a74a89880a774399b155f8e24dfb25cb4
Opcode Fuzzy Hash: 989d6a59c8dd288404ca09fd2725fc0765030d9870124b72560a245a415db3e4
Instruction Fuzzy Hash: F4D22871E092298FDB25CE28DD807DAB7BAEB45308F1442EAD40DE7640E775AEC58F41

Function 00EA7AA7 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00EA7C8B

Strings

1#SNAN, xrefs: 00EA7BB3
1#IND, xrefs: 00EA7BAC
1#INF, xrefs: 00EA7BDD
1#QNAN, xrefs: 00EA7BBA

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ef8aa1d5c53ac9eb3ab6e56909de42baab40e094b338e76cbfd5a3ccb7f17364
Instruction ID: 77294865e4c28c70c8f08103904da068466107fc5c8157881b27b99a3a64141c
Opcode Fuzzy Hash: ef8aa1d5c53ac9eb3ab6e56909de42baab40e094b338e76cbfd5a3ccb7f17364
Instruction Fuzzy Hash: 51D23971E086298FDB65CE28CD407EAB7B5EB49304F1455EAD44DFB240EB78AE818F41

Function 00E841D9 Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00E840F5,00000000,?,00E8428D,?,?,?,?,?,?,?), ref: 00E841DB
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,00E8428D,?,?,?,?,?,?,?), ref: 00E84202
HeapAlloc.KERNEL32(00000000,?,00E8428D,?,?,?,?,?,?,?), ref: 00E84209
InitializeSListHead.KERNEL32(00000000,?,00E8428D,?,?,?,?,?,?,?), ref: 00E84216
GetProcessHeap.KERNEL32(00000000,00000000,?,00E8428D,?,?,?,?,?,?,?), ref: 00E8422B
HeapFree.KERNEL32(00000000,?,00E8428D,?,?,?,?,?,?,?), ref: 00E84232

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 1c9f44c46957de56228815164974e03889e5cbe904e559077a445ebc36a0d14b
Instruction ID: 0a5bb2eed6c4cd94efa09bb801f8e81b5fcb0467a3308fcf1714c7acc13505c8
Opcode Fuzzy Hash: 1c9f44c46957de56228815164974e03889e5cbe904e559077a445ebc36a0d14b
Instruction Fuzzy Hash: E1F068756593069BD7106F799C08B1677F8FB98716F004429F54AE32A0EB70D401E760

Function 6CAB9A9E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,6CAB9DBC,00000002,00000000,?,?,?,6CAB9DBC,?,00000000), ref: 6CAB9B37
GetLocaleInfoW.KERNEL32(00000000,20001004,6CAB9DBC,00000002,00000000,?,?,?,6CAB9DBC,?,00000000), ref: 6CAB9B60
GetACP.KERNEL32(?,?,6CAB9DBC,?,00000000), ref: 6CAB9B75

Strings

ACP, xrefs: 6CAB9ABC
OCP, xrefs: 6CAB9AF2

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: f42a8e2ed965549c81119b06f4e78d43843d4f67e2002a7a3303cff25ca36e3c
Instruction ID: 676b18308aab7e9151ee6d24d609b258494dbb7d25dcb9bfe2e6d3a7a2399490
Opcode Fuzzy Hash: f42a8e2ed965549c81119b06f4e78d43843d4f67e2002a7a3303cff25ca36e3c
Instruction Fuzzy Hash: 0521D831714105AAD7149F75CB41A8773BEEF60B58B2E8528E905F7905E732DEC1C750

Function 00DEA850 Relevance: 7.7, APIs: 5, Instructions: 209COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00DEA8A8

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$HeapProcess_wcsrchr
String ID:
API String ID: 3663133277-0
Opcode ID: 929262975a06a006de2de559021f751c89b2e95bbc1bcbfd28277fb87c42a1d2
Instruction ID: 42acfd287e8c429af100acfd32313c0e8a223660cd629dd262cbde4738fac5ef
Opcode Fuzzy Hash: 929262975a06a006de2de559021f751c89b2e95bbc1bcbfd28277fb87c42a1d2
Instruction Fuzzy Hash: 3361E571A0068A9BDB10EF69CD44BAEB7F4FF45324F14422EE815D72C1D774A904CB61

Function 6CAB9C73 Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 6CAAE502: GetLastError.KERNEL32(?,00000008,6CAB68CD), ref: 6CAAE506
Part of subcall function 6CAAE502: SetLastError.KERNEL32(00000000,00000001,FFFFFFFF,000000FF), ref: 6CAAE5A8

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6CAB9D7F
IsValidCodePage.KERNEL32(00000000), ref: 6CAB9DC8
IsValidLocale.KERNEL32(?,00000001), ref: 6CAB9DD7
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6CAB9E1F
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6CAB9E3E

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: f92f1e5bbb5c775c6c57e36d0a380581a00635f319f9bdffbaaf47fe866530ce
Instruction ID: f3ac727d53af7fed4a22e56c8a6a733589c73532d8bba2daa8e49cc1cd9e4890
Opcode Fuzzy Hash: f92f1e5bbb5c775c6c57e36d0a380581a00635f319f9bdffbaaf47fe866530ce
Instruction Fuzzy Hash: 8F519071A01206AFEF00DFB5CE40AEA77BCBF69305F144529A914F7550E770A989CB61

Function 00E9CBBA Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E9CC47

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: fcc137dfe0708e1f7a0708534d1b12ff6f576f64afdac42b5cb573f5b23bebeb
Instruction ID: 0a877d4e30d87dd4dcfb8886a32a8776e7bd2ea1d3d46d09dbbe21f38b973bec
Opcode Fuzzy Hash: fcc137dfe0708e1f7a0708534d1b12ff6f576f64afdac42b5cb573f5b23bebeb
Instruction Fuzzy Hash: DDB146729042499FDF15EF68C8817FEBFE5EF59304F24916AE905BB242D2349D01CBA0

Function 00E1A4B0 Relevance: 6.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842607414c6606cc414fb8bfe057da5500a86f4dd07f79b439b8e823723f4773
Instruction ID: 0083260e25e4a3ca219abfb6b4eb473fdb9740fc07f0b4e440abab91aa931d3b
Opcode Fuzzy Hash: 842607414c6606cc414fb8bfe057da5500a86f4dd07f79b439b8e823723f4773
Instruction Fuzzy Hash: 9081A070906218DFDB50DF28CC4DBA9B7B4EF45314F1882E9E818A7292DB709E84CF91

Function 00CF2390 Relevance: 6.1, APIs: 4, Instructions: 87timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(00000003,00000001,93D979FF,?,?,?,?,00EB1D64,000000FF), ref: 00CF23D1
GetWindowLongW.USER32(00000003,000000FC), ref: 00CF23E6
SetWindowLongW.USER32(00000003,000000FC,?), ref: 00CF23F8
DeleteCriticalSection.KERNEL32(?,93D979FF,?,?,?,?,00EB1D64,000000FF), ref: 00CF2423

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: LongWindow$CriticalDeleteKillSectionTimer
String ID:
API String ID: 1032004442-0
Opcode ID: 345cd71c5926ab109c3099762d849139cd7072c3f042d0a0321bca921cfbda59
Instruction ID: 0730df00e9fd2ff8fd51e15f867e9988adfebd82d5b35f289c7c27eed7aca3bd
Opcode Fuzzy Hash: 345cd71c5926ab109c3099762d849139cd7072c3f042d0a0321bca921cfbda59
Instruction Fuzzy Hash: 8631907150474AABCB11DF28DC04B99BFF4FF05310F148259E928A36D1D7B5EA10EB90

Function 00CFDAC0 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 656COMMON

Download Yara Rule

APIs

Part of subcall function 00E84BA2: EnterCriticalSection.KERNEL32(00F97FD8,?,93D979FF,?,00CD9D66,00F98C04,93D979FF,93D979FF,?,00EACC0D,000000FF,?,00E2EBD6,93D979FF,?,?), ref: 00E84BAD
Part of subcall function 00E84BA2: LeaveCriticalSection.KERNEL32(00F97FD8,?,00CD9D66,00F98C04,93D979FF,93D979FF,?,00EACC0D,000000FF,?,00E2EBD6,93D979FF,?,?,00000000), ref: 00E84BEA

__Init_thread_footer.LIBCMT ref: 00CFDB5E

Part of subcall function 00E84B58: EnterCriticalSection.KERNEL32(00F97FD8,93D979FF,?,00CD9DD7,00F98C04,00F07520), ref: 00E84B62
Part of subcall function 00E84B58: LeaveCriticalSection.KERNEL32(00F97FD8,?,00CD9DD7,00F98C04,00F07520), ref: 00E84B95
Part of subcall function 00E84B58: RtlWakeAllConditionVariable.NTDLL ref: 00E84C0C

Strings

AiFeatIco, xrefs: 00CFDE4B
Icon, xrefs: 00CFDF23

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: AiFeatIco$Icon
API String ID: 2296764815-1280411655
Opcode ID: 93a8cc3501c15bf1714a31b16e049cde68eca8c8f266279b5dbaddc61beb27d1
Instruction ID: f9c0cb34bb279e7ffb4909f117bd4b2bdecb3933fc77bbd9087049b162199014
Opcode Fuzzy Hash: 93a8cc3501c15bf1714a31b16e049cde68eca8c8f266279b5dbaddc61beb27d1
Instruction Fuzzy Hash: 39528870A00658DFDB24DF68CC88BEDBBB1BB49304F104299E519AB391DB706E84DF91

Function 00CF4200 Relevance: 5.7, Strings: 4, Instructions: 720COMMON

Download Yara Rule

Strings

AI_CONTROL_VISUAL_STYLE_EX, xrefs: 00CF46F2
AI_NO_BORDER_HOVER, xrefs: 00CF43CF
AI_NO_BORDER_NORMAL, xrefs: 00CF430E
AI_CONTROL_VISUAL_STYLE, xrefs: 00CF426E

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
API String ID: 0-932585912
Opcode ID: 32869af93c2add7d7af5ca61670f6a45f9959fde86d32d5e43aeefbf3ae94cc7
Instruction ID: 49abf634c7746fc153286a8c454d626468b85aead057e866ea0478f5ab38e8e0
Opcode Fuzzy Hash: 32869af93c2add7d7af5ca61670f6a45f9959fde86d32d5e43aeefbf3ae94cc7
Instruction Fuzzy Hash: 3642E271D002188BDF18DF68CC94BAEBBF1FF85300F148259E555AB391D778AA05CBA2

Function 00E1A8B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?), ref: 00E1A96C
FindClose.KERNEL32(00000000), ref: 00E1AAB7

Part of subcall function 00CD9980: RtlAllocateHeap.NTDLL(?,00000000,?,93D979FF,00000000,00EAC6B0,000000FF,?,?,00F8C42C,00000000,00E2ECDB,80004005,93D979FF,?,?), ref: 00CD99CA

Strings

%d.%d.%d.%d, xrefs: 00E1AA49

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID: %d.%d.%d.%d
API String ID: 1673784098-3491811756
Opcode ID: 939921181fff24a9594687e62b9e0a5ebcfde664fe22374fcbe66f222dd80edd
Instruction ID: 5c8dfae1927b1fba0f35f6f54c3c321f3af103a57091aff472f39f0e8f2615ad
Opcode Fuzzy Hash: 939921181fff24a9594687e62b9e0a5ebcfde664fe22374fcbe66f222dd80edd
Instruction Fuzzy Hash: 07617F70905219DFDF20DF28CD48BADBBB4EF44314F1482A9E918AB291DB759A84CF81

Function 00CF8080 Relevance: 5.4, Strings: 4, Instructions: 371COMMON

Download Yara Rule

Strings

OldProductCode, xrefs: 00CF8460
MultipleInstancesProps, xrefs: 00CF829D
MultipleInstances, xrefs: 00CF81B9
ProductCode, xrefs: 00CF83F0

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: MultipleInstances$MultipleInstancesProps$OldProductCode$ProductCode
API String ID: 0-469785651
Opcode ID: 134b32b48e518f0f830ad4795373dd60f0b204d292ac389bab4cc3f7e75a3352
Instruction ID: 056d66b9165f5c171baccdd9edfe3eade28dbae5d6843b04524f7ae32d94456e
Opcode Fuzzy Hash: 134b32b48e518f0f830ad4795373dd60f0b204d292ac389bab4cc3f7e75a3352
Instruction Fuzzy Hash: 66D12635A00209CBDB58DF18C851BBEB7B1FF54704F24865DDA12AB391EB30AE49CB91

Function 00E130D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

GetLocaleInfoW.KERNEL32(?,00000002,00F1446C,00000000), ref: 00E13141
GetLocaleInfoW.KERNEL32(?,00000002,00E12CC5,-00000001,00000078,-00000001), ref: 00E1317D

Strings

%d-%s, xrefs: 00E13187

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: InfoInit_thread_footerLocale$HeapProcess
String ID: %d-%s
API String ID: 1688948774-1781338863
Opcode ID: 083b9ebf8ee9693b0391a636740344371a69ddf1b04c8f63dd798adea75d96b9
Instruction ID: 615451fc2d995055e995030bf3b96e3b47e5a847db88e36c90ceb401bdb79c1c
Opcode Fuzzy Hash: 083b9ebf8ee9693b0391a636740344371a69ddf1b04c8f63dd798adea75d96b9
Instruction Fuzzy Hash: C5316B71A0120AABDB00DFA8CC49BAEFBB8FF44714F10856DF515A72D1DB759904DB90

Function 00E819D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00E81916,0000001C,00E81B0B,00000000,?,?,?,?,?,?,?,00E81916,00000004,00F97A44,00E81B9B), ref: 00E819E2
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00E81916,00000004,00F97A44,00E81B9B), ref: 00E819FD

Strings

D, xrefs: 00E819F1

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: acf7c47d5dc259ac3ac96dff70868e2f9864c707d52e22797304fb548599c25d
Instruction ID: 0459ccc76fe57d8d018224d63ab1db9c93aaca0f06f34bd0ad79bbbf77c9fa95
Opcode Fuzzy Hash: acf7c47d5dc259ac3ac96dff70868e2f9864c707d52e22797304fb548599c25d
Instruction Fuzzy Hash: 6301D4326001096BCB14EE29CC05BEE7BA9AFC4328F0CC265ED5DE7155EA74D8028780

Function 00CEE6B0 Relevance: 4.6, APIs: 3, Instructions: 93COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 00CEE6FE
GetWindowLongW.USER32(00000004,000000FC), ref: 00CEE717
SetWindowLongW.USER32(00000004,000000FC,?), ref: 00CEE729

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 10d1f79a4a30186364e90962fec261c2e1769d3364947f6c95f867ecd67b74af
Instruction ID: 8929fbb545481ed8dce4e42ae8412e5d8441e6d94d1e8976b0455e218658ead7
Opcode Fuzzy Hash: 10d1f79a4a30186364e90962fec261c2e1769d3364947f6c95f867ecd67b74af
Instruction Fuzzy Hash: B2417CB0604B86EFDB10DF69C908B5AFBE4FF05354F104269E428D7A90D776E924DB90

Function 6CAA4963 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 6CAA4A5B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 6CAA4A65
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000001), ref: 6CAA4A72

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6db87635e751b05b9720cca5b638162f75a9602ae3a491e0e04b69840d159ec5
Instruction ID: 34b4a5145f1529b39d3c87bbcdf40444c7600d0d1bd8a0d5d3f4d6d30455e279
Opcode Fuzzy Hash: 6db87635e751b05b9720cca5b638162f75a9602ae3a491e0e04b69840d159ec5
Instruction Fuzzy Hash: 5E31C67490122D9BCB21DF64D9887DCBBB8BF08314F5082DAE41DA7250EB709BC68F44

Function 00E89913 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00E89A0B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00E89A15
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00E89A22

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 99706ca3b76c55d4872c3fec8f75d66d471de7156905e45bbaf5282b1c6de5cc
Instruction ID: 0a9b26a802d9ec3799941470ef4bb83486dca6719e2e3a250e7088e60829405c
Opcode Fuzzy Hash: 99706ca3b76c55d4872c3fec8f75d66d471de7156905e45bbaf5282b1c6de5cc
Instruction Fuzzy Hash: C031C275901228ABCB21EF28D9887DCBBF4BF08310F5051EAE41CA7261EB709F819F45

Function 00CD9160 Relevance: 4.6, APIs: 3, Instructions: 65COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,93D979FF,00000001,00000000,?,00000000,00EAC480,000000FF,?,00CD910C,?,?,00CD92B0,00000000,00000000), ref: 00CD918B
LockResource.KERNEL32(00000000,?,00CD910C,?,?,00CD92B0,00000000,00000000,00000000,00CD9418,-00000010,?,00000000), ref: 00CD9196
SizeofResource.KERNEL32(00000000,00000000,?,00CD910C,?,?,00CD92B0,00000000,00000000,00000000,00CD9418,-00000010,?,00000000), ref: 00CD91A4

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 6588755dc1f6a37e3fb3147462252b764b684760b150981807607748f81c903f
Instruction ID: 53e2168bf54fc94604a5257c202918c08477e2da5d915a3a7f22d31bf1c9ac58
Opcode Fuzzy Hash: 6588755dc1f6a37e3fb3147462252b764b684760b150981807607748f81c903f
Instruction Fuzzy Hash: 5311E73AA046559BC7208F69DC44B7AF7ECF789720F004A2BED1AD3350E6759D008690

Function 00CE7190 Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(0000001B,000000FC), ref: 00CE71A9
SetWindowLongW.USER32(0000001B,000000FC,?), ref: 00CE71B7
DestroyWindow.USER32(0000001B), ref: 00CE71E3

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Long$Destroy
String ID:
API String ID: 3055081903-0
Opcode ID: 64b084f223e43721941790302b72ccae53b95af04acc2cd864f585422e6d5743
Instruction ID: de74d841fcdaf5e631f272d46518103c85f8315cfa61ad1ed6b9b5369bdb99f2
Opcode Fuzzy Hash: 64b084f223e43721941790302b72ccae53b95af04acc2cd864f585422e6d5743
Instruction Fuzzy Hash: BBF03A3100CF169BDB606F28ED05B86BBE0FF04721B108B5DE4BA825F0CB31A944EB00

Function 00E94860 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21bf8dacb9574699bfbd8f59c451f84edf4308d2cc6cd49f963e3ae839cbb09e
Instruction ID: 81b1f614e6c94684614beccb6d2486c2e18c296ff154f37d4e28cf5d89778ad0
Opcode Fuzzy Hash: 21bf8dacb9574699bfbd8f59c451f84edf4308d2cc6cd49f963e3ae839cbb09e
Instruction Fuzzy Hash: A9F12EB1E012199FDF14CF69D880AADF7F1EF88324F159269E815BB384D730AD428B94

Function 00CFF4E0 Relevance: 3.3, APIs: 2, Instructions: 257windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000102B,00000000,00000001), ref: 00CFF60B
SendMessageW.USER32(?,0000102B,?,-00000002), ref: 00CFF7F5

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f39b26467978861e7ca20af7c0595e600e1ad1d6cd0b37f3123d9d8deac31e3f
Instruction ID: 1bb4b37e28cd85250e8a49b4df63d3a166593ceaad7151232ac703e762e51691
Opcode Fuzzy Hash: f39b26467978861e7ca20af7c0595e600e1ad1d6cd0b37f3123d9d8deac31e3f
Instruction Fuzzy Hash: 15B1E171A0020A9FCB58DF24C995BB9FBF5FF05304F14826AE569DB291D730EA41CB91

Function 00DEE5B0 Relevance: 3.1, APIs: 2, Instructions: 134windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,93D979FF,?,00000000), ref: 00DEE5FB
GetLastError.KERNEL32(?,00000000), ref: 00DEE605

Part of subcall function 00CD9980: RtlAllocateHeap.NTDLL(?,00000000,?,93D979FF,00000000,00EAC6B0,000000FF,?,?,00F8C42C,00000000,00E2ECDB,80004005,93D979FF,?,?), ref: 00CD99CA

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AllocateErrorFormatHeapLastMessage
String ID:
API String ID: 4114510652-0
Opcode ID: 5cd7f985335e3566b254f460ceec20ae92993f65188bc6c7bb79ad7dad9bcabe
Instruction ID: 75cba9342f5d5ee700686f373568a21ddd0dac9915569da9b7ddc9242da58b13
Opcode Fuzzy Hash: 5cd7f985335e3566b254f460ceec20ae92993f65188bc6c7bb79ad7dad9bcabe
Instruction Fuzzy Hash: 9741E271A012599FDB14DFA9C8057AEFBF4EF44714F18066EE909EB381D7B55D008BA0

Function 00D410D0 Relevance: 3.1, APIs: 2, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 00D4113F
SetWindowLongW.USER32(00000000,000000FC,?), ref: 00D4114D

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2ee930346b619504dfe90945d5bcfe36017d9be082f4637ac6fcdedaeace6194
Instruction ID: 1d203e72815592026ada15b7b5e6061936a1ebf7e31a54b0c0ea9c459ae024d3
Opcode Fuzzy Hash: 2ee930346b619504dfe90945d5bcfe36017d9be082f4637ac6fcdedaeace6194
Instruction Fuzzy Hash: 9A316B7590470AEFCB10EF69C944B9AFBF4FF05320F144269E824A76E0D731AA54CBA0

Function 00D0D8C0 Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 00D0D8C5
SetUnhandledExceptionFilter.KERNEL32(Function_0011A060), ref: 00D0D8DB

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: c1baa7bad3f3c04b016838b87bc06daebf2d16e595b94ee7f8c8a4719232b40b
Instruction ID: e7356d5bb03446f00e2605501b514526a68d845f60d23630b4be27eff4f32572
Opcode Fuzzy Hash: c1baa7bad3f3c04b016838b87bc06daebf2d16e595b94ee7f8c8a4719232b40b
Instruction Fuzzy Hash: FFD0126094C2899ED706A76C9C1A7543FE1BB50718F05815BD44E011E2EBE1A948F733

Function 00E9F711 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E9F70C,?,?,00000008,?,?,00EAA8F4,00000000), ref: 00E9F93E

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 47f68593e728eed8a536ef931e2ee43430c7d82d3ca61c6b6dfacb07b9694997
Instruction ID: 6a46547e3fffa273afbc44eb52d1c8e92dabaeb77a23d6e062f6716e80709602
Opcode Fuzzy Hash: 47f68593e728eed8a536ef931e2ee43430c7d82d3ca61c6b6dfacb07b9694997
Instruction Fuzzy Hash: 64B15F31620604DFDB29CF28C486BA57BE0FF45369F259668E899DF2A1C335E991CB40

Function 00D445B0 Relevance: 1.8, Strings: 1, Instructions: 521COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 00D44795, 00D44982

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ExceptionRaise__floor_pentium4
String ID: unordered_map/set too long
API String ID: 996205981-306623848
Opcode ID: 01bf9a40d089fac053a733035fc544e207d73d59f788995dcd2af5366203e1ca
Instruction ID: acc3a3e062e239d44b45d95aa2e9f46f74a7cb82c47055513a52462b0ffb31a1
Opcode Fuzzy Hash: 01bf9a40d089fac053a733035fc544e207d73d59f788995dcd2af5366203e1ca
Instruction Fuzzy Hash: 7412B171A002099FCB15DF68C881BADB7F5FF48310F14826AE859EB391D731E991CBA0

Function 6CAB6B85 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e399c7175687e1fd9ee9aeb15eb2dba532052890912f0d454230b896b202f4
Instruction ID: d88d94528aa5713c8347c45ec551ccf8358e926d9d1f05645fa9a94bfb4f293b
Opcode Fuzzy Hash: e4e399c7175687e1fd9ee9aeb15eb2dba532052890912f0d454230b896b202f4
Instruction Fuzzy Hash: 4741A2B5805219AEDB149F69CC88AEABBBDEB45304F1842D9E418E3700DA319A858F50

Function 6CAA788C Relevance: 1.6, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

0, xrefs: 6CAA7A1A

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 572964f219ed0248d18588d2585952b57359d40198ee0f026e579b24785c9fd9
Instruction ID: c70e5372841b0c5cdd62b8f63301d019cbbc5e5de28bcf5d7fdea1e4b7926f3a
Opcode Fuzzy Hash: 572964f219ed0248d18588d2585952b57359d40198ee0f026e579b24785c9fd9
Instruction Fuzzy Hash: 16C1F27060064A8FCB54CFE8C590BABB7B1AB09318F28465ED462D7B95D731E9CBCB40

Function 6CAB9975 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 6CAAE502: GetLastError.KERNEL32(?,00000008,6CAB68CD), ref: 6CAAE506
Part of subcall function 6CAAE502: SetLastError.KERNEL32(00000000,00000001,FFFFFFFF,000000FF), ref: 6CAAE5A8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6CAB99C9

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: e552c7b89ea15153e3256567c892bb1572fcaff2fe0267070506fa3354aa9021
Instruction ID: 057609df377171e301c775d94496cc85169670d55e101730bd016c54d866da6c
Opcode Fuzzy Hash: e552c7b89ea15153e3256567c892bb1572fcaff2fe0267070506fa3354aa9021
Instruction Fuzzy Hash: CC21F57161420AABDB189B69DE41ABA33BCEF55318F14407EE901E7641EB34E98AC750

Function 00DEABE0 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc5e14b88664240822d97892e2775d3a81aab57df606a82bef13bcfaa3846b6
Instruction ID: adb970c9adf1b43cd9eb0edfc9ef2336a8d96ea50e3c82832538c0110c2252ea
Opcode Fuzzy Hash: 5fc5e14b88664240822d97892e2775d3a81aab57df606a82bef13bcfaa3846b6
Instruction Fuzzy Hash: EE31EF3150128A9FCB24EF69CC55BEDB7B4FF44320F144269E829672D1EB706A04CB61

Function 6CAB9BA4 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 6CAAE502: GetLastError.KERNEL32(?,00000008,6CAB68CD), ref: 6CAAE506
Part of subcall function 6CAAE502: SetLastError.KERNEL32(00000000,00000001,FFFFFFFF,000000FF), ref: 6CAAE5A8

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6CAB993E,00000000,00000000,?), ref: 6CAB9BD0

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 1b0ad11b50b6d2274051107659a115a3b24904fbf2bb7ad2d3d30bff5f91353c
Instruction ID: 629be7248911f2c242121e6ca9e387d117faa4c895c7a35e74772e83de8b21b4
Opcode Fuzzy Hash: 1b0ad11b50b6d2274051107659a115a3b24904fbf2bb7ad2d3d30bff5f91353c
Instruction Fuzzy Hash: A8F0D6366402166FDB184635CE05BAA37BCEB51358F240829DD16B3540EA74FA81C590

Function 00CF7AC0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,00CF60F7,?,?,?,?,?,?,?,?,00CF5F68,?,?), ref: 00CF7B10

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 2a2dea8185896eedbf656132054a5d764c81310e0bea4efcdb91da6d9aea3a87
Instruction ID: c21577edd4913f6e602f5329ce165727788197a7149baa526be99d1b8b471198
Opcode Fuzzy Hash: 2a2dea8185896eedbf656132054a5d764c81310e0bea4efcdb91da6d9aea3a87
Instruction Fuzzy Hash: 7CF05E7000C145DFD3529B14D858BB9BBA6FB46305F4546E5E264C5460C2358E44DA12

Function 6CAB1A87 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,6CAAFAAB,?,20001004,00000000,00000002,?,?,6CAAF0AD), ref: 6CAB1ABB

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 68cd248a2f6649f1027232f3b2462953f8b9bd31869b9efafe27a906d2a55577
Instruction ID: e5265c4573566210ded001bcd5a26bbc0d9e4092a4e012dc83a4925115f889e1
Opcode Fuzzy Hash: 68cd248a2f6649f1027232f3b2462953f8b9bd31869b9efafe27a906d2a55577
Instruction Fuzzy Hash: B2E04F3664121DFBCF025F61DD44AEE3E29EF45750F048414FE0575610CB76E961AAD4

Function 6CAB3B89 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7f4e71e3aa52be8bcaba12987a9880ba87cfca8b444a77e18a8ff41fafc360
Instruction ID: 5f50f561f10ad0d1af22f0bf355129d7703fe223ce38e6e22417daa77064f638
Opcode Fuzzy Hash: ca7f4e71e3aa52be8bcaba12987a9880ba87cfca8b444a77e18a8ff41fafc360
Instruction Fuzzy Hash: 81322631E69F424DDB239535C822325A26CAFB73C8F19D727E82AB5E95EB39D4C34140

Function 00EA1639 Relevance: .6, Instructions: 637COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b754c932297aaa1fa271acf6b91787e57df27b5f4d4f345c00da7453d4129ffa
Instruction ID: cc1701063b39a8a64ee8d2ceb82d2c8fdbfdf42e87a97e2c72b80e33ef725f67
Opcode Fuzzy Hash: b754c932297aaa1fa271acf6b91787e57df27b5f4d4f345c00da7453d4129ffa
Instruction Fuzzy Hash: 36324521E68F054DD7279634C822336A74DAFBB3C5F15EB37F81AB99A5EB28D4835100

Function 6CAA7C1A Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f35f0e417a9a823da70e0e815d63561ab8313ccbcac27ae98bdc2122e71f5a0
Instruction ID: cd437db951effb4436f105b23201cc6214c88c41818ac8fb3def4f0cd055337d
Opcode Fuzzy Hash: 0f35f0e417a9a823da70e0e815d63561ab8313ccbcac27ae98bdc2122e71f5a0
Instruction Fuzzy Hash: DEE1AB306006459FCB24CFA8C580AAFB7F1FF49318B28865ED456DBA98D731A9C7CB51

Function 00E8D24E Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66813c293c91ca8816a7a52fcb68adfc1e0f50f0964537bdd8df5149e680607a
Instruction ID: 36ce5e5eb3875d36c74e0fe8b06d4b341063bbae47d8ee338b785ada61ddd95b
Opcode Fuzzy Hash: 66813c293c91ca8816a7a52fcb68adfc1e0f50f0964537bdd8df5149e680607a
Instruction Fuzzy Hash: 2DE16D70A086098FCB24EF68C980AAEB7F1FF45318B246659D45EBB2E1D730ED45CB51

Function 6CAB8DC0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: 73402f4abba4f4a54b1299a75a9d9b25ac467e407822e464a38775dfb8cb9945
Instruction ID: 4660a25b43805e805c4a2b069238d16e73200a24a815f1ac433b0c3b959f8608
Opcode Fuzzy Hash: 73402f4abba4f4a54b1299a75a9d9b25ac467e407822e464a38775dfb8cb9945
Instruction Fuzzy Hash: 9FB104755007068BD7289B79CD81AA7B3BDEF4430CF08452EEA46A6A80EB75E5C9CB10

Function 00CE5220 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359e0b8adb3a17eab4943a14f8603563417c3817bc4ba1646aec4e92a6ad3126
Instruction ID: 6f24d7e7c4cfedf9cdee053e73fc664443d00ea9fa6e50c497f3bc71db7fc3ca
Opcode Fuzzy Hash: 359e0b8adb3a17eab4943a14f8603563417c3817bc4ba1646aec4e92a6ad3126
Instruction Fuzzy Hash: AA7117B1801B48CFE761CF78C94478ABBF0BB05324F144A5ED4A99B3D1D3B96608CB91

Function 00D8C330 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d05def96663ba1ff8b14923452a0f074960e087aaf4cad261c8a8ca3b0995ff
Instruction ID: e7f77363fb366a1c20246aa8417b6f519f9bc0be24990ba86b448f324668a837
Opcode Fuzzy Hash: 3d05def96663ba1ff8b14923452a0f074960e087aaf4cad261c8a8ca3b0995ff
Instruction Fuzzy Hash: 1B4101B0905B49EED704CF69C10878AFBF0FB08318F208699C4589B781C3BAA618DB94

Function 00CEE540 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c6c4e7a9d45814723c37ba37029ff235253ea6bcef9abb651759cec3f6438f
Instruction ID: c52e69ac2540314b79755ab71fd6d2025f2d927b2fda394d088899003bd673cb
Opcode Fuzzy Hash: e4c6c4e7a9d45814723c37ba37029ff235253ea6bcef9abb651759cec3f6438f
Instruction Fuzzy Hash: 4C31D0B0409B84CEE321CF29C658787BFF0BB15718F104A4DD4A68BB91D3BAA548DB91

Function 00CE78B0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43062de89819eabf557b8ccac9f5dd2fa9fb2b81efcb0ad494a84b1a536b5bd3
Instruction ID: 6186ebad39c3bc989fedf30aa47e2169b8b47083bd6890883e3bb163dc1c4928
Opcode Fuzzy Hash: 43062de89819eabf557b8ccac9f5dd2fa9fb2b81efcb0ad494a84b1a536b5bd3
Instruction Fuzzy Hash: 8E215BB1804788DFD710CF58C90478ABBF4FF19314F1186AED455AB791D3B9AA48CB90

Function 00D058F0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ba4ed639ba9501ab4622e42a58c996726eff52c5067f07da21c0bdd4f635f6
Instruction ID: 5b92d07a3a72d9da049994ec7e47fd437b27b23d792b2684043c6ebf6085d1e3
Opcode Fuzzy Hash: 16ba4ed639ba9501ab4622e42a58c996726eff52c5067f07da21c0bdd4f635f6
Instruction Fuzzy Hash: B81100B1905748DFC740CF58C544789BBF4FB09328F2082AEE8189B381D3769A06DF84

Function 00E9E8FB Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7359e47b795db07c7c70e94887b4738e13c5e1f081f09a331a2f3ddb13a4b2
Instruction ID: 0b7b339ccc9b1a33ab3b0c615e3f96f6ef673f0a72354a4f2845b4e6626fbed5
Opcode Fuzzy Hash: 7c7359e47b795db07c7c70e94887b4738e13c5e1f081f09a331a2f3ddb13a4b2
Instruction Fuzzy Hash: 61F03031615224EBCF16D74CC405A5973A8EB45B55F116096E601E7361C6B4DE41C7D0

Function 6CAB68F9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f7c3a9c28ba902ead7bfae16d18044bdf2bb91cc3da091a84cf07b9e0d49cf
Instruction ID: b2f372087e6d0e6a60a9afcca83a9d0cb2887d0b5672193e9af6d3701b6503e7
Opcode Fuzzy Hash: 83f7c3a9c28ba902ead7bfae16d18044bdf2bb91cc3da091a84cf07b9e0d49cf
Instruction Fuzzy Hash: 3AE08C32912228EBCB14CBC8CA0499AB7FCFB49B14B1104AAF511E3600D670DE44CBC0

Function 00E9E93F Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a31a1b2c87d20f6f1ccd6e3f5e56cdbfee1b29986efbea090f4dac1cf3a30c
Instruction ID: aa364b0d3ee5a4294cf0c442a92454187ae3eb6592c9f1152a310140f4c7ba2b
Opcode Fuzzy Hash: 52a31a1b2c87d20f6f1ccd6e3f5e56cdbfee1b29986efbea090f4dac1cf3a30c
Instruction Fuzzy Hash: 75E04632911228EBCB24DB98C90498AB2ECEB85F04B150896B601E3200D270DE00CBD0

Function 00CE71F0 Relevance: 32.0, APIs: 17, Strings: 1, Instructions: 460stringCOMMON

Download Yara Rule

APIs

RedrawWindow.USER32(?,00000000,00000000,00000507,93D979FF), ref: 00CE727E
IsWindow.USER32(?), ref: 00CE7290
GetParent.USER32(?), ref: 00CE72D1
lstrcmpW.KERNEL32(?,#32770), ref: 00CE72F1

Strings

#32770, xrefs: 00CE72E8

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$ParentRedrawlstrcmp
String ID: #32770
API String ID: 3033045798-463685578
Opcode ID: d6832254a83e027916036a338061db188d8afdfb24e196045bf4fe5f18ca5a44
Instruction ID: 42229efab35df6198cdb5574345782bf45ada132ee80a25cf56c24e3b399a692
Opcode Fuzzy Hash: d6832254a83e027916036a338061db188d8afdfb24e196045bf4fe5f18ca5a44
Instruction Fuzzy Hash: 48028F70A08389DFDB10DFA9C948BAEBBF5FF49314F144659F415A72A0DB35AA40DB20

Function 00DF69C0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DEE740: LoadLibraryW.KERNEL32(ComCtl32.dll,93D979FF,?,00000000,00000000), ref: 00DEE77E
Part of subcall function 00DEE740: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00DEE7A1
Part of subcall function 00DEE740: FreeLibrary.KERNEL32(00000000), ref: 00DEE81F

GetDlgItem.USER32(?,000001F4), ref: 00DF6A01
SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 00DF6A12
GetDC.USER32(00000000), ref: 00DF6A1A
GetDeviceCaps.GDI32(00000000), ref: 00DF6A21
MulDiv.KERNEL32(00000009,00000000), ref: 00DF6A2A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Courier New), ref: 00DF6A53
GetDlgItem.USER32(?,000001F6), ref: 00DF6A64
IsWindow.USER32(00000000), ref: 00DF6A6D
SendMessageW.USER32(00000000,00000030,?,00000000), ref: 00DF6A84
GetDlgItem.USER32(?,000001F8), ref: 00DF6A8E
GetWindowRect.USER32(?,?), ref: 00DF6A9F
GetWindowRect.USER32(?,?), ref: 00DF6AB2
GetWindowRect.USER32(00000000,?), ref: 00DF6AC2

Strings

Courier New, xrefs: 00DF6A30

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$ItemRect$LibraryMessageSend$AddressCapsCreateDeviceFontFreeLoadProc
String ID: Courier New
API String ID: 1731048342-2572734833
Opcode ID: a08a7bf7bb0b802eed5a7d0d7d726d6532c135acc93c88e299d6bcc428c56bda
Instruction ID: 683099f8b74b652edeee12022229fd27b70ef0e976876d1df73652f6f110c63f
Opcode Fuzzy Hash: a08a7bf7bb0b802eed5a7d0d7d726d6532c135acc93c88e299d6bcc428c56bda
Instruction Fuzzy Hash: B241A771B843087BEB14AF249D46FBE7BA9EF48B04F015519BB05BA1D1DAB0AC408B65

Function 00DF4730 Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 340threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00F9944C,93D979FF,?,?,00000000), ref: 00DF4852
EnterCriticalSection.KERNEL32(?,93D979FF,?,?,00000000,?,?,?,?,?,00000000,00EED8F7,000000FF), ref: 00DF4864
GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,00EED8F7,000000FF), ref: 00DF4871
GetCurrentThread.KERNEL32 ref: 00DF487C
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,00F1446C,00000000), ref: 00DF4AAE
LeaveCriticalSection.KERNEL32(?,00000000), ref: 00DF4BDC

Strings

^Y, xrefs: 00DF4A06
<--------------------MORE--FRAMES-------------------->, xrefs: 00DF4A52
MODULE_BASE_ADDRESS, xrefs: 00DF4AFB
4w, xrefs: 00DF4BDC
[0x%.8Ix] , xrefs: 00DF4550, 00DF4AB5
@Y, xrefs: 00DF4BBA
*** Stack Trace (x86) ***, xrefs: 00DF49AD

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$Current$EnterHandleInitializeLeaveModuleProcessThread
String ID: *** Stack Trace (x86) ***$ 4w$<--------------------MORE--FRAMES-------------------->$@Y$MODULE_BASE_ADDRESS$[0x%.8Ix] $^Y
API String ID: 3051236879-1236869914
Opcode ID: 4e053c9b0a59cd844608b2d398d566914b62420fb8c97855843474f09f8db0fa
Instruction ID: 37a8894473c48e79fab3053653de7380b8c3bb54b95b63eae208e87677a8d4a5
Opcode Fuzzy Hash: 4e053c9b0a59cd844608b2d398d566914b62420fb8c97855843474f09f8db0fa
Instruction Fuzzy Hash: C3D19C716043889FDF25DF68CC55BEE7BA8FF44308F108119EA09AB291D7B55B04DB61

Function 00DF47E0 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 265threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00F9944C,93D979FF,?,?,00000000), ref: 00DF4852
EnterCriticalSection.KERNEL32(?,93D979FF,?,?,00000000,?,?,?,?,?,00000000,00EED8F7,000000FF), ref: 00DF4864
GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,00EED8F7,000000FF), ref: 00DF4871
GetCurrentThread.KERNEL32 ref: 00DF487C
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,00F1446C,00000000), ref: 00DF4AAE
LeaveCriticalSection.KERNEL32(?,00000000), ref: 00DF4BDC

Strings

^Y, xrefs: 00DF4A06
<--------------------MORE--FRAMES-------------------->, xrefs: 00DF4A52
MODULE_BASE_ADDRESS, xrefs: 00DF4AFB
4w, xrefs: 00DF4BDC
[0x%.8Ix] , xrefs: 00DF4AB5
@Y, xrefs: 00DF4BBA
*** Stack Trace (x86) ***, xrefs: 00DF49AD

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$Current$EnterHandleInitializeLeaveModuleProcessThread
String ID: *** Stack Trace (x86) ***$ 4w$<--------------------MORE--FRAMES-------------------->$@Y$MODULE_BASE_ADDRESS$[0x%.8Ix] $^Y
API String ID: 3051236879-1236869914
Opcode ID: 1407aa3dced6419dbc9171ce2bd750148096d6e42c6594b60d85a0e1ba8ade69
Instruction ID: 6daee0a1d5ceb6a76079f3df6dba705f9a8ed357ebdc2acef01f6c3f9604e718
Opcode Fuzzy Hash: 1407aa3dced6419dbc9171ce2bd750148096d6e42c6594b60d85a0e1ba8ade69
Instruction Fuzzy Hash: BCB19B709043889FDF25DF68CC55BEE7BA8FF44308F408158EA09AB292D7B55B04DB61

Function 00D064D0 Relevance: 22.7, APIs: 15, Instructions: 178windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000318,00000000,00000004), ref: 00D06537
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00D06545
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00D0655F
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D06577
SendMessageW.USER32(?,0000130A,00000000,?), ref: 00D065A8
CreateRectRgn.GDI32(?,?,?,?), ref: 00D065E2
DeleteObject.GDI32(00000000), ref: 00D065F9
GetClientRect.USER32(?,?), ref: 00D06615
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 00D06640
CreateRectRgn.GDI32(?,?,?,?), ref: 00D0665D
SelectClipRgn.GDI32(00000000,00000000), ref: 00D06674
GetParent.USER32(?), ref: 00D06684
SendMessageW.USER32(00000000,00000136,?,?), ref: 00D06695
DeleteObject.GDI32(00000000), ref: 00D066AB
DeleteObject.GDI32(?), ref: 00D066B0

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageRectSend$Create$DeleteObject$ClientClipParentSelect
String ID:
API String ID: 1236051970-0
Opcode ID: d62dc9d0b51581b03aa371794e18b1d28ac038f1c5ee70fd939cfef4ca7cd9f3
Instruction ID: dd504b9c7d8f447886043343d6ef0cf439cf398155c7438f764e99745baff57c
Opcode Fuzzy Hash: d62dc9d0b51581b03aa371794e18b1d28ac038f1c5ee70fd939cfef4ca7cd9f3
Instruction Fuzzy Hash: 4C611772914718AFDB129FE8CD09FAEBBB9FF08710F14011AF619AB2A0D7706911DB50

Function 00E08270 Relevance: 21.4, APIs: 4, Strings: 8, Instructions: 439COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,93D979FF), ref: 00E082D9
IsWow64Process.KERNEL32(00000000), ref: 00E082E0

Part of subcall function 00DEAB00: _wcsrchr.LIBVCRUNTIME ref: 00DEAB39

_wcsrchr.LIBVCRUNTIME ref: 00E08361
_wcsrchr.LIBVCRUNTIME ref: 00E083F7

Strings

/p //, xrefs: 00E084A1
TRANSFORMS=":%d", xrefs: 00E08450
/i //, xrefs: 00E084AF
.x64, xrefs: 00E08342
%s AI_SETUPEXEPATH="%s" SETUPEXEDIR="%s", xrefs: 00E0862F
/fvomus //, xrefs: 00E084AA, 00E084FF, 00E08500
"%s" , xrefs: 00E0859D
EXE_CMD_LINE="%s ", xrefs: 00E08682

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: _wcsrchr$Process$CurrentWow64
String ID: "%s" $ /fvomus //$ /i //$ /p //$ EXE_CMD_LINE="%s "$ TRANSFORMS=":%d"$%s AI_SETUPEXEPATH="%s" SETUPEXEDIR="%s"$.x64
API String ID: 657290924-2074823060
Opcode ID: b0b825a8b3aaec8a1192230bad2fdf39d8e3d122f907dda02cd5235440bbcaa0
Instruction ID: 60adcfdb948d6a96fcb016e6b766a72de4867002b177c71c96850cdce4b09134
Opcode Fuzzy Hash: b0b825a8b3aaec8a1192230bad2fdf39d8e3d122f907dda02cd5235440bbcaa0
Instruction Fuzzy Hash: 38F1DF30A0060A9FDB04DF68CD54BAEBBA4FF45314F18826DE955AB2D2DB74DD40CBA0

Function 6CA9CE10 Relevance: 19.7, APIs: 13, Instructions: 219COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 6CA9CE44
DeleteObject.GDI32(?), ref: 6CA9CE90

Part of subcall function 6CA9C820: IsWindowVisible.USER32 ref: 6CA9C836
Part of subcall function 6CA9C820: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6CA9C852
Part of subcall function 6CA9C820: GetWindowLongW.USER32(?,000000F0), ref: 6CA9C858
Part of subcall function 6CA9C820: GetDlgItem.USER32(?,?), ref: 6CA9C8CA
Part of subcall function 6CA9C820: GetWindowRect.USER32(00000000,?), ref: 6CA9C8E2
Part of subcall function 6CA9C820: MapWindowPoints.USER32(00000000,?,00000002,00000002), ref: 6CA9C8F3

EndDialog.USER32(?,00000000), ref: 6CA9CF02

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Long$DeleteDialogItemMessageObjectPointsRectSendVisible
String ID:
API String ID: 2368538989-0
Opcode ID: 3ca786713c43e3f40a3ff8a809e47ff0e76352a286172f454ede386f841c4c0b
Instruction ID: 617c9cd327b70e71da105902760cfbe41218e13af3996b9d27a61aefb44884f1
Opcode Fuzzy Hash: 3ca786713c43e3f40a3ff8a809e47ff0e76352a286172f454ede386f841c4c0b
Instruction Fuzzy Hash: 4771C131A142069BDF14DF68CD89BAEBBF4FB09328F244618E512A7AD0C734E9C5CB51

Function 00DF9470 Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 410libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E13C70: GetSystemDefaultLangID.KERNEL32(93D979FF,?,?,?,?), ref: 00E13CA6

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 00DF95D3
GetProcAddress.KERNEL32(00000000), ref: 00DF95DA
__Init_thread_footer.LIBCMT ref: 00DF95F1
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000000), ref: 00DF9610

Strings

Searching for:, xrefs: 00DF96C9
IsWow64Process2, xrefs: 00DF95C9
Undefined, xrefs: 00DF98AA
Search result:, xrefs: 00DF9849
An acceptable version was found., xrefs: 00DF98C3, 00DF98C4
kernel32, xrefs: 00DF95CE
Wrong OS or Os language for:, xrefs: 00DF993B

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AddressCurrentDefaultHandleInit_thread_footerLangModuleProcProcessSystem
String ID: An acceptable version was found.$IsWow64Process2$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$kernel32
API String ID: 52476621-1658165007
Opcode ID: 57afcdaf3884d5b3a50429305631ba6d05af45f320200941ffdf711e813ef0ae
Instruction ID: d6d50f404d3af115b29c0361c09ff6b6e95ba4642e12b9c4c36642adbf7eb227
Opcode Fuzzy Hash: 57afcdaf3884d5b3a50429305631ba6d05af45f320200941ffdf711e813ef0ae
Instruction Fuzzy Hash: E3F1BE70D006088FDB14DFA8C894BADB7F1FF44314F1A825DE566AB291DB70A946CF61

Function 00CEF8C0 Relevance: 18.3, APIs: 12, Instructions: 336windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CEF914
GetWindowRect.USER32(?,?), ref: 00CEF9F3
GetClientRect.USER32(?,?), ref: 00CEFA05
GetWindowDC.USER32(?), ref: 00CEFA17
CreateCompatibleDC.GDI32(00000000), ref: 00CEFA44
CreateCompatibleBitmap.GDI32(00000000), ref: 00CEFA86
SelectObject.GDI32(00000000,00000000), ref: 00CEFA95

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: RectWindow$CompatibleCreate$BitmapClientObjectSelect
String ID:
API String ID: 2032541772-0
Opcode ID: d1a0e0a7935e3e84c11130f63f27d98d1bfc399a8882ceafe404e093fdc1218e
Instruction ID: 0f11943ece6e73fa5c6b5017462824084ce14440de4fd353f15c50a29fbaa1a0
Opcode Fuzzy Hash: d1a0e0a7935e3e84c11130f63f27d98d1bfc399a8882ceafe404e093fdc1218e
Instruction Fuzzy Hash: 56E13971D04358DFDB21DFA9C948B9EBBF8FF09700F2442AAE809A7251D7706A84DB50

Function 00E29380 Relevance: 18.3, APIs: 12, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43499ca47c5419e236ee0615fdbd8f338020b7758ba09312dfb0335145088ee0
Instruction ID: 91a0b8947efe2dc458f9da3c9eb338417e2773d8353c6119ab6f7eef08fa89ca
Opcode Fuzzy Hash: 43499ca47c5419e236ee0615fdbd8f338020b7758ba09312dfb0335145088ee0
Instruction Fuzzy Hash: C4A12571600315AFDB10AF64EC85FAEBBA4FF44314F14616AF909AB292DB75D900DB60

Function 00CE54B0 Relevance: 16.6, APIs: 11, Instructions: 139windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00CE54EE
FillRect.USER32(00000000,?,00000000), ref: 00CE550D
DeleteObject.GDI32(00000000), ref: 00CE5514
GetClientRect.USER32(?,?), ref: 00CE556F
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00CE5588
CreateCompatibleDC.GDI32(00000000), ref: 00CE5595
SelectObject.GDI32(00000000,00000000), ref: 00CE55A7
FillRect.USER32(00000000,?,00000000), ref: 00CE55D0
DeleteObject.GDI32(?), ref: 00CE55DA
SelectObject.GDI32(00000000,?), ref: 00CE5622
DeleteDC.GDI32(00000000), ref: 00CE5629

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ObjectRect$Delete$ClientCompatibleCreateFillSelect$Bitmap
String ID:
API String ID: 441990398-0
Opcode ID: 17fb4013e3de57627f1a6661ee5541fa9d5fc828e4b5f7d92a9ebd8d922de425
Instruction ID: c49f9968b500847fb87045669cf7aeecb2fa80de67b30432c5928daa0b88e45b
Opcode Fuzzy Hash: 17fb4013e3de57627f1a6661ee5541fa9d5fc828e4b5f7d92a9ebd8d922de425
Instruction Fuzzy Hash: 04418072118745AFD311AF64DD49F6BBBECFB88704F00492AFA56C21A0DB71E904EB21

Function 00E1EAB0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 319synchronizationfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

DeleteFileW.KERNEL32(?,?,?,?,00000000,?,?,?), ref: 00E1EDBA

Part of subcall function 00CD92A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,00CD9418,-00000010,?,00000000), ref: 00CD92C3

Part of subcall function 00CD9980: RtlAllocateHeap.NTDLL(?,00000000,?,93D979FF,00000000,00EAC6B0,000000FF,?,?,00F8C42C,00000000,00E2ECDB,80004005,93D979FF,?,?), ref: 00CD99CA

ResetEvent.KERNEL32(00000000,93D979FF,?,?,00000000,00EF614D,000000FF,?,80004005), ref: 00E1EE4F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00EF614D,000000FF,?,80004005), ref: 00E1EE6F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,00EF614D,000000FF,?,80004005), ref: 00E1EE7A

Strings

http://www.google.com, xrefs: 00E1EC0E
http://www.yahoo.com, xrefs: 00E1EC18
http://www.example.com, xrefs: 00E1EC1F
tin9999.tmp, xrefs: 00E1EC09
TEST, xrefs: 00E1EC02

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: HeapInit_thread_footerObjectSingleWait$AllocateDeleteEventFileFindProcessResetResource
String ID: TEST$http://www.example.com$http://www.google.com$http://www.yahoo.com$tin9999.tmp
API String ID: 3248508590-625802988
Opcode ID: 426dac15b1ebb0247134b6fae1a4eb7fa8b5bff70085a8f679c20011ca9bdce2
Instruction ID: 7e7f9b6036d0543bc7bdc6cd191fe56041f7bc7286b82802e357696e6ed36842
Opcode Fuzzy Hash: 426dac15b1ebb0247134b6fae1a4eb7fa8b5bff70085a8f679c20011ca9bdce2
Instruction Fuzzy Hash: 61C1CE719052499FDB10DB68CC05BEEBBB4FF45314F1486A9E81AA7391EB70AA44CB90

Function 00E006D0 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 00DF5290: LoadLibraryW.KERNEL32(Shlwapi.dll,?,?,?,?,00E00731,?,93D979FF,?,?), ref: 00DF52AB
Part of subcall function 00DF5290: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00DF52C1
Part of subcall function 00DF5290: FreeLibrary.KERNEL32(00000000), ref: 00DF52FA

GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104,93D979FF,?,?), ref: 00E00910

Strings

ProgramFiles, xrefs: 00E00810, 00E00825, 00E0082D
Shlwapi.dll, xrefs: 00E00727
AppDataFolder, xrefs: 00E00878, 00E008B5
PROGRAMFILES, xrefs: 00E008ED
APPDATA, xrefs: 00E00907, 00E0090F
AI_BOOTSTRAPPERLANGS, xrefs: 00E009E2, 00E00A2A
ProgramFilesFolder, xrefs: 00E00797
Shell32.dll, xrefs: 00E00753

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Library$AddressEnvironmentFreeLoadProcVariable
String ID: AI_BOOTSTRAPPERLANGS$APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFilesFolder$Shell32.dll$Shlwapi.dll
API String ID: 788177547-1020860216
Opcode ID: 73790f6d17a2c4b14c3b42a2db3e04592c7bbaeb9689f0580576256abbe52d05
Instruction ID: 354712dc1342c34292d1406e2b020340f3c0a293165fd7d5f6d3e838c6fe32cf
Opcode Fuzzy Hash: 73790f6d17a2c4b14c3b42a2db3e04592c7bbaeb9689f0580576256abbe52d05
Instruction Fuzzy Hash: EF9139716002059BDB18EF24D845BBAB3A5FFA0314F14966AE80AE73D5E731DD81DF90

Function 00D03970 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 124windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 00D039E5
lstrcpynW.KERNEL32(?,?,00000020), ref: 00D03A5B
GetDC.USER32(?), ref: 00D03A7E
GetDeviceCaps.GDI32(00000000), ref: 00D03A85
MulDiv.KERNEL32(?,00000048,00000000), ref: 00D03A98
SendMessageW.USER32(?,00000444,00000000,00000074), ref: 00D03ACA
DeleteObject.GDI32(?), ref: 00D03B06

Strings

t, xrefs: 00D03AA6
?, xrefs: 00D03A9E

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend$CapsDeleteDeviceObjectlstrcpyn
String ID: ?$t
API String ID: 2619291461-1995845436
Opcode ID: 1cb9a8e3cc96d70011489eb09a82fa27119a99b963e0a02530316a131cbebfeb
Instruction ID: 1d390f03371560fe1de3c65fe48ea91817f25b8d2c47a575528a3df80a4714a6
Opcode Fuzzy Hash: 1cb9a8e3cc96d70011489eb09a82fa27119a99b963e0a02530316a131cbebfeb
Instruction Fuzzy Hash: 58518CB1608340AFE721DF64DC49B9BBBE8EB48701F04492EF68DD6191D774E608CB62

Function 00CE5050 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 119COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00F9957C,93D979FF,00000000,?,?,?,?,?,?,00CE487E,00EAF9CD,000000FF), ref: 00CE508D
LoadCursorW.USER32(00000000,00007F00), ref: 00CE5108
LoadCursorW.USER32(00000000,00007F00), ref: 00CE51AE
LeaveCriticalSection.KERNEL32(00F9957C), ref: 00CE5203

Strings

WM_ATLGETCONTROL, xrefs: 00CE50A4
AtlAxWin140, xrefs: 00CE50BF, 00CE5123
4w, xrefs: 00CE5203
WM_ATLGETHOST, xrefs: 00CE5099
AtlAxWinLic140, xrefs: 00CE516F, 00CE51C5

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalCursorLoadSection$EnterLeave
String ID: 4w$AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST
API String ID: 3727441302-328521408
Opcode ID: fca0631090c4f9519a55d7e5c2c64ff4ecb4f12d968c347fec65c05cd708390e
Instruction ID: 21cef093a8e727413ea01ddb2c67680a54c8d152489ba38fec69eba44b08d259
Opcode Fuzzy Hash: fca0631090c4f9519a55d7e5c2c64ff4ecb4f12d968c347fec65c05cd708390e
Instruction Fuzzy Hash: D55103B1C55359ABDB01DFA9D848BDEBBF8BB08704F14011AE814B7280DBB55A059FA1

Function 00E2D8D0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,00E1098B,?,?,?,?,?), ref: 00E2D8E5

Strings

InitExtraction, xrefs: 00E2D91D
GetTotalFilesSize, xrefs: 00E2D925
EndExtraction, xrefs: 00E2D949
ExtractAllFiles, xrefs: 00E2D937

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: LibraryLoad
String ID: EndExtraction$ExtractAllFiles$GetTotalFilesSize$InitExtraction
API String ID: 1029625771-3462492388
Opcode ID: 0e47ee6748160e24ba033fb5f867c1da2a2de5a9efbc8042c1090e0727fbc76f
Instruction ID: c31efcbed1ec6e5921a10138ea137eac8a8b0eea6a8422880f3c13b66df6a42c
Opcode Fuzzy Hash: 0e47ee6748160e24ba033fb5f867c1da2a2de5a9efbc8042c1090e0727fbc76f
Instruction Fuzzy Hash: 29019A7990932EABCF94EB29FC1895D3BA0F718326701502BE90153222CBB58881FF80

Function 00DF6800 Relevance: 15.2, APIs: 10, Instructions: 155COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00DF6811
DeleteObject.GDI32(?), ref: 00DF6869
EndDialog.USER32(?,00000000), ref: 00DF68E9

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: DeleteDialogLongObjectWindow
String ID:
API String ID: 1328495006-0
Opcode ID: ba7d1bb1438be1f6346326ead9aba71b725ae04e0bdcf596a7f0e529c26d28bc
Instruction ID: 674522c713c9328496a228c450e4c4f9d554f19d1d2fc6f3e3c76f79810c95f5
Opcode Fuzzy Hash: ba7d1bb1438be1f6346326ead9aba71b725ae04e0bdcf596a7f0e529c26d28bc
Instruction Fuzzy Hash: ED41D63231431C57CA24AE2CAC09B7B77A8DB85731F05872BFE51DBAD0C6B2D81196B1

Function 00D839A0 Relevance: 15.1, APIs: 10, Instructions: 127windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00D83A1A
GetWindowRect.USER32(?,?), ref: 00D83A32
GetWindowRect.USER32(?,?), ref: 00D83A4A
IntersectRect.USER32(?,?,?), ref: 00D83A67
EqualRect.USER32(?,?), ref: 00D83A77
GetSysColorBrush.USER32(0000000F), ref: 00D83A8D
GetWindowRect.USER32(?,?), ref: 00D83AB6
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00D83ACB
GetWindowLongW.USER32(?,000000EC), ref: 00D83ADA
SetBrushOrgEx.GDI32(?,?,?,00000000), ref: 00D83AF8

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Rect$Brush$ColorEqualIntersectLongPointsVisible
String ID:
API String ID: 2158939716-0
Opcode ID: 20a94560ccb0032e845c1639f189cdb437312ebe0c843469f283665f25315ed5
Instruction ID: 740302e167e6e6067495e2e41fe40907bc5c595cd1b73bafd6892403f9da2c6b
Opcode Fuzzy Hash: 20a94560ccb0032e845c1639f189cdb437312ebe0c843469f283665f25315ed5
Instruction Fuzzy Hash: 574170326083099FC710EF25D944A6BB7E8EF99B14F05461EF989D7210E771EE448B62

Function 6CAA3876 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 6CAA3995
___TypeMatch.LIBVCRUNTIME ref: 6CAA3AA3
CatchIt.LIBVCRUNTIME ref: 6CAA3AF4
_UnwindNestedFrames.LIBCMT ref: 6CAA3BF5
CallUnexpected.LIBVCRUNTIME ref: 6CAA3C10

Strings

csm, xrefs: 6CAA39CC
csm, xrefs: 6CAA3920
csm, xrefs: 6CAA38B3

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: 51dd48bbd12009cf2804b2e1d3cd2b6361229a6ca072f68949693a0d39f07a4b
Instruction ID: 1929fe95d151d58dfc6e469b988a69fd807b75d5e57fbcd9b6e66cd47af3b0f6
Opcode Fuzzy Hash: 51dd48bbd12009cf2804b2e1d3cd2b6361229a6ca072f68949693a0d39f07a4b
Instruction Fuzzy Hash: D3B16A71C02219EFCF05CFE5C980A9EBBB5FF04318B18415AE9516BA11D731DADACB91

Function 00CE32F0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00CE3335
SysAllocString.OLEAUT32(?), ref: 00CE3349
VariantInit.OLEAUT32(?), ref: 00CE3384
VariantClear.OLEAUT32(?), ref: 00CE33DA
VariantClear.OLEAUT32(?), ref: 00CE33E4
VariantClear.OLEAUT32(?), ref: 00CE33EE
VariantClear.OLEAUT32(?), ref: 00CE33FB

Part of subcall function 00CD9980: RtlAllocateHeap.NTDLL(?,00000000,?,93D979FF,00000000,00EAC6B0,000000FF,?,?,00F8C42C,00000000,00E2ECDB,80004005,93D979FF,?,?), ref: 00CD99CA

Strings

<body><h3 style="color:green;">Error loading resource:</h3><p style="white-space:nowrap">"%s"</p></body>, xrefs: 00CE347B

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Variant$Clear$AllocAllocateHeapInitString
String ID: <body><h3 style="color:green;">Error loading resource:</h3><p style="white-space:nowrap">"%s"</p></body>
API String ID: 1547307772-1571955069
Opcode ID: 400dd2ff67b116502fc62441bfa3bc890ae9248b6074bf1e10f0258a85fa68ea
Instruction ID: 6d1f96fda1472002180e0b228cec670aa7aac3f9fe02b240b341d5301c89f73d
Opcode Fuzzy Hash: 400dd2ff67b116502fc62441bfa3bc890ae9248b6074bf1e10f0258a85fa68ea
Instruction Fuzzy Hash: A9917D71904289DFDB01DFA8CC48BDEBBB8FF49314F148269E415E7290E775AA44CBA0

Function 00EAA63F Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00EAB3CF), ref: 00EAA658

Strings

log, xrefs: 00EAA6B5, 00EAA6C4
log10, xrefs: 00EAA69A, 00EAA6A9
sqrt, xrefs: 00EAA797
exp, xrefs: 00EAA6D7, 00EAA73C
pow, xrefs: 00EAA6F6, 00EAA7A0, 00EAA7ED
asin, xrefs: 00EAA785
acos, xrefs: 00EAA78E

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 5814795aab40b4a6ba9acbf169dd5b52e4bcb8149761b6e141298819a32f2903
Instruction ID: 4e9a2e0dd2746cb8a1f8b3a6ab8d694ccd7fad0c3c1766a6231a94493ea3cc46
Opcode Fuzzy Hash: 5814795aab40b4a6ba9acbf169dd5b52e4bcb8149761b6e141298819a32f2903
Instruction Fuzzy Hash: B1519C7080030ACBCF149F58E84C5FEBBB1FF4A308F195066E490BA295C774A925EF56

Function 00E88400 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E88437
___except_validate_context_record.LIBVCRUNTIME ref: 00E8843F
_ValidateLocalCookies.LIBCMT ref: 00E884C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00E884F3
_ValidateLocalCookies.LIBCMT ref: 00E88548
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00E8855E
___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00E88573

Strings

csm, xrefs: 00E884DD

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
String ID: csm
API String ID: 1385549066-1018135373
Opcode ID: f0986fd3a26deea5220d9604b290486fcdde05981a83a53ee10009a19dc8e19d
Instruction ID: d5931cc9237dc1f8602e595912bf567f152fc1cb6e3f2204c0d06191c64281bc
Opcode Fuzzy Hash: f0986fd3a26deea5220d9604b290486fcdde05981a83a53ee10009a19dc8e19d
Instruction Fuzzy Hash: 00419435A0020A9BCF10FF68C941AAE7BE5BF45328F549155EC2DBB293DB329905CB91

Function 6CA9C820 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 6CA9C836
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6CA9C852
GetWindowLongW.USER32(?,000000F0), ref: 6CA9C858
GetDlgItem.USER32(?,?), ref: 6CA9C8CA
GetWindowRect.USER32(00000000,?), ref: 6CA9C8E2
MapWindowPoints.USER32(00000000,?,00000002,00000002), ref: 6CA9C8F3
SetWindowPos.USER32(00000014,00000000,?,00000002,00000002,?,00000014,?,00000002,00000002,?,?,?,000000F0,?,00000000), ref: 6CA9C96F
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6CA9C9A3
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 6CA9C9B0

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$MessageSend$ItemLongPointsRectRedrawVisible
String ID:
API String ID: 3196996609-0
Opcode ID: 1aa4dcc3cc64c212c3ee4eb76330ad84f9b830cec14a876cd7b2aa8f8851b395
Instruction ID: 9c8133da5dcb3d7d8121faa89cc201dfdabe99fb95405b05b5a271e84c171ef2
Opcode Fuzzy Hash: 1aa4dcc3cc64c212c3ee4eb76330ad84f9b830cec14a876cd7b2aa8f8851b395
Instruction Fuzzy Hash: B651AE302147019FE714DF29C989B2ABBF1FF89708F148A1CF5969B691D731E884CB51

Function 6CA9B830 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 462COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,00000000), ref: 6CA9BD0C
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,00000000), ref: 6CA9BD13
GetStdHandle.KERNEL32(000000F5,0000000C,?,00000000), ref: 6CA9BD27
SetConsoleTextAttribute.KERNEL32(00000000,?,00000000), ref: 6CA9BD2E
GetStdHandle.KERNEL32(000000F5,?,?,00000000,00000000,00000000,6CAE9F9C,00000002,?,00000000), ref: 6CA9BDBD
SetConsoleTextAttribute.KERNEL32(00000000,?,00000000), ref: 6CA9BDC4

Strings

*** Stack Trace (x86) ***, xrefs: 6CA9B885

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: ConsoleHandle$AttributeText$BufferInfoScreen
String ID: *** Stack Trace (x86) ***
API String ID: 575076100-1035257212
Opcode ID: 37731e1dd32dd1127ac45bd836ee3c4879b76913d43c140f561ed027c7eb31b3
Instruction ID: 45912aa96850c827b794a2c7e289c0626603e649f85f0c1aa4e6ca1f4a0f0af9
Opcode Fuzzy Hash: 37731e1dd32dd1127ac45bd836ee3c4879b76913d43c140f561ed027c7eb31b3
Instruction Fuzzy Hash: 8C125970A10208DFDB24CFA8C945BDEBBF0FB09318F24465DE415A7690DB74AA89CF61

Function 00CE8680 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 151threadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,93D979FF,?,?,00000000,?), ref: 00CE86BE
GetCurrentThreadId.KERNEL32 ref: 00CE86FF
EnterCriticalSection.KERNEL32(00F9957C), ref: 00CE871F
LeaveCriticalSection.KERNEL32(00F9957C), ref: 00CE8743
CreateWindowExW.USER32(00000000,00000000,00000000,00F9957C,?,80000000,00000000,80000000,00000000,00000000,00000000), ref: 00CE879E

Part of subcall function 00E84245: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00E135FE,?,?,?,?,?,?), ref: 00E8424A
Part of subcall function 00E84245: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 00E84251

Strings

AXWIN UI Window, xrefs: 00CE8815
4w, xrefs: 00CE8743

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalHeapSection$AllocCreateCurrentEnterErrorLastLeaveProcessThreadWindow
String ID: 4w$AXWIN UI Window
API String ID: 213679520-1054236765
Opcode ID: 8dd5d1ec9ca4dac11b7f7efd0f55ef6c04de51a1516f8e649afc969a015a903f
Instruction ID: 211689e3f80a96983303f4463a45c76b99188129baa38f496bec85a63d60e4cc
Opcode Fuzzy Hash: 8dd5d1ec9ca4dac11b7f7efd0f55ef6c04de51a1516f8e649afc969a015a903f
Instruction Fuzzy Hash: 26510531A04349AFEB10CF69DD05B9ABBF8FB48710F10411AF918A7290D7B1A914DBA0

Function 00CEC6D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 150fileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00CEC7BF

Part of subcall function 00E84B58: EnterCriticalSection.KERNEL32(00F97FD8,93D979FF,?,00CD9DD7,00F98C04,00F07520), ref: 00E84B62
Part of subcall function 00E84B58: LeaveCriticalSection.KERNEL32(00F97FD8,?,00CD9DD7,00F98C04,00F07520), ref: 00E84B95
Part of subcall function 00E84B58: RtlWakeAllConditionVariable.NTDLL ref: 00E84C0C

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,93D97A01), ref: 00CEC813
CloseHandle.KERNEL32(00000000), ref: 00CEC870

Part of subcall function 00E84BA2: EnterCriticalSection.KERNEL32(00F97FD8,?,93D979FF,?,00CD9D66,00F98C04,93D979FF,93D979FF,?,00EACC0D,000000FF,?,00E2EBD6,93D979FF,?,?), ref: 00E84BAD
Part of subcall function 00E84BA2: LeaveCriticalSection.KERNEL32(00F97FD8,?,00CD9D66,00F98C04,93D979FF,93D979FF,?,00EACC0D,000000FF,?,00E2EBD6,93D979FF,?,?,00000000), ref: 00E84BEA

WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,?), ref: 00CEC8D4
CloseHandle.KERNEL32(00000000,7644E610), ref: 00CEC8FA

Strings

html, xrefs: 00CEC7CC
aix, xrefs: 00CEC7D1

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
String ID: aix$html
API String ID: 2030708724-2369804267
Opcode ID: f0d6de600a91862ac3ce772ede847923bdc11bad8f535e8d16b778b0de1b962d
Instruction ID: 3709c0a20d08f600d431ff32bd5ec90f9cad84302fe3843f6b3cdb90a3b2b73a
Opcode Fuzzy Hash: f0d6de600a91862ac3ce772ede847923bdc11bad8f535e8d16b778b0de1b962d
Instruction Fuzzy Hash: BD618CB0905248DFEB11CFA8DD89B9EBBF4FB44308F15411EE001AB291E7F66909DB61

Function 00CDD970 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 139COMMON

Download Yara Rule

Strings

RoGetActivationFactory, xrefs: 00CDD603
DllGetActivationFactory, xrefs: 00CDD7C2
combase.dll, xrefs: 00CDD608, 00CDD63E
CoIncrementMTAUsage, xrefs: 00CDD639
Windows.Foundation.Uri, xrefs: 00CDDA3A
.dll, xrefs: 00CDD766

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$Windows.Foundation.Uri$combase.dll
API String ID: 0-3956872289
Opcode ID: 68e77c908edcf3d066260a7d5ceec7a22a9e1edba010c89f4f81e8a023bca016
Instruction ID: cdc43e9f70bd9a6988ce4bd734300511a7d83bc13d3ab114811329f7438780bd
Opcode Fuzzy Hash: 68e77c908edcf3d066260a7d5ceec7a22a9e1edba010c89f4f81e8a023bca016
Instruction Fuzzy Hash: D1519CB1D01219EFDB04DFA4C945BEEBBB4FF05314F10452AEA15AB380CBB56A05DBA1

Function 00CD2860 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 135COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00F99358,00000000,93D979FF,00000000,00EE84A3,000000FF,?,93D979FF), ref: 00CD29D3
GetLastError.KERNEL32(?,93D979FF), ref: 00CD29DD

Strings

VolumeCostAvailable, xrefs: 00CD28A0
VolumeCostDifference, xrefs: 00CD28B3
VolumeCostSize, xrefs: 00CD2897
VolumeCostVolume, xrefs: 00CD288D, 00CD2945
VolumeCostRequired, xrefs: 00CD28A9

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: VolumeCostAvailable$VolumeCostDifference$VolumeCostRequired$VolumeCostSize$VolumeCostVolume
API String ID: 439134102-34576578
Opcode ID: dd0e38a04c7cea1e0dd60e519d6615db038adbcae20dad5a6e6ae1a63bdd6407
Instruction ID: c55c349fbb2bc554cb34ced15b4321352465cbe3dc023295338cb098681db0cf
Opcode Fuzzy Hash: dd0e38a04c7cea1e0dd60e519d6615db038adbcae20dad5a6e6ae1a63bdd6407
Instruction Fuzzy Hash: BF51E1B1904259DBDB10DFA8D905B9EBBF8FB04714F01022EE929E73D0E7B55A04EB51

Function 00DCA4D0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74libraryloaderwindowCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00DCA560

Part of subcall function 00E84B58: EnterCriticalSection.KERNEL32(00F97FD8,93D979FF,?,00CD9DD7,00F98C04,00F07520), ref: 00E84B62
Part of subcall function 00E84B58: LeaveCriticalSection.KERNEL32(00F97FD8,?,00CD9DD7,00F98C04,00F07520), ref: 00E84B95
Part of subcall function 00E84B58: RtlWakeAllConditionVariable.NTDLL ref: 00E84C0C

GetProcAddress.KERNEL32(SetWindowTheme), ref: 00DCA59D
__Init_thread_footer.LIBCMT ref: 00DCA5B4
SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 00DCA5DF

Part of subcall function 00E84BA2: EnterCriticalSection.KERNEL32(00F97FD8,?,93D979FF,?,00CD9D66,00F98C04,93D979FF,93D979FF,?,00EACC0D,000000FF,?,00E2EBD6,93D979FF,?,?), ref: 00E84BAD
Part of subcall function 00E84BA2: LeaveCriticalSection.KERNEL32(00F97FD8,?,00CD9D66,00F98C04,93D979FF,93D979FF,?,00EACC0D,000000FF,?,00E2EBD6,93D979FF,?,?,00000000), ref: 00E84BEA

Part of subcall function 00DA7A10: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00DA7A51

Strings

explorer, xrefs: 00DCA5C7
UxTheme.dll, xrefs: 00DCA531
SetWindowTheme, xrefs: 00DCA592

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$AddressConditionDirectoryMessageProcSendSystemVariableWake
String ID: SetWindowTheme$UxTheme.dll$explorer
API String ID: 3410024541-3123591815
Opcode ID: 3c8ead0197bf233162e2e40ce11f444191e9bf1d3897b8efc48798f179c7b8ef
Instruction ID: f59f951366420571c4d5866d81e4f9b983c34743e092d23bf789d7eb271ffabc
Opcode Fuzzy Hash: 3c8ead0197bf233162e2e40ce11f444191e9bf1d3897b8efc48798f179c7b8ef
Instruction Fuzzy Hash: A221B670A44709EBD714EF9CEC06F5977E0E706721F55421EF538A72D0D7B0A900AB62

Function 00CEF720 Relevance: 12.1, APIs: 8, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CEF74A
GetWindow.USER32(?,00000005), ref: 00CEF757
GetWindow.USER32(00000000,00000002), ref: 00CEF892

Part of subcall function 00CEF5A0: GetWindowRect.USER32(?,?), ref: 00CEF5CC
Part of subcall function 00CEF5A0: GetWindowRect.USER32(?,?), ref: 00CEF5DC

GetWindowRect.USER32(?,?), ref: 00CEF7EB
GetWindowRect.USER32(00000000,?), ref: 00CEF7FB
GetWindowRect.USER32(00000000,?), ref: 00CEF815

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Rect
String ID:
API String ID: 3200805268-0
Opcode ID: 6d1365956e01ef10839e4b17ed4e1947416544481753a5e43ec957ce7480989f
Instruction ID: ca823e533576d610a8c487a08ef6bdd0ac28216ce4d18c1e564a44fe528e896e
Opcode Fuzzy Hash: 6d1365956e01ef10839e4b17ed4e1947416544481753a5e43ec957ce7480989f
Instruction Fuzzy Hash: 9A41BF319047849FC321DF2AC980A6BF7F9BF9A704F504A2DF09593561EB30E985CB52

Function 00E840E3 Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00E8428D,?,?,?,?,?,?,?), ref: 00E84107
HeapAlloc.KERNEL32(00000000,?,00E8428D,?,?,?,?,?,?,?), ref: 00E8410E

Part of subcall function 00E841D9: IsProcessorFeaturePresent.KERNEL32(0000000C,00E840F5,00000000,?,00E8428D,?,?,?,?,?,?,?), ref: 00E841DB

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,00E8428D,?,?,?,?,?,?,?), ref: 00E8411E
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00E8428D,?,?,?,?,?,?,?), ref: 00E84145
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,00E8428D,?,?,?,?,?,?,?), ref: 00E84159
InterlockedPopEntrySList.KERNEL32(00000000,?,00E8428D,?,?,?,?,?,?,?), ref: 00E8416C
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00E8428D,?,?,?,?,?,?,?), ref: 00E8417F

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 1f7844866b05b15301ae5fb98add4b6e5a72f35c1fc39eb4578bca4c5c4429f5
Instruction ID: 906edb7b1a76f20cbedb7f9d9c27867269cee210cf0aaaa9b35bdf1fd54eb7c6
Opcode Fuzzy Hash: 1f7844866b05b15301ae5fb98add4b6e5a72f35c1fc39eb4578bca4c5c4429f5
Instruction Fuzzy Hash: BB1186B2A463177BE7217B649C4CFAA769CFB54799F111021F90EF61A1E750CC40A7A0

Function 00DEEA80 Relevance: 10.9, APIs: 7, Instructions: 413fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,93D979FF), ref: 00DEEBC9
ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 00DEEC3B
ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,00000000,00000000), ref: 00DEEEDC
CloseHandle.KERNEL32(?), ref: 00DEEF3A

Part of subcall function 00DEEA80: LoadStringW.USER32(000000A1,?,00000514,93D979FF), ref: 00DEE9E6

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$Init_thread_footerRead$CloseCreateHandleHeapLoadProcessString
String ID:
API String ID: 1714711150-0
Opcode ID: 506e49b4e7475901d11949185c96079ba9d4d119e9a29efc0e2508f2c68c53c8
Instruction ID: 7f65cac3ab39fceab485aebd861acf3fe55c26bdbf55409be532c65bf97257e4
Opcode Fuzzy Hash: 506e49b4e7475901d11949185c96079ba9d4d119e9a29efc0e2508f2c68c53c8
Instruction Fuzzy Hash: 96F19E71E00358DBDB10DFA9CC49BAEBBF5FF45714F248219E415AB281D774AA44CBA0

Function 6CA9A9A0 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 344COMMON

Download Yara Rule

APIs

SymGetLineFromAddr.DBGHELP(?,00000000,?,00000000,461C95ED), ref: 6CA9AA51

Part of subcall function 6CA9A650: LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 6CA9A6B5
Part of subcall function 6CA9A650: GetProcAddress.KERNEL32(00000000), ref: 6CA9A6BC

Strings

%hs:%ld, xrefs: 6CA9AC20
[0x%.8Ix] , xrefs: 6CA9AD5A
-> , xrefs: 6CA9AE97
-----, xrefs: 6CA9AE08
%hs(), xrefs: 6CA9ADE8

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: AddrAddressFromLibraryLineLoadProc
String ID: -> $%hs()$%hs:%ld$-----$[0x%.8Ix]
API String ID: 2196328783-2864510326
Opcode ID: 4d1d9a897db00bb74d830c01daefa53965df5e1f18de136dc45a383ce2fe5a77
Instruction ID: 318fe4cd65952e349e7d573ab048da56275086734a5784f5a9269221a78d0b68
Opcode Fuzzy Hash: 4d1d9a897db00bb74d830c01daefa53965df5e1f18de136dc45a383ce2fe5a77
Instruction Fuzzy Hash: 14E169709102589BEB24CF64CD987DEBBF5FF44318F104699E419AB680D7799B88CFA0

Function 6CA9C9E0 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 327COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000080,00000001,Close,50000001,?,00000128,00000025,00000032,0000000E,00000082,000001F5,00000000,50000000,?,00000026), ref: 6CA9CCCB
DialogBoxIndirectParamW.USER32(00000000,00000000,?,6CA9CE10,6CA9C04A), ref: 6CA9CD1A

Strings

Details >>, xrefs: 6CA9CC51
Copy, xrefs: 6CA9CCB2
Send Error Report, xrefs: 6CA9CC2D
Close, xrefs: 6CA9CBE4

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: DialogHandleIndirectModuleParam
String ID: Close$Copy$Details >>$Send Error Report
API String ID: 279259766-113472931
Opcode ID: a7051a7b57499c7a3556ee1fb463b24bd418b94e5d187191da8886ebd3af8b66
Instruction ID: 5f4a12f45a6ad59b1ece03c11b8fb6c9a223d17114cb41c8a6449df0a10ed09e
Opcode Fuzzy Hash: a7051a7b57499c7a3556ee1fb463b24bd418b94e5d187191da8886ebd3af8b66
Instruction Fuzzy Hash: 75C1C070A11609AFEB14DF68CD46BAEB7B5FF08718F104219F511BB6D0E770A985CBA0

Function 00CEC940 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 284registryCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,93D979FF), ref: 00CEC9CE
GetLastError.KERNEL32 ref: 00CEC9ED
RegCloseKey.ADVAPI32(?,Function_0024446C,00000000,Function_0024446C,00000000,00000000,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 00CECC7D
CloseHandle.KERNEL32(00000005,93D979FF,?,?,00000000,00EB0F5D,000000FF,?,Function_0024446C,00000000,Function_0024446C,00000000,00000000,80000001,00000001,00000000), ref: 00CECD0E

Strings

AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00CECA35
Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 00CEC9C3

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Close$CreateErrorEventHandleLast
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
API String ID: 1253123496-2079760225
Opcode ID: a9491e1fbeea3dc45e99694491ef0cffd95a61ef4836bd731c6ec34028dac5b7
Instruction ID: 00b18e250839135a72774ed200abe531703e306dc8d7c2686b064c989a944a9f
Opcode Fuzzy Hash: a9491e1fbeea3dc45e99694491ef0cffd95a61ef4836bd731c6ec34028dac5b7
Instruction Fuzzy Hash: 00C18B70A00388DFDB14DFA8C989BAEBBF4FF44304F24425DE459A7681D774AA49CB91

Function 00CEAAC0 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00F99338,93D979FF,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00EB0855), ref: 00CEAB2A
GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00EB0855), ref: 00CEABAA
EnterCriticalSection.KERNEL32(00F99354,?,?,?,?,?,?,?,?,?,?,?,00000000,00EB0855,000000FF), ref: 00CEAD63
LeaveCriticalSection.KERNEL32(00F99354,?,?,?,?,?,?,?,?,?,?,00000000,00EB0855,000000FF), ref: 00CEAD84

Strings

4w, xrefs: 00CEAD7D

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$Enter$FileLeaveModuleName
String ID: 4w
API String ID: 1807155316-3778465916
Opcode ID: 843ef3deecfd27cf5ab4a72150a166405ad3cb500cd0f1721fd1170d35cb02af
Instruction ID: deb5366e6fa81c5d08fdce48341432eb661d5faa9984befffc89cd5c562c562c
Opcode Fuzzy Hash: 843ef3deecfd27cf5ab4a72150a166405ad3cb500cd0f1721fd1170d35cb02af
Instruction Fuzzy Hash: BBB19170A04289DFDB10CFA5CC88BAEBBF5BF49304F244159E414EB291DB75AE44DB61

Function 00DE88D0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 212registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,93D979FF), ref: 00DE8ACE
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00DE8ADE
RegOpenKeyExW.ADVAPI32(?,?,00000000,000000FF,00000000,?,93D979FF), ref: 00DE8B13
RegCloseKey.ADVAPI32(00000000), ref: 00DE8B27

Strings

Advapi32.dll, xrefs: 00DE8AC9
RegOpenKeyTransactedW, xrefs: 00DE8AD8

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: f57c4f011e1d9557078fc5bfe1f7c6bbf34245c5e88296d75185954b086a6877
Instruction ID: 79821e6c542f67db8ade905c61589a66518ac059844955ccbb4bfb87cd7ec333
Opcode Fuzzy Hash: f57c4f011e1d9557078fc5bfe1f7c6bbf34245c5e88296d75185954b086a6877
Instruction Fuzzy Hash: FC914AB0D04348DFDB14DFA9C949B9EBBF4BF44300F14456AE419AB391EB74A904DBA0

Function 00CE6950 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 194comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(00F16214,00000000,00000001,Function_0024689C,?), ref: 00CE6A20

Strings

{, xrefs: 00CE6A80
:, xrefs: 00CE6A0A

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CreateInstance
String ID: :${
API String ID: 542301482-3766677574
Opcode ID: c89666027c1ad07c24a91cbdff7a9e69240ab247200520632c612a39821da758
Instruction ID: 3de6ca2c08af612b5a4380f5bf16394a5b92751a01d3cb7190024aa4b0c25420
Opcode Fuzzy Hash: c89666027c1ad07c24a91cbdff7a9e69240ab247200520632c612a39821da758
Instruction Fuzzy Hash: 8161B170A103859BCF249F5AC885BBE7BB4EF19790F14406AE812FB280D775DE80E725

Function 00DCB730 Relevance: 10.7, APIs: 7, Instructions: 189windowCOMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00DCB7B6
SelectObject.GDI32(00000000,?), ref: 00DCB834
SetBkMode.GDI32(00000000,00000001), ref: 00DCB842
SetTextColor.GDI32(00000000), ref: 00DCB887
GetWindowLongW.USER32(00000000), ref: 00DCB89B
SendMessageW.USER32(00000000), ref: 00DCB8B9
SelectObject.GDI32(00000000,?), ref: 00DCB914

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ObjectSelectWindow$CallColorLongMessageModeProcSendText
String ID:
API String ID: 2603541667-0
Opcode ID: b52ad3d42849889c6ae673c94fb94f04802f36b87d9fb08f2591e91ad5c7fdd6
Instruction ID: aa76d60636528852f268b7edea83f1a5a7396e03293d3aaa72d177fbc97e08db
Opcode Fuzzy Hash: b52ad3d42849889c6ae673c94fb94f04802f36b87d9fb08f2591e91ad5c7fdd6
Instruction Fuzzy Hash: 8D716971A00349AFEB05DFA8CC49FADBBB5FF48310F148219F915AB2A5CB71A815DB50

Function 00DEC870 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 166synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00DEC9E6
GetLastError.KERNEL32 ref: 00DEC9F7
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00DECA13
GetExitCodeProcess.KERNEL32(00000000,00EEC5B7), ref: 00DECA24
CloseHandle.KERNEL32(00000000), ref: 00DECA32

Strings

open, xrefs: 00DEC907

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CloseCodeErrorExecuteExitHandleLastObjectProcessShellSingleWait
String ID: open
API String ID: 1481985272-2758837156
Opcode ID: e1ed00b0771a8a84c8eef9057ad3ee27f0c453abbcc2781165cf29171046e68b
Instruction ID: f75da1407ad9dd7861d59becad44484b28f23d455ecf9839006e6944c8bb2e2e
Opcode Fuzzy Hash: e1ed00b0771a8a84c8eef9057ad3ee27f0c453abbcc2781165cf29171046e68b
Instruction Fuzzy Hash: 89615C71D006899FDB10DF69C84479EBBB4FF45325F18826AE825AB391D7749D01CFA0

Function 00CE8120 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00F9957C,93D979FF,00000000,00F99598), ref: 00CE8193
LeaveCriticalSection.KERNEL32(00F9957C), ref: 00CE81F8
LoadCursorW.USER32(00CD0000,000000FF), ref: 00CE8254
LeaveCriticalSection.KERNEL32(00F9957C), ref: 00CE82EB

Strings

ATL:%p, xrefs: 00CE8274
4w, xrefs: 00CE81F8, 00CE82EB

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$Leave$CursorEnterLoad
String ID: 4w$ATL:%p
API String ID: 2080323225-2526386464
Opcode ID: 062caf7c572077971ba5426f489dece88c8b068081991d7c5ce9b4570fb717c7
Instruction ID: 0ef02ffe7000eed67fa32907b1e1cb6e1f9c87e34d2002ec3492c4359828b8e9
Opcode Fuzzy Hash: 062caf7c572077971ba5426f489dece88c8b068081991d7c5ce9b4570fb717c7
Instruction Fuzzy Hash: 6E51D171D04B488BDB21CF69C9457AAF7F4FF18714F00461DE9AAA3690EB71BA84CB50

Function 00CDF7D8 Relevance: 10.6, APIs: 7, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 00CDF804
SysFreeString.OLEAUT32(00000000), ref: 00CDF879
GetProcessHeap.KERNEL32(?,?), ref: 00CDF8E9
HeapFree.KERNEL32(00000000,?,?), ref: 00CDF8EF
GetProcessHeap.KERNEL32(?,00000000,?,00000000), ref: 00CDF91C
HeapFree.KERNEL32(00000000,?,00000000,?,00000000), ref: 00CDF922
SysFreeString.OLEAUT32(00000000), ref: 00CDF93A

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Free$Heap$String$Process
String ID:
API String ID: 2680101141-0
Opcode ID: f59ea368e5403680fac55bd00fca973f738e8200da8f4ef9cc2337feacb3d5df
Instruction ID: 6402fa9c826a868912f0705b6767bfd33b598760fd2b80024546e9efd34eb945
Opcode Fuzzy Hash: f59ea368e5403680fac55bd00fca973f738e8200da8f4ef9cc2337feacb3d5df
Instruction Fuzzy Hash: F151AC70D002599FDF10EFA4C854BAEBBB8BF05310F14416EE526BB381C7389A02DBA1

Function 00CF7950 Relevance: 10.6, APIs: 7, Instructions: 125COMMON

Download Yara Rule

APIs

GetWindowDC.USER32(?,93D979FF,?,00000000,?,?,?,?,?,00000000,00EB2BE5,000000FF,?,00CF7692,?,?), ref: 00CF7992
GetWindowRect.USER32(?,?), ref: 00CF79B1
IsWindowEnabled.USER32(?), ref: 00CF79C0
SelectObject.GDI32(00000000,00000000), ref: 00CF7A1E
SelectObject.GDI32(?,?), ref: 00CF7A62
DeleteObject.GDI32(00000000), ref: 00CF7A71
DeleteDC.GDI32(?), ref: 00CF7A94

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ObjectWindow$DeleteSelect$EnabledRect
String ID:
API String ID: 2818206005-0
Opcode ID: 795bea1593602ffdec87a56ecd5c7a44ddb95bd5c31bfd3bc0d72405d6ae080a
Instruction ID: 359f9806be3924bf10707dfe261374b05d700d9c1d95fe248c8656852e536abe
Opcode Fuzzy Hash: 795bea1593602ffdec87a56ecd5c7a44ddb95bd5c31bfd3bc0d72405d6ae080a
Instruction Fuzzy Hash: C2416F71A04319AFDB14DFA5DD88BAEBBB9FF88710F10426AF905A3290D7746D00DB60

Function 6CAA0F20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6CAA0F57
___except_validate_context_record.LIBVCRUNTIME ref: 6CAA0F5F
_ValidateLocalCookies.LIBCMT ref: 6CAA0FE8
__IsNonwritableInCurrentImage.LIBCMT ref: 6CAA1013
_ValidateLocalCookies.LIBCMT ref: 6CAA1068

Strings

csm, xrefs: 6CAA0FFD

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: dc8438458ef141b44e7a02f89a15bf0e6ea340292ebc27d991c7317a70ee76eb
Instruction ID: 3bb91d22208d3fc75054069b959c6672a4a113355a13f757b301391cd1cd4ff4
Opcode Fuzzy Hash: dc8438458ef141b44e7a02f89a15bf0e6ea340292ebc27d991c7317a70ee76eb
Instruction Fuzzy Hash: F3419334A01249EFCF00CFA9C980A9EBBB5FF4931CF148155E915AB751D731EA9ACB90

Function 00DEC720 Relevance: 10.6, APIs: 7, Instructions: 108processsynchronizationCOMMON

Download Yara Rule

APIs

Wow64DisableWow64FsRedirection.KERNEL32(00000000,93D979FF,00000010), ref: 00DEC767
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,93D979FF,00EEC52D), ref: 00DEC7DF
GetLastError.KERNEL32 ref: 00DEC7F0
WaitForSingleObject.KERNEL32(00EEC52D,000000FF), ref: 00DEC80C
GetExitCodeProcess.KERNEL32(00EEC52D,00000000), ref: 00DEC81D
CloseHandle.KERNEL32(00EEC52D), ref: 00DEC827
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00DEC842

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
String ID:
API String ID: 1153077990-0
Opcode ID: 342dd5bc8269d714272b33d24d1569672fcad27217532d001434957a0493b3e7
Instruction ID: 76a6bfb984d115306a37a3f86cce9c31abcc151876f7d10f228e4c0ee002d713
Opcode Fuzzy Hash: 342dd5bc8269d714272b33d24d1569672fcad27217532d001434957a0493b3e7
Instruction Fuzzy Hash: 16417E31E04389ABDB10CFA5CD487AEBBF8BF49314F145259E824A6290E7749940CBA0

Function 00DF5290 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,?,?,?,?,00E00731,?,93D979FF,?,?), ref: 00DF52AB
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00DF52C1
FreeLibrary.KERNEL32(00000000), ref: 00DF52FA
FreeLibrary.KERNEL32(00000000,?,?,?,?,00E00731,?,93D979FF,?,?), ref: 00DF5316

Strings

DllGetVersion, xrefs: 00DF52BB
Shlwapi.dll, xrefs: 00DF52AA

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll
API String ID: 1386263645-2240825258
Opcode ID: 470cb3f0deae15365058f57f6a794e51621d264dae7c742e8b9320f11ea6f453
Instruction ID: 824ce440cba96f0da2c62bbc871ff723dd0bbe161fae98cb49109715cb81fdab
Opcode Fuzzy Hash: 470cb3f0deae15365058f57f6a794e51621d264dae7c742e8b9320f11ea6f453
Instruction Fuzzy Hash: 34219F726047068BC700AF29E84167BB7E4FFDA710B80092DF689D3251FBB599049BA3

Function 00E9E202 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00E9E30F,0000000C,00E9A813,?,00000000,00000000,?,00E9E579,00000021,FlsSetValue,00F0E06C,00F0E074,?), ref: 00E9E2C3

Strings

api-ms-, xrefs: 00E9E259
ext-ms-, xrefs: 00E9E26D

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: b664da742ee82258364ffc5266cf14c6ee6b42d1ea188e8aaa74e2988ccc0b13
Instruction ID: 56ec9fd7e55229c0e98e2bce8d4b39b1b414a25782b1d9368d15b644dc774162
Opcode Fuzzy Hash: b664da742ee82258364ffc5266cf14c6ee6b42d1ea188e8aaa74e2988ccc0b13
Instruction Fuzzy Hash: 0721DA31A01219E7CF22DBA5EC41A9A375DAB427A4F252110FF15B73E1EB70ED01E6D1

Function 00E8191C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00E81997,00E818FA,00E81B9B), ref: 00E81933
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00E81949
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00E8195E

Strings

AcquireSRWLockExclusive, xrefs: 00E81943
KERNEL32.DLL, xrefs: 00E8192E
ReleaseSRWLockExclusive, xrefs: 00E81953

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 07dd8977cd7743a7c37d3fde9ba9c30a89d381b8471ce4d293c68f6d7b299a0a
Instruction ID: 5dde76d2a2052ef3d2b87fc1e70fdc47d088b4eedfa60f96807167f5be38698d
Opcode Fuzzy Hash: 07dd8977cd7743a7c37d3fde9ba9c30a89d381b8471ce4d293c68f6d7b299a0a
Instruction Fuzzy Hash: 3FF0C8316193219B8F217FB45CA067BB2EE6A8135830420BAD44EF3561E695CD43F7D1

Function 00D0DAC0 Relevance: 9.1, APIs: 6, Instructions: 140COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D0DAFD
std::_Lockit::_Lockit.LIBCPMT ref: 00D0DB1F
std::_Lockit::~_Lockit.LIBCPMT ref: 00D0DB47
__Getcoll.LIBCPMT ref: 00D0DC11
std::_Facet_Register.LIBCPMT ref: 00D0DC56
std::_Lockit::~_Lockit.LIBCPMT ref: 00D0DC8E

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID:
API String ID: 1184649410-0
Opcode ID: 2c2b36820e787a6903a512ecd5b89ff4f477c7f0b9cad48993c74314fd99070b
Instruction ID: c9ff886466f469660f8bc4de5af5fb04937fc2cad3fcd4d247fee65bff1257b0
Opcode Fuzzy Hash: 2c2b36820e787a6903a512ecd5b89ff4f477c7f0b9cad48993c74314fd99070b
Instruction Fuzzy Hash: 6E51ABB0805208EFDB01DF98E981B9DBBF1FF44310F24415EE819AB291DB74AA05DBA1

Function 00E21670 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 136COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00E216D1

Strings

Local Network Server, xrefs: 00E21E58, 00E21E6A, 00E21E74
FTP Server, xrefs: 00E220B8, 00E220CA, 00E220D4
HTTP/1.0, xrefs: 00E224C8
*/*, xrefs: 00E22450
GET, xrefs: 00E21859

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorLast
String ID: */*$FTP Server$GET$HTTP/1.0$Local Network Server
API String ID: 1452528299-1822174798
Opcode ID: 4ea1650d93aa0e2da9d3832653ab7e60658df4ec5b43037748fa4be99bee7218
Instruction ID: 85fb0f7886a3866c5f4223ab0171d3c570e8cfcee02d91e03507c6b9509ba199
Opcode Fuzzy Hash: 4ea1650d93aa0e2da9d3832653ab7e60658df4ec5b43037748fa4be99bee7218
Instruction Fuzzy Hash: 2641C371A002199BDB10EFA4DC45BAEB7F8EF55314F10456AE914B7281DB749A00CBA1

Function 00E86303 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E862FA,00E862C6,?,?,00D0AEBD,00DE9A40,?,00000008), ref: 00E86311
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E8631F
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E86338
SetLastError.KERNEL32(00000000,00E862FA,00E862C6,?,?,00D0AEBD,00DE9A40,?,00000008), ref: 00E8638A

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7e59c1ebd0cb22dc36ece59c84a6fee1e65125b28e79e49446426ff9a437b4f5
Instruction ID: 7231f709144ff4441284aed83b1ae2c24d73a120f25444541dce36994057cb73
Opcode Fuzzy Hash: 7e59c1ebd0cb22dc36ece59c84a6fee1e65125b28e79e49446426ff9a437b4f5
Instruction Fuzzy Hash: 2201D4326096165EAB2537F4BCC56BA3698FB817B8320223AF52CB51F2FE524C606350

Function 00CD87E0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 238COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00CD88C5
__Init_thread_footer.LIBCMT ref: 00CD893F

Strings

<a>, xrefs: 00CD8AF1
</a>, xrefs: 00CD8A49
<a href=", xrefs: 00CD8887

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer
String ID: </a>$<a href="$<a>
API String ID: 1385522511-4210067781
Opcode ID: 7094d77811d4d9757f8af5d32c61e9a9bad480b560ec14e3969d1f5d1e46cf5f
Instruction ID: 86a87e176c8e1d13e860c91a7e1569bd6c04a2e35886c8ee56ea7fd2036f1097
Opcode Fuzzy Hash: 7094d77811d4d9757f8af5d32c61e9a9bad480b560ec14e3969d1f5d1e46cf5f
Instruction Fuzzy Hash: FEA1F1B0A04304EFCB15DFA8D845BADB7B1FB44310F15421EE129AB3D1EB70AA45EB51

Function 00D062C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 182windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,SysTabControl32,?,46010000,?,?,?,?,00000000,00000309,00000000), ref: 00D063BD
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00D063D2
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00D063DA

Part of subcall function 00CD9980: RtlAllocateHeap.NTDLL(?,00000000,?,93D979FF,00000000,00EAC6B0,000000FF,?,?,00F8C42C,00000000,00E2ECDB,80004005,93D979FF,?,?), ref: 00CD99CA

Part of subcall function 00D08190: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D081D8

Strings

SysTabControl32, xrefs: 00D063B5
TabHost, xrefs: 00D06349, 00D0635B, 00D06365

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend$AllocateCreateHeapWindow
String ID: SysTabControl32$TabHost
API String ID: 2359350451-2872506973
Opcode ID: 9456e2895882d69148355c6e837d9c5cfcbffc00b531785cc84fb6047015c2f4
Instruction ID: 7cc828bcac00abcdac0050c7a8c44f3804b8be6382345fcf7f52feb4ec25a80b
Opcode Fuzzy Hash: 9456e2895882d69148355c6e837d9c5cfcbffc00b531785cc84fb6047015c2f4
Instruction Fuzzy Hash: 2F518D75A00605AFDB14DF68C844BAEBBF5FF49710F14426EE919A7391DB71E900CBA0

Function 00CF2650 Relevance: 7.7, APIs: 5, Instructions: 237windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000001), ref: 00CF26C2
GetParent.USER32(00000001), ref: 00CF26ED
SendMessageW.USER32(00000000,00000138,?,00000001), ref: 00CF26FD
FillRect.USER32(?,?,00000000), ref: 00CF270B
ReleaseDC.USER32(00000001,00000000), ref: 00CF28E1

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: FillMessageParentRectReleaseSend
String ID:
API String ID: 2215362955-0
Opcode ID: 9f9867b3abd7ec8362719b4b23191b5ee96002f15e559c26ac0c51a79800c4dd
Instruction ID: bd08008321868ccd2dc11d3d0e95fe7d726669b9311d4b11f5889ac5716eab62
Opcode Fuzzy Hash: 9f9867b3abd7ec8362719b4b23191b5ee96002f15e559c26ac0c51a79800c4dd
Instruction Fuzzy Hash: AF9138B1A00709AFDB15DFA5CD48BAEBBB4FF08300F14412AEA15E7290D731A915DB90

Function 00DCB3E0 Relevance: 7.7, APIs: 5, Instructions: 151windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(?,93D979FF,?,?,00000000,?,?,?,?,?,?,?,?,00000000,00EE6F5D,000000FF), ref: 00DCB410
GetWindowRect.USER32(?,?), ref: 00DCB430
IsWindowEnabled.USER32(?), ref: 00DCB461
GetFocus.USER32 ref: 00DCB46F
DeleteDC.GDI32(?), ref: 00DCB585

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$DeleteEnabledFocusRect
String ID:
API String ID: 733580484-0
Opcode ID: 8dad7abe82cc47a8fcf903d71abf51bf92b552061eda735896e55be6a80ecb05
Instruction ID: 2207a9a07481fbd1868f0f5bb5bd06d17e7c07c5f2ea6e9cb693e857ef8730ac
Opcode Fuzzy Hash: 8dad7abe82cc47a8fcf903d71abf51bf92b552061eda735896e55be6a80ecb05
Instruction Fuzzy Hash: 9B514471A04709EFDB24DFA4D949BEEBBF8FF08310F24415AE446A3290DB71A944DB24

Function 00CEB240 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00CEB31C
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CEB32B
ReleaseDC.USER32(00000000), ref: 00CEB372

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-0
Opcode ID: 018b6925a5e9d963e9fad1a5aeb0235dfefc64643b161e1b012db9b6a7a6d9b8
Instruction ID: 329dcf96ebb55f48c6a9c3789a1e33864090c4a264a758735219e6a9caa9b59c
Opcode Fuzzy Hash: 018b6925a5e9d963e9fad1a5aeb0235dfefc64643b161e1b012db9b6a7a6d9b8
Instruction Fuzzy Hash: 865109B5904749EFDB14DFA9C889BAE7BF8EF08311F10412AF915E7291DB349A04DB60

Function 00CE5780 Relevance: 7.6, APIs: 5, Instructions: 125windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00CE57DE
GetDlgItem.USER32(?,?), ref: 00CE5803
SendMessageW.USER32(?,?,?,?), ref: 00CE58CD

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ItemMessageSendWindow
String ID:
API String ID: 799199299-0
Opcode ID: 058f7608355d91d961dbc85e1a52993778ae1fea27835b7627ff862150a1f23e
Instruction ID: 9a9279d9f38a496eaa91ab94a2e2a0ce89b6035776a5f1295a116daad665bd4a
Opcode Fuzzy Hash: 058f7608355d91d961dbc85e1a52993778ae1fea27835b7627ff862150a1f23e
Instruction Fuzzy Hash: E141F032340B85EFC728CF1AD894A76B7E9FB44315F14892AE556CA1A1C732ED10EB60

Function 00DCB5B0 Relevance: 7.6, APIs: 5, Instructions: 124windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00DCB60E

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

IsWindowEnabled.USER32(?), ref: 00DCB644
GetFocus.USER32 ref: 00DCB654
GetDC.USER32(?), ref: 00DCB684

Part of subcall function 00DF0B20: SelectObject.GDI32(?,?), ref: 00DF0B83
Part of subcall function 00DF0B20: SetTextColor.GDI32(?,?), ref: 00DF0BCF
Part of subcall function 00DF0B20: SelectObject.GDI32(?,?), ref: 00DF0BF9

CallWindowProcW.USER32(?,?,?,?,?), ref: 00DCB6B3

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footerObjectSelectWindow$CallClientColorEnabledFocusHeapProcProcessRectText
String ID:
API String ID: 1237246694-0
Opcode ID: 844d10aa9bcad9f831ebb3a2cbfa0f37d034f2c167df5fa854b99a83af082667
Instruction ID: baad9c6d3410396d0db09a81b97ec496495a15fcebf1eafd17732f78f17adfd3
Opcode Fuzzy Hash: 844d10aa9bcad9f831ebb3a2cbfa0f37d034f2c167df5fa854b99a83af082667
Instruction Fuzzy Hash: 5F410A7190020ADFDF01DF64C985BE9BBB8FF08320F18816AE915AB2A1DB31D954DF60

Function 00DE5610 Relevance: 7.6, APIs: 5, Instructions: 122COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00DE5644
std::_Lockit::_Lockit.LIBCPMT ref: 00DE5666
std::_Lockit::~_Lockit.LIBCPMT ref: 00DE568E
std::_Facet_Register.LIBCPMT ref: 00DE5777
std::_Lockit::~_Lockit.LIBCPMT ref: 00DE57A1

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: cef1d61f627996ac701bf8dc4f6b461e79c4f582d28352988a48526283392274
Instruction ID: 4fac13653b3a1daffd422a9ed2a05cc18cc41d89751b9530b16c0d02be860711
Opcode Fuzzy Hash: cef1d61f627996ac701bf8dc4f6b461e79c4f582d28352988a48526283392274
Instruction Fuzzy Hash: 3F51D170904649DFDB11EF98E84079EBBF0EF01358F24815DD849AB381D7B5AA05DBA0

Function 00CEE7F0 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000FC,00000000), ref: 00CEE839
GetClientRect.USER32(?,?), ref: 00CEE85F
GetParent.USER32(?), ref: 00CEE86D

Part of subcall function 00E84245: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00E135FE,?,?,?,?,?,?), ref: 00E8424A
Part of subcall function 00E84245: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 00E84251

SetWindowLongW.USER32(?,000000EB), ref: 00CEE8A0
ShowWindow.USER32(?,00000000), ref: 00CEE8B6

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$HeapLong$AllocClientParentProcessRectShow
String ID:
API String ID: 3563161840-0
Opcode ID: 843b31b40153196fd888ec205ce942b32837f0c190b913434c3ada2eeaecfccd
Instruction ID: 8a6bd659f446a35042f5139116f1b55f492535f58ef9b17e3222ffdad3383cc2
Opcode Fuzzy Hash: 843b31b40153196fd888ec205ce942b32837f0c190b913434c3ada2eeaecfccd
Instruction Fuzzy Hash: 1C2185745047469FD720EF29D904D2BBBE8FF59750B404A2EF49AD36A1EB30E804CB61

Function 6CA9EA99 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CA9EAA0
std::_Lockit::_Lockit.LIBCPMT ref: 6CA9EAAA

Part of subcall function 6CA8C9B0: std::_Lockit::_Lockit.LIBCPMT ref: 6CA8C9E0
Part of subcall function 6CA8C9B0: std::_Lockit::~_Lockit.LIBCPMT ref: 6CA8CA08

codecvt.LIBCPMT ref: 6CA9EAE4
std::_Facet_Register.LIBCPMT ref: 6CA9EAFB
std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9EB1B

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: d914f299e33017790902b2cdcaf1bbc701bcacc6d735687f5653259aab055153
Instruction ID: 1e039af6024d6dc4f50f0ad1634d9b116e91830ba5f065bd01c629e021f0cae2
Opcode Fuzzy Hash: d914f299e33017790902b2cdcaf1bbc701bcacc6d735687f5653259aab055153
Instruction Fuzzy Hash: 8E210732A10114AFDB00DF98D541AEEB7F4BF45328F144119E405AB781DB70ED8D8BD1

Function 00CDF230 Relevance: 7.6, APIs: 5, Instructions: 60memorywindowCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CDF27A
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00CDF280
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00CDF2A3
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00EAE1F6,000000FF), ref: 00CDF2CB
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,00EAE1F6,000000FF), ref: 00CDF2D1

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Heap$FreeProcess$FormatMessage
String ID:
API String ID: 1606019998-0
Opcode ID: 00bcda696ecaf6dee00790373ed8c80f2db402571057e8273c1b4b2ba2184fbe
Instruction ID: 49c13b73b1074f5533c093a17a2ea53d2fe617fc048c28985098cc26ea205120
Opcode Fuzzy Hash: 00bcda696ecaf6dee00790373ed8c80f2db402571057e8273c1b4b2ba2184fbe
Instruction Fuzzy Hash: A1111FB1A44259AAEB10EF94CC05BAFBBFCFB04704F10055AF515BB281D7B555048791

Function 00CF71B0 Relevance: 7.6, APIs: 5, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00CF71BB
SendMessageW.USER32(?,?,?,0000102B), ref: 00CF7218
SendMessageW.USER32(?,?,?,0000102B), ref: 00CF7267
SendMessageW.USER32(?,00001043,00000000,00000000), ref: 00CF7278
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00CF7285

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: a37c3dd850fae1f7c1e85f689c0ba6d295bb95f3fdcca22db02f4dc32aee8d30
Instruction ID: 3c7ec9dea353e4380bcbe4bfad5b8ea429ab5a84a259aa616d88c843469ab000
Opcode Fuzzy Hash: a37c3dd850fae1f7c1e85f689c0ba6d295bb95f3fdcca22db02f4dc32aee8d30
Instruction Fuzzy Hash: A621513195878AA6D220DF11CD44B1ABBF1BFED758F206B0EF1D0211A4E7F195848E86

Function 6CA80B80 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 338COMMON

Download Yara Rule

Strings

ProductCode, xrefs: 6CA804C0, 6CA81096
UpgradeCode, xrefs: 6CA80348
UILevel, xrefs: 6CA80E58
OLDPRODUCTS, xrefs: 6CA8109D
ProductVersion, xrefs: 6CA80D51

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: CountCreateGuidTick
String ID: OLDPRODUCTS$ProductCode$ProductVersion$UILevel$UpgradeCode
API String ID: 1175376463-174774698
Opcode ID: cc5ceea294e2732eee3deb7182a604afdf8f10e2a3228eff8d38690da2813ae7
Instruction ID: 42c684a9d57fb100845feae4a920935c985eb478d4babe323ee5aa47d2a454a7
Opcode Fuzzy Hash: cc5ceea294e2732eee3deb7182a604afdf8f10e2a3228eff8d38690da2813ae7
Instruction Fuzzy Hash: D6E18D71E01288CFDB00CFA8CA597EEBBB1BF45318F24821DD405AB791D7756A89CB91

Function 00D03570 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 319windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,RichEdit20W,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00D0371C
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00D03731
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00D03739

Part of subcall function 00CD9980: RtlAllocateHeap.NTDLL(?,00000000,?,93D979FF,00000000,00EAC6B0,000000FF,?,?,00F8C42C,00000000,00E2ECDB,80004005,93D979FF,?,?), ref: 00CD99CA

Strings

RichEdit20W, xrefs: 00D03714

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend$AllocateCreateHeapWindow
String ID: RichEdit20W
API String ID: 2359350451-4173859555
Opcode ID: 9dc810ac9c775cfa60b2a2ec72adf687d241e31edb46dda735007ddf47d01384
Instruction ID: d76c2927fdfc0cadfd980fe841dbcae8270a3372e8b49cc06eeba810b77625d0
Opcode Fuzzy Hash: 9dc810ac9c775cfa60b2a2ec72adf687d241e31edb46dda735007ddf47d01384
Instruction Fuzzy Hash: A3B16B75A012099FDB14CFA8C894BEEBBF8FF49710F144169E905AB391DB71AD40CBA0

Function 00CFD870 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 226windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD9980: RtlAllocateHeap.NTDLL(?,00000000,?,93D979FF,00000000,00EAC6B0,000000FF,?,?,00F8C42C,00000000,00E2ECDB,80004005,93D979FF,?,?), ref: 00CD99CA

Part of subcall function 00DCA0B0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00CF66F8,00000000,80004005), ref: 00DCA118
Part of subcall function 00DCA0B0: RedrawWindow.USER32(?,00000000,00000000,00000541,?,?,?,000000EF,?,00CF66F8,00000000,80004005), ref: 00DCA129
Part of subcall function 00DCA0B0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00DCA148

SendMessageW.USER32(?,00001036,00000004,00000004), ref: 00CFDA2D
SendMessageW.USER32(?,00001036,00000400,00000400), ref: 00CFDA44
SendMessageW.USER32(?,00001061,00000000,?), ref: 00CFDAA0

Strings

QuickSelectionList, xrefs: 00CFD962, 00CFD974, 00CFD97E

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend$Window$AllocateHeapRedraw
String ID: QuickSelectionList
API String ID: 884508843-3633591268
Opcode ID: 1110ea51a0851f54f24fdea1fb4be8396537557996af22e0f908d5bc70e036c6
Instruction ID: d1177dbee67d8de0fddd8ce117ed61078c851ce4d1d68dbbaea6572f53d15638
Opcode Fuzzy Hash: 1110ea51a0851f54f24fdea1fb4be8396537557996af22e0f908d5bc70e036c6
Instruction Fuzzy Hash: 43819C71A0020A9FCB14DF69C884BEAF7B5FF88314F14425DE566A7290DB75AE04CBA1

Function 6CAA3C1B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6CAA3C40
CatchIt.LIBVCRUNTIME ref: 6CAA3D26

Strings

RCC, xrefs: 6CAA3C5A
MOC, xrefs: 6CAA3C52

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: a81f8b133010cbd7a60ed905709185dac970abeefb7fa66381f1408506d2ff7e
Instruction ID: 338b09151e8d1fa01737f4adbcbbcc4f9b00fbc3549a4b531e62f1416a66be11
Opcode Fuzzy Hash: a81f8b133010cbd7a60ed905709185dac970abeefb7fa66381f1408506d2ff7e
Instruction Fuzzy Hash: 7E416676901209EFCF06CFD4CD80AEE7BB5AF48308F188599F956A7210D335DA96CB50

Function 00CDF600 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00CDF642
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00CDF648

Strings

RoOriginateLanguageException, xrefs: 00CDF638
combase.dll, xrefs: 00CDF63D

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 2574300362-3996158991
Opcode ID: 98e3a2fdb645a104ac6002ae0d54f843dcdef9e414f8610ce9928ab5c46f79b4
Instruction ID: 0a7ca57286f817ebbff5e9a23bf63f23655e09b67bdd32cfc563d925163bf9af
Opcode Fuzzy Hash: 98e3a2fdb645a104ac6002ae0d54f843dcdef9e414f8610ce9928ab5c46f79b4
Instruction Fuzzy Hash: B5315A719002099ADB10DFA8CC41BEEBBB4FB04314F10852BE925A73D0DB749B45DB91

Function 00E214E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00E1F23A,?,93D979FF,?,?,?,?,?,00EF62A5), ref: 00E214ED
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00E1F23A,?,93D979FF,?,?,?,?,?,00EF62A5), ref: 00E2150E
GetLastError.KERNEL32(00E1F23A,?,93D979FF,?,?,?,?,?,00EF62A5,000000FF,?,00E1EB6D,?,?,00000000), ref: 00E2156E

Strings

AdvancedInstaller, xrefs: 00E21556

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CreateEvent$ErrorLast
String ID: AdvancedInstaller
API String ID: 1131763895-1372594473
Opcode ID: c77f28d8307de89772568c0d9fb197603e7f9de91ff7b4fa762c8d68a4d51162
Instruction ID: e49885bf0ae87fe95b42eed13b85f8c2aa0632f06220cbeca0b85d9a5d65a963
Opcode Fuzzy Hash: c77f28d8307de89772568c0d9fb197603e7f9de91ff7b4fa762c8d68a4d51162
Instruction Fuzzy Hash: 9E117C31380712ABE720DF30DD89F16BBA4FB98708F2044A4F5069B290DBB1E901DB90

Function 00CE8320 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00F9957C), ref: 00CE835C
GetCurrentThreadId.KERNEL32 ref: 00CE8370
LeaveCriticalSection.KERNEL32(00F9957C), ref: 00CE83AF

Strings

4w, xrefs: 00CE83AF

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread
String ID: 4w
API String ID: 2351996187-3778465916
Opcode ID: 957a8ba456cc3728ebc8e5c5f33cd5b4b5faf6969d41894295d2ad09e8d763ce
Instruction ID: 7866d2b4a8d131ed9709a0dd3f70eeaf07a806842cbefdaf7bc68f58f1053407
Opcode Fuzzy Hash: 957a8ba456cc3728ebc8e5c5f33cd5b4b5faf6969d41894295d2ad09e8d763ce
Instruction Fuzzy Hash: EF11E631D08258CBDB11CF1AD80475BFBF4FB48B10F15465ED826933A0D7B159049B90

Function 00E8942C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00E893DD,?,?,00000000,?,?,?,00E89507,00000002,FlsGetValue,00F0B154,00F0B15C), ref: 00E89439
GetLastError.KERNEL32(?,00E893DD,?,?,00000000,?,?,?,00E89507,00000002,FlsGetValue,00F0B154,00F0B15C,?,?,00E86324), ref: 00E89443
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00E8946B

Strings

api-ms-, xrefs: 00E89450

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 125265551628e90502338e3d7939f1812225faae829f28836213796d4bedb23d
Instruction ID: 73a61befa961da1d7e05bb820f7e27fbcc70b1a173c54b489171944ba1e393c4
Opcode Fuzzy Hash: 125265551628e90502338e3d7939f1812225faae829f28836213796d4bedb23d
Instruction Fuzzy Hash: 30E04F3068420CF7EF202F70FC46B693B59AB00B45F148020FA4EB80E3E7A1EA11A745

Function 6CAB2865 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(461C95ED,?,00000000,?), ref: 6CAB28C8

Part of subcall function 6CAB653C: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6CAB14B5,?,00000000,-00000008), ref: 6CAB65E8

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CAB2B23
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CAB2B6B
GetLastError.KERNEL32 ref: 6CAB2C0E

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 3c436e7a8ede534637421da3e0324c1455bee4ff59e26cb1359378c3295df8a2
Instruction ID: ee047b6b417fbb342dfc776b64a4957a15f975d9cb89f4381e9cc1dafaa0c1db
Opcode Fuzzy Hash: 3c436e7a8ede534637421da3e0324c1455bee4ff59e26cb1359378c3295df8a2
Instruction Fuzzy Hash: B1D149B5E042499FCB05CFA8C8849DDBBB9FF49314F28462AE855F7741D730A986CB50

Function 00CF6560 Relevance: 6.3, APIs: 4, Instructions: 320windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00CF66A8
SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00CF66BD

Part of subcall function 00CD9980: RtlAllocateHeap.NTDLL(?,00000000,?,93D979FF,00000000,00EAC6B0,000000FF,?,?,00F8C42C,00000000,00E2ECDB,80004005,93D979FF,?,?), ref: 00CD99CA

Part of subcall function 00DCA0B0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00CF66F8,00000000,80004005), ref: 00DCA118
Part of subcall function 00DCA0B0: RedrawWindow.USER32(?,00000000,00000000,00000541,?,?,?,000000EF,?,00CF66F8,00000000,80004005), ref: 00DCA129
Part of subcall function 00DCA0B0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00DCA148

SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00CF67F3
SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00CF68EF

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend$Window$AllocateHeapRedraw
String ID:
API String ID: 884508843-0
Opcode ID: 4e0fb8c1f07b4a32223c3e666b9dd1b60dfbfc165a761e0591c5a6018abc6774
Instruction ID: 8a5f0c3398682af39ffe1b500d86c7c39ce91aa7cca842e5c104cb4f2c53739e
Opcode Fuzzy Hash: 4e0fb8c1f07b4a32223c3e666b9dd1b60dfbfc165a761e0591c5a6018abc6774
Instruction Fuzzy Hash: 43C1A071A00209DFDB18DFA8C895BEEFBB5FF48314F144219E525AB2D0DB75A940CBA1

Function 00CE49D0 Relevance: 6.3, APIs: 4, Instructions: 269memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 00CE4A9A
SysFreeString.OLEAUT32(00000000), ref: 00CE4AE6
SysFreeString.OLEAUT32(00000000), ref: 00CE4B08
SysFreeString.OLEAUT32(00000000), ref: 00CE4C63

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 94960f26fe35e5d15859c69b9800689c26bb3e301f37787e9dd3b01f1ed0a5e6
Instruction ID: 5a37cfcba09bb4d1cf29d3a95931e2cd0af09f87a8c7721fd2c69d259b5dfa7d
Opcode Fuzzy Hash: 94960f26fe35e5d15859c69b9800689c26bb3e301f37787e9dd3b01f1ed0a5e6
Instruction Fuzzy Hash: 54A18371A00649DFDB15DFA9CC48FAFBBB8EF48724F104119E515E7290E774AA01CBA1

Function 00D00050 Relevance: 6.2, APIs: 4, Instructions: 246windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000001,0000110A,00000004,?), ref: 00D00125
SendMessageW.USER32(00000001,0000110A,00000001,00000000), ref: 00D00157
SendMessageW.USER32(?,0000110A,00000004,?), ref: 00D002CE
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00D002F6

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ef0b6bf548a615994e050693ec032776bd379b1005cffac38f36dbea5f2ce0a7
Instruction ID: d047e208ce26c9b0f28a31fa6429a48e1f1546afac593858b694b06455d9a103
Opcode Fuzzy Hash: ef0b6bf548a615994e050693ec032776bd379b1005cffac38f36dbea5f2ce0a7
Instruction Fuzzy Hash: D3915E71A00209EFCB25DF68D884BEEBBF5FF49310F084569E509AB2D1D770A845CBA5

Function 00DFAAD0 Relevance: 6.2, APIs: 4, Instructions: 199COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00DFAC21
GetForegroundWindow.USER32(?,00000000,?,?,93D979FF,00000010,?), ref: 00DFAC31
SetForegroundWindow.USER32(00000000), ref: 00DFAC6B

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

OutputDebugStringW.KERNEL32(00000010,93D979FF,00000010,?,?,93D979FF,00000010,?,?,93D979FF,00000010), ref: 00DFACBF

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$ForegroundInit_thread_footer$ActiveDebugHeapOutputProcessString
String ID:
API String ID: 1401059542-0
Opcode ID: c2378bc4ee40dfb7a53dff8c27dd79a3fd7e5f32701f5853f728694b5d84ea72
Instruction ID: 78d870ff32fa0b86366b0fb8d1383d9c9a448322d5425bfb2651a606c0541a4c
Opcode Fuzzy Hash: c2378bc4ee40dfb7a53dff8c27dd79a3fd7e5f32701f5853f728694b5d84ea72
Instruction Fuzzy Hash: 5F61F275A006499FDB14DB6CC8087BEBBB5EF45310F19C26DE91997391DB309D00CBA1

Function 00E232D0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00E23335

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

Strings

=m, xrefs: 00E239EA, 00E23A29, 00E23A34
4+, xrefs: 00E23A37
realm, xrefs: 00E2391D, 00E2392F, 00E23939

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$ErrorHeapLastProcess
String ID: 4+$=m$realm
API String ID: 1087724403-3748416252
Opcode ID: 764d55e63094f3aa3fbb5b043e51c2e2657928c0cd1fcafaec88f992bf57673d
Instruction ID: c4313d8c6d2385eed50bbd7a9edc3126d53f85dab2cd655d54cdeb39bc6459f5
Opcode Fuzzy Hash: 764d55e63094f3aa3fbb5b043e51c2e2657928c0cd1fcafaec88f992bf57673d
Instruction Fuzzy Hash: 7F51C571A0021A9BDB11FFB5DC85BAFB7A8EF40314F14516AE924A7342DB799A00CF61

Function 00CEF260 Relevance: 6.2, APIs: 4, Instructions: 183windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,00000000), ref: 00CEF2F9
GetParent.USER32(?), ref: 00CEF319
SendMessageW.USER32(00000000,00000135,?,?), ref: 00CEF329
FillRect.USER32(?,00000000,00000000), ref: 00CEF337

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Rect$ClientFillMessageParentSend
String ID:
API String ID: 425900729-0
Opcode ID: 3e6e9cae25f8450f03bb70667501f76e7c022d301ed77504bc6ece303274245a
Instruction ID: cc4dd648570a1252aba149ff549050c59ead32d6acc4e28e6912287696a91c2b
Opcode Fuzzy Hash: 3e6e9cae25f8450f03bb70667501f76e7c022d301ed77504bc6ece303274245a
Instruction Fuzzy Hash: 42816970A00759EFDB25DF64C948BAEBBB4FF08300F1081A9E509A7291DB70AE85DF50

Function 00CED470 Relevance: 6.2, APIs: 4, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00CED5A8
SysAllocString.OLEAUT32(00000000), ref: 00CED5BB
VariantClear.OLEAUT32(00000000), ref: 00CED5DD
VariantClear.OLEAUT32(?), ref: 00CED60E

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ClearVariant$AllocString
String ID:
API String ID: 2502263055-0
Opcode ID: 95acf64df5016150ff3f6e1feccb4adba06087a78d274ea847e74290565062cd
Instruction ID: d9d2d566b234b783f652cbc76b3cfa9d2133a4b66b4e8e9c3d9ea3379258153e
Opcode Fuzzy Hash: 95acf64df5016150ff3f6e1feccb4adba06087a78d274ea847e74290565062cd
Instruction Fuzzy Hash: FA51C6B6A0025DDBDB10CF65CC40B99B7B4EF48714F1085AAEA19E7281D735EA80CF94

Function 00D037F0 Relevance: 6.1, APIs: 4, Instructions: 107windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000C5,?,00000000), ref: 00D0383B
GetClientRect.USER32(?,?), ref: 00D0386D
GetDC.USER32(?), ref: 00D03880
GetDeviceCaps.GDI32(00000000), ref: 00D03887

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CapsClientDeviceMessageRectSend
String ID:
API String ID: 3507044913-0
Opcode ID: dd9eac15a4feb3cc05f9a8f9ba638191aaf0dd412ded2ae376163f0a4f4db0d8
Instruction ID: f0a21eeb34234ea563aa005f97b7dde65f00cac5e714f0d9440798bc451bd1b5
Opcode Fuzzy Hash: dd9eac15a4feb3cc05f9a8f9ba638191aaf0dd412ded2ae376163f0a4f4db0d8
Instruction Fuzzy Hash: 454181316143049FD721EF39CC46F9AB7E8BF88300F044A2AF589D71A1DB71A944CB91

Function 6CA7CBA0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 6CA78270: GetProcessHeap.KERNEL32 ref: 6CA782CC

MultiByteToWideChar.KERNEL32(00000003,00000000,https://collect.installeranalytics.com,000000FF,00000000,00000000), ref: 6CA7CC21
MultiByteToWideChar.KERNEL32(00000003,00000000,https://collect.installeranalytics.com,000000FF,461C95C9,-00000001), ref: 6CA7CC53

Strings

http://collect.installeranalytics.com, xrefs: 6CA7CBFE
https://collect.installeranalytics.com, xrefs: 6CA7CC07, 6CA7CC1C, 6CA7CC4E

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: ByteCharMultiWide$HeapProcess
String ID: http://collect.installeranalytics.com$https://collect.installeranalytics.com
API String ID: 2590121937-247959907
Opcode ID: b13c4b62f1ba8ae86a5c4b324f66a9555fb645efb64bd4c43a8d6c1a7f6e1242
Instruction ID: ada79b54af95eb0e6913ab2069073d1ab9b801cd8b4b7b5cbc64909736e4edbc
Opcode Fuzzy Hash: b13c4b62f1ba8ae86a5c4b324f66a9555fb645efb64bd4c43a8d6c1a7f6e1242
Instruction Fuzzy Hash: F031BE35704244AFDB24DFACC944B9DBBF9EB44728F20425EE515AB780CB7569048BA0

Function 00CE5660 Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00CE5714
IsChild.USER32(?,00000000), ref: 00CE571E
GetWindow.USER32(?,00000005), ref: 00CE572D
SetFocus.USER32(00000000), ref: 00CE5734

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Focus$ChildWindow
String ID:
API String ID: 501040988-0
Opcode ID: 6b86f9cf508533a4551e007426264065b287fbc4fbfec7a84c2a3a34f0d354eb
Instruction ID: 274f45d83608839f76dc844e40f8eed0adfa64d0e845722d013f0120aa232ac0
Opcode Fuzzy Hash: 6b86f9cf508533a4551e007426264065b287fbc4fbfec7a84c2a3a34f0d354eb
Instruction Fuzzy Hash: A831DB70614B0AEFDB04CF65CD49BAAB7B8FF08314F108219F425CB2A0DB71A920DB90

Function 6CAB6942 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6CAB653C: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6CAB14B5,?,00000000,-00000008), ref: 6CAB65E8

GetLastError.KERNEL32 ref: 6CAB69A6
__dosmaperr.LIBCMT ref: 6CAB69AD
GetLastError.KERNEL32(?,?,?,?), ref: 6CAB69E7
__dosmaperr.LIBCMT ref: 6CAB69EE

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 5719035e274fb3bcf4ef222f145864aff209a51d70d8b79f533fc5b31f24f638
Instruction ID: f0c9df7931066477f3f163692c1450f9f0fcb441fd69c77858db83b5f2595d06
Opcode Fuzzy Hash: 5719035e274fb3bcf4ef222f145864aff209a51d70d8b79f533fc5b31f24f638
Instruction Fuzzy Hash: 0E21B371604359AFDB089FA6C98095BB7BCFF003687088629F965E7B00D731EC89CB60

Function 6CAACF25 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd9698add140de4a4faa853aa6d82d719d748b65b7b943b83b9fd62f4dba868
Instruction ID: 922aac67a0430d77616be78d14014fea676cef545214424cd58b90355fa6549d
Opcode Fuzzy Hash: 2dd9698add140de4a4faa853aa6d82d719d748b65b7b943b83b9fd62f4dba868
Instruction Fuzzy Hash: 44218071608305AFE710AFEAC940D9E776CEF4536C7088615F915D7A50D732EC8ACB60

Function 6CAB78F1 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6CAB78F9

Part of subcall function 6CAB653C: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6CAB14B5,?,00000000,-00000008), ref: 6CAB65E8

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CAB7931
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CAB7951

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 4151d228a26f3b4f09f8ced9a1d3e8b53854e4b99117219f84c761af0e06b206
Instruction ID: 81f3d0bd982111ed9363460df58fa1495145b92ee2974cef93f09f037dd0d044
Opcode Fuzzy Hash: 4151d228a26f3b4f09f8ced9a1d3e8b53854e4b99117219f84c761af0e06b206
Instruction Fuzzy Hash: 9E1108B6505615BEE71517F65D88C9F7D7CDE462983044124F402E2700EB75DD8A86B1

Function 00CF29D0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,93D979FF), ref: 00CF2A3A
EnterCriticalSection.KERNEL32(?,93D979FF), ref: 00CF2A47
LeaveCriticalSection.KERNEL32(?), ref: 00CF2A98

Strings

4w, xrefs: 00CF2A98

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: 4w
API String ID: 3991485460-3778465916
Opcode ID: dfd6eb9f9eda1021eff9ec44d9e8bece437f7c4ee8ceb8a22acad7b41ae5efed
Instruction ID: 26d2619af15575251167cc3a37ab54096b90ac752968968394de092aa3b7c3df
Opcode Fuzzy Hash: dfd6eb9f9eda1021eff9ec44d9e8bece437f7c4ee8ceb8a22acad7b41ae5efed
Instruction Fuzzy Hash: C02102369043489FDF11CF24C840BE9BBB4FF16320F5001A9ED59AB392D3326A06DBA0

Function 00CF2AC0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,93D979FF), ref: 00CF2B2A
EnterCriticalSection.KERNEL32(?,93D979FF), ref: 00CF2B37
LeaveCriticalSection.KERNEL32(?), ref: 00CF2B7E

Strings

4w, xrefs: 00CF2B7E

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: 4w
API String ID: 3991485460-3778465916
Opcode ID: c59197e5932cb7ce0eb5c6d92a2cb00efa3c3642c48bfee1ab2ac81b5db93674
Instruction ID: fbe884aa9df591794f5c844a114771dfe37fcf33536d838436240bd52b27daf9
Opcode Fuzzy Hash: c59197e5932cb7ce0eb5c6d92a2cb00efa3c3642c48bfee1ab2ac81b5db93674
Instruction Fuzzy Hash: DF21F1369043489FDF11CF24C840BE9BBB4FF15324F1005A9ED59AB392D732A905DB90

Function 00CF2910 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,93D979FF,?), ref: 00CF296D
EnterCriticalSection.KERNEL32(?,93D979FF,?), ref: 00CF297A
LeaveCriticalSection.KERNEL32(?), ref: 00CF29A2

Strings

4w, xrefs: 00CF29A2

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: 4w
API String ID: 3991485460-3778465916
Opcode ID: 1b505b724c28969432a2e30b1a0c6eb0138ee87ff5302060001d978f4ec98191
Instruction ID: c45c42713daddd2170cf05230d86e08bbb6986d5fa1f1ddee4c9ba5cfe838b82
Opcode Fuzzy Hash: 1b505b724c28969432a2e30b1a0c6eb0138ee87ff5302060001d978f4ec98191
Instruction Fuzzy Hash: 632126369043499FCF01CF24C840BEABF74FF16324F5002A9D865A7392D7725A05DBA1

Function 6CABDAFC Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6CABC10C,?,00000001,?,?,?,6CAB2C62,?,?,00000000), ref: 6CABDB13
GetLastError.KERNEL32(?,6CABC10C,?,00000001,?,?,?,6CAB2C62,?,?,00000000,?,?,?,6CAB31E9,?), ref: 6CABDB1F

Part of subcall function 6CABDAE5: CloseHandle.KERNEL32(FFFFFFFE,6CABDB2F,?,6CABC10C,?,00000001,?,?,?,6CAB2C62,?,?,00000000,?,?), ref: 6CABDAF5

___initconout.LIBCMT ref: 6CABDB2F

Part of subcall function 6CABDAA7: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CABDAD6,6CABC0F9,?,?,6CAB2C62,?,?,00000000,?), ref: 6CABDABA

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6CABC10C,?,00000001,?,?,?,6CAB2C62,?,?,00000000,?), ref: 6CABDB44

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3e8360f688b69633e6ea6bfef42348adabec75d42c2d76ed0c1a3220ced0692c
Instruction ID: b8bc43381daedde529bc5db156704b536e01484c241a9bcdc59f5427300e2e59
Opcode Fuzzy Hash: 3e8360f688b69633e6ea6bfef42348adabec75d42c2d76ed0c1a3220ced0692c
Instruction Fuzzy Hash: F7F0303660421ABBCF166FD5DC0498A3F7AFF497A1F098114FA1996620C7329865DB90

Function 6CA9FC36 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,6CA9FBD3,00000064), ref: 6CA9FC59
LeaveCriticalSection.KERNEL32(6CB09B8C,00000000,?,6CA9FBD3,00000064,?,6CA7831D,6CB0A384,461C95ED,?,00000000,6CABF11D,000000FF,?,6CA98162), ref: 6CA9FC63
WaitForSingleObjectEx.KERNEL32(00000000,00000000,?,6CA9FBD3,00000064,?,6CA7831D,6CB0A384,461C95ED,?,00000000,6CABF11D,000000FF,?,6CA98162), ref: 6CA9FC74
EnterCriticalSection.KERNEL32(6CB09B8C,?,6CA9FBD3,00000064,?,6CA7831D,6CB0A384,461C95ED,?,00000000,6CABF11D,000000FF,?,6CA98162), ref: 6CA9FC7B

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: a01f2d80711669bc146859bc725103ea06b88cff23a821d10e95d349e4028c49
Instruction ID: 4e8aa955009b5bda6474c703dd8625571ef160fad249e288e308e903fe2741ed
Opcode Fuzzy Hash: a01f2d80711669bc146859bc725103ea06b88cff23a821d10e95d349e4028c49
Instruction Fuzzy Hash: 50E0E536B2522ABBCF052BD19C09A9A7E79AF5E6B1B058018FA0566510876168419BD0

Function 6CA829F0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 250COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6CA82AF3

Strings

0, xrefs: 6CA82CEA
Queue Time, xrefs: 6CA82A4C

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: CountTick
String ID: 0$Queue Time
API String ID: 536389180-3826937611
Opcode ID: e1cc0680bc609ba0802487a0452d796057e3e61a1cafe20ac2b08a940560f51a
Instruction ID: 230a9b3cc8aa703fb58141229c7cea10de643b74780825c824a28eb004430070
Opcode Fuzzy Hash: e1cc0680bc609ba0802487a0452d796057e3e61a1cafe20ac2b08a940560f51a
Instruction Fuzzy Hash: 619180B19012499FDB04CF68CD98BEE77B5FF48318F14421DE8199B780D774AA88CB91

Function 00CE3060 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 231windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 00CE30D6
SendMessageW.USER32(?,00000000,00000000), ref: 00CE31D2

Part of subcall function 00CE4BC0: SysFreeString.OLEAUT32(00000000), ref: 00CE4C63

Strings

AtlAxWin140, xrefs: 00CE30CE

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CreateFreeMessageSendStringWindow
String ID: AtlAxWin140
API String ID: 4045344427-3842940177
Opcode ID: 53d7d741ffb01dc359a4da9e122da3ed7b5a1af3c761a1214ca1f798cf4f6a40
Instruction ID: 57511abb795293d1b9a82895be1958797f00a84edf6eb73378227649b4bc3f3a
Opcode Fuzzy Hash: 53d7d741ffb01dc359a4da9e122da3ed7b5a1af3c761a1214ca1f798cf4f6a40
Instruction Fuzzy Hash: 6F914774600245EFDB14CF69C888F9ABBB9FF48720F1085A8F9259B391CB71EA01DB50

Function 6CA91820 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 6CA91A52

Strings

false, xrefs: 6CA9196F
true, xrefs: 6CA91985

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: false$true
API String ID: 118556049-2658103896
Opcode ID: a17d2290848f6809e64d3482f9ca6efd497c874c13ef8197b7acfbc150c68add
Instruction ID: 2a080d5190cc268536a789a7ea3742e1a6deceab902d834a024e83806b7d29f0
Opcode Fuzzy Hash: a17d2290848f6809e64d3482f9ca6efd497c874c13ef8197b7acfbc150c68add
Instruction Fuzzy Hash: 637183B1D10748DBDB10CF94C941BDEBBF8FF04304F14466AE915ABA81E775AA88CB91

Function 6CA89F60 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(00000000,461C95ED), ref: 6CA8A001

Strings

\\?\UNC\, xrefs: 6CA8A026, 6CA8A087
\\?\, xrefs: 6CA8A13F, 6CA8A16A

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: a8b47ac1447d04c9e61ad57da66e118a49c52ed497939fc4dce042b7de1b23d0
Instruction ID: 3992501ac6ad2f9dc6d82574f4140ee50cc4ac9a4784ebd62841f626d939837a
Opcode Fuzzy Hash: a8b47ac1447d04c9e61ad57da66e118a49c52ed497939fc4dce042b7de1b23d0
Instruction Fuzzy Hash: 1061A071E012049FDB14CF68D985BAEB7B6FF45308F14861CD511A7B80DB75A988CBA1

Function 00DDD5D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 192COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,93D979FF), ref: 00DDD671

Strings

\\?\UNC\, xrefs: 00DDD698, 00DDD6F9
\\?\, xrefs: 00DDD7B3, 00DDD7DE

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: 5c518dad7ac381ce3ba95dc0747d9286fedb4e898f706f3bb4dde884915c98ba
Instruction ID: 19df7437b25ab2ac84222ffe668858d2fbe9487261fa0501d1e369a25dbc1277
Opcode Fuzzy Hash: 5c518dad7ac381ce3ba95dc0747d9286fedb4e898f706f3bb4dde884915c98ba
Instruction Fuzzy Hash: 6E61C1709002089BDF14DF68C885BAEB7F6FF94304F14851EE816A7381DB75A948CBE1

Function 00E23110 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD9CC0: GetProcessHeap.KERNEL32 ref: 00CD9D15
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9D47
Part of subcall function 00CD9CC0: __Init_thread_footer.LIBCMT ref: 00CD9DD2

GetLastError.KERNEL32(?,00000000,FTP Server,0000000A), ref: 00E23194
WaitForSingleObject.KERNEL32(?,0000000A,?,00000000,FTP Server,0000000A), ref: 00E231CD

Strings

REST %u, xrefs: 00E23161

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$ErrorHeapLastObjectProcessSingleWait
String ID: REST %u
API String ID: 1670056567-3183379045
Opcode ID: 196c08ed5db8fd7f83eef0b47ce8a089b1568a0d44f2064152d916a90b0f47b6
Instruction ID: 30f5db22d8773a5f468059f8f8d079b67a8796ecba43e3badd8270d192c38eab
Opcode Fuzzy Hash: 196c08ed5db8fd7f83eef0b47ce8a089b1568a0d44f2064152d916a90b0f47b6
Instruction Fuzzy Hash: 4451F332600608DFD720DB79DC84B6AB7E5FF40328F245629E556AB6A1DB79EE00CF40

Function 00E3F900 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00000000,00000000,00000000,_pbl_evt,00000008,?,?,00F2BE58,00000001,93D979FF,00000000), ref: 00E3F9AE
CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 00E3F9CB

Strings

_pbl_evt, xrefs: 00E3F982

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Event$CreateOpen
String ID: _pbl_evt
API String ID: 2335040897-4023232351
Opcode ID: 3a8142ece3b4ab7bd698307881b16d3f4ca9f83c538ee126eb3e80ffa3b13364
Instruction ID: 06188c18835f4ecd7dca1c482e700ff16920f803044b2c1d56e0b64cd7194320
Opcode Fuzzy Hash: 3a8142ece3b4ab7bd698307881b16d3f4ca9f83c538ee126eb3e80ffa3b13364
Instruction Fuzzy Hash: 3E518C71D00249AFDB10DFA8DD45BEEBBB4EF08714F508229E925B72C0EB746A04CB90

Function 6CA958A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 6CA9590A

Strings

]: { , xrefs: 6CA95955
Win32 COM Error [, xrefs: 6CA95944

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: String
String ID: Win32 COM Error [$]: {
API String ID: 2568140703-2764242999
Opcode ID: a4d75ff11b98d71a2fb3696d357d18516cb2ad3cd4672403f767d937d972190e
Instruction ID: ae282cbd2729afbc4415cee74d833f82283af574f1009ab82805a28c945751bc
Opcode Fuzzy Hash: a4d75ff11b98d71a2fb3696d357d18516cb2ad3cd4672403f767d937d972190e
Instruction Fuzzy Hash: 18418E34901148DBDB15DB68CA51BEEBBF5BF11218F2081AD9016A7B91DB305F4DCBA1

Function 00DF3620 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,93D979FF,00F2B190), ref: 00DF3678
LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 00DF3782

Part of subcall function 00DE3110: std::locale::_Init.LIBCPMT ref: 00DE31ED

Part of subcall function 00DE0BA0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00DE0C75

Strings

Failed to get Windows error message [win32 error 0x, xrefs: 00DF3696

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: FormatFreeInitIos_base_dtorLocalMessagestd::ios_base::_std::locale::_
String ID: Failed to get Windows error message [win32 error 0x
API String ID: 1983821583-3373098694
Opcode ID: 3580f19db1b7babcfa0b8d13e066905aa1a610978ffca3cffb4347b590c3c87d
Instruction ID: cd96c572a3e0ee27b24de361f2d2d43a4f39f71e0fa470f9ae89b55ad7d16416
Opcode Fuzzy Hash: 3580f19db1b7babcfa0b8d13e066905aa1a610978ffca3cffb4347b590c3c87d
Instruction Fuzzy Hash: 894180B0A003599BDB10DF68C909BAFBBF8FF04704F118559E555EB291D7B4AB08CBA1

Function 6CA79DF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

CoCreateGuid.OLE32(?,461C95ED,?), ref: 6CA79E47
GetTickCount.KERNEL32 ref: 6CA79EF2

Strings

{%0.8X-%0.4X-%0.4X-%0.2X%0.2X-%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X}, xrefs: 6CA79E92

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: CountCreateGuidTick
String ID: {%0.8X-%0.4X-%0.4X-%0.2X%0.2X-%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X}
API String ID: 1175376463-1897611700
Opcode ID: ecfdf10cad72c79ae399f9e7e6bb37f09294cff6465c1c72913b66d3ad5947b9
Instruction ID: 282bc3f285b26e7ea70919c509f92c048c7e39b05d2e88f2378bff290e67a8da
Opcode Fuzzy Hash: ecfdf10cad72c79ae399f9e7e6bb37f09294cff6465c1c72913b66d3ad5947b9
Instruction Fuzzy Hash: BD4182B19043599ECB20CFA9CD04BEEBBF8FF08714F14461AE559EB681D778A544CBA0

Function 6CA998A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,461C95ED), ref: 6CA998F8
LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 6CA999E3

Part of subcall function 6CA8EE30: std::locale::_Init.LIBCPMT ref: 6CA8EF28

Part of subcall function 6CA8E2D0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA8E3A5

Strings

Failed to get Windows error message [win32 error 0x, xrefs: 6CA99916

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: FormatFreeInitIos_base_dtorLocalMessagestd::ios_base::_std::locale::_
String ID: Failed to get Windows error message [win32 error 0x
API String ID: 1983821583-3373098694
Opcode ID: f3387397860922a7855cd55c1443f2ee1a7012ca263809f6b2f2daf1e0156e02
Instruction ID: 07c24c113295bd88b5e5e0b37976ad034ae15ee04c7915ae41c487ba244cf2df
Opcode Fuzzy Hash: f3387397860922a7855cd55c1443f2ee1a7012ca263809f6b2f2daf1e0156e02
Instruction Fuzzy Hash: 22419F70A103099FDB10CFA8CA45B9FBBF9EF45708F144559E415AB780D7B4AA48CB91

Function 6CA8F990 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 6CA8FA42

Strings

+, xrefs: 6CA8F9B6
%, xrefs: 6CA8F9C9

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: a0331c649811f662d5541af295e174c1cd1c5299c9b24bb116e37d55495cb175
Instruction ID: f4d14f1f2f2d6a3b7cc73597cc8b41563395fd0ff22e504a0f93d1787edce3e0
Opcode Fuzzy Hash: a0331c649811f662d5541af295e174c1cd1c5299c9b24bb116e37d55495cb175
Instruction Fuzzy Hash: 32210F712083859FD701CF18CC45B9BBBE9AB8A314F08891DFA9497282D738D948C7A2

Function 6CA8FA80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 6CA8FB29

Strings

%, xrefs: 6CA8FAB9
+, xrefs: 6CA8FAA6

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: e021f200f1aa9fa908a4922d594f01339fe5bb6a6ac549e064d4621e8b1bc1ea
Instruction ID: a430e28793f5ec997827a3b9060f394ac6a0178d616bd5a2a8c2578fc07e54c8
Opcode Fuzzy Hash: e021f200f1aa9fa908a4922d594f01339fe5bb6a6ac549e064d4621e8b1bc1ea
Instruction Fuzzy Hash: 1021F4712093459FE711CF18CC55B9BBBE9EB89314F08881DFA9487692D738D54CC7A2

Function 00D15300 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D1532B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D1538E

Strings

bad locale name, xrefs: 00D153B1

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 1675f16246ba5312d06586ebd5fb5bfd867d1ebea8ec64f73eedb1165235c927
Instruction ID: 7ccb43144a11ed4c9f73942a5e9016adb2a56ee6ca84769b992d4a2c878bc670
Opcode Fuzzy Hash: 1675f16246ba5312d06586ebd5fb5bfd867d1ebea8ec64f73eedb1165235c927
Instruction Fuzzy Hash: 4F21E070905B84EFD720CF68C90078ABBF4AF15700F14869DE499DBB81D7BAAA04C7A1

Function 6CA8CC00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6CA8CC2B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6CA8CC8E

Strings

bad locale name, xrefs: 6CA8CCB1

Memory Dump Source

Source File: 00000000.00000002.2605712784.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000000.00000002.2605687997.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605773359.000000006CAD4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605822809.000000006CAFF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.2605850336.000000006CB0B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca50000_ZwmyzMxFKL.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 3a94d9e2d27483fcd24f49978d7c391073766d77c22828e559468fff5deaa28e
Instruction ID: 69846002f5bc6df39bfabafe2cae9369f14fdec97a33e090cded8e7af9520c68
Opcode Fuzzy Hash: 3a94d9e2d27483fcd24f49978d7c391073766d77c22828e559468fff5deaa28e
Instruction Fuzzy Hash: 1821D270805784EED721CFA8C90478BBFF4AF19314F148A9ED49597B81D3B6A608CBA1

Function 00CF7710 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

GetParent.USER32(00000005), ref: 00CF7784

Strings

d, xrefs: 00CF7750
C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00CF7759

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Parent
String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$d
API String ID: 975332729-572215800
Opcode ID: bcdcedaaefe87f280ab87ad325c8a4e9b08751548ca614d61d4b0cb744d8c5cf
Instruction ID: 4e246817e2ec30c1c08de8f5abb8876ccef58444fc791374d80d678b7cfb401c
Opcode Fuzzy Hash: bcdcedaaefe87f280ab87ad325c8a4e9b08751548ca614d61d4b0cb744d8c5cf
Instruction Fuzzy Hash: 67215970D04398DFDF00DFE4D958BDDBBB1AF45308F508048E505AB295D7B95A08EB51

Function 00CE266B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00CE26D9

Strings

d, xrefs: 00CE26AB
C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00CE26B4

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$d
API String ID: 2558294473-506145171
Opcode ID: 1e36cd9c79794bab573b9a586f87bbfe83c7b9a437faaca4ff31858e56220aa9
Instruction ID: 3eff237c60170c013b6ec697d82e8d75a20268757b35ec71071f7127d83d944b
Opcode Fuzzy Hash: 1e36cd9c79794bab573b9a586f87bbfe83c7b9a437faaca4ff31858e56220aa9
Instruction Fuzzy Hash: 46214770D05298DFDF00DFE5E99879DBBB5BF45308F504088E005BB296EBB55A08EB51

Function 00CF77EB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

GetParent.USER32(0000000D), ref: 00CF785C

Strings

d, xrefs: 00CF7826
C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00CF782F

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Parent
String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$d
API String ID: 975332729-572215800
Opcode ID: b34b8926149956f6b4683059d0445f53ac1bddaee73523b70b25f3b96cc07f26
Instruction ID: 0e0ed644bc1e3f0cf08dd77de94251933cd6fa3298a9951765e9f132a292cbfa
Opcode Fuzzy Hash: b34b8926149956f6b4683059d0445f53ac1bddaee73523b70b25f3b96cc07f26
Instruction Fuzzy Hash: 2A215730D04288EEDF00DFE4D85879CBBB0AF04308F608058E0057B296DBB95A08EB52

Function 00CE2A59 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00CE2ACA

Strings

C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00CE2AA5
d, xrefs: 00CE2A99

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$d
API String ID: 2558294473-506145171
Opcode ID: 93156ef173dfdc97f4f2ff7e4de9614945b74d85d7a2ad8796737d60b9e7b309
Instruction ID: 7758b64f37261b54f5c3efc80d3bab617f47f51096e887dc51e012bc948c6c72
Opcode Fuzzy Hash: 93156ef173dfdc97f4f2ff7e4de9614945b74d85d7a2ad8796737d60b9e7b309
Instruction Fuzzy Hash: 31214770D05298DFCF00DFE5E89879DBBB1BF45308F608098E001BB296DBB95A09EB51

Function 00CE2740 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00CE27AB

Strings

d, xrefs: 00CE277B
C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00CE2784

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$d
API String ID: 2558294473-506145171
Opcode ID: 9864957e3457c3eab7c554e79cbdd1c9e38dc2f2aea65b24229528507338442e
Instruction ID: 868b34dc7f637d27596d79fb7b31dada61b96202ec623f0c3a844d34b8da0c57
Opcode Fuzzy Hash: 9864957e3457c3eab7c554e79cbdd1c9e38dc2f2aea65b24229528507338442e
Instruction Fuzzy Hash: 72216730D0429CEEDF04DFE5E8987DDBBB0AF55308F608048E0057B296DBB55A08EB62

Function 00CF78C3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetParent.USER32(00000013), ref: 00CF78F6

Strings

C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00CF78DB
Unknown exception, xrefs: 00CF78CB

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Parent
String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
API String ID: 975332729-9186675
Opcode ID: 2377822b16ba40b9e6adc4ceb6c41b5ea7d2963fa085e9a5e19f2997e4135546
Instruction ID: 7dd990995bb92acc3dbbb51467f8d4bdd23b8a1cffdf5429d163509ab1ea9a97
Opcode Fuzzy Hash: 2377822b16ba40b9e6adc4ceb6c41b5ea7d2963fa085e9a5e19f2997e4135546
Instruction Fuzzy Hash: CB016130D05388EFCF00EBE4C9596DDBBB0AF55300F948188E101AB396D7B55E08E7A2

Function 00CE2812 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00CE283F

Strings

Unknown exception, xrefs: 00CE281A
C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00CE282A

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
API String ID: 2558294473-2631306498
Opcode ID: db4616910fd58a41ef3840d9dd94c92b5c90df36e7ab9b271c9bb00c0b0e0356
Instruction ID: fd801d4369d57f33f208003a0d4f1a805338712bdaf23188ca9ef726b819af3d
Opcode Fuzzy Hash: db4616910fd58a41ef3840d9dd94c92b5c90df36e7ab9b271c9bb00c0b0e0356
Instruction Fuzzy Hash: 46015230D05388DBCF05EBE4C9596DDBFB4AF55304F544198E0016B396EBB55A04E7A2

Function 00E8594A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E8592D

Part of subcall function 00E81B8B: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E81B96
Part of subcall function 00E81B8B: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E81BFE
Part of subcall function 00E81B8B: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E81C0F

Strings

JY, xrefs: 00E8594A
@Y, xrefs: 00E85927

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: @Y$JY
API String ID: 697777088-528289003
Opcode ID: eb5dda730d4c9ded95ed178a0986d5b84dd57ee94a5ad1c55b710f089eff8d03
Instruction ID: ad7a8537e57b24e1b622f446f821218509b676e2ec66875990663d5e25527762
Opcode Fuzzy Hash: eb5dda730d4c9ded95ed178a0986d5b84dd57ee94a5ad1c55b710f089eff8d03
Instruction Fuzzy Hash: 0CB0128236C604FC754872581D03C76035CC4C0FB2330956BF41CE4041E8408C022373

Function 00E8595E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E8592D

Part of subcall function 00E81B8B: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E81B96
Part of subcall function 00E81B8B: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E81BFE
Part of subcall function 00E81B8B: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E81C0F

Strings

^Y, xrefs: 00E8595E
@Y, xrefs: 00E85927

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: @Y$^Y
API String ID: 697777088-2317172137
Opcode ID: 8c3b123a4327eaeabfdea7c950e9d53f3de8ab95a9ed5a4e0eb9c195e4d0bbc9
Instruction ID: e0e875d24db8f3a130424a6cb554f929cedb228abd2f0cc195787b50cd59285f
Opcode Fuzzy Hash: 8c3b123a4327eaeabfdea7c950e9d53f3de8ab95a9ed5a4e0eb9c195e4d0bbc9
Instruction Fuzzy Hash: 8AB0128236C604ECB548725C1E03C76035CC8C0F7233055ABF01CE4042E8428C032373

Function 00E85954 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E8592D

Part of subcall function 00E81B8B: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E81B96
Part of subcall function 00E81B8B: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E81BFE
Part of subcall function 00E81B8B: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E81C0F

Strings

@Y, xrefs: 00E85927
TY, xrefs: 00E85954

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: @Y$TY
API String ID: 697777088-3232572680
Opcode ID: d21c3f93ea9c4f329426c8c2c1b5464c582b86cb0ce6a13693344abab2a5614f
Instruction ID: 8e1db7140e87d75e43c3cc0fa0f8fe2ca17adb2576ee42b856b355613e44d192
Opcode Fuzzy Hash: d21c3f93ea9c4f329426c8c2c1b5464c582b86cb0ce6a13693344abab2a5614f
Instruction Fuzzy Hash: CCB0128236C704EC754872581D03C76039CC4C0F72330566BF01CE4041E8408C422373

Function 00E85936 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E8592D

Part of subcall function 00E81B8B: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E81B96
Part of subcall function 00E81B8B: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E81BFE
Part of subcall function 00E81B8B: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E81C0F

Strings

@Y, xrefs: 00E85927
6Y, xrefs: 00E85936

Memory Dump Source

Source File: 00000000.00000002.2602770401.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2602746524.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602985608.0000000000F09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603053192.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603080927.0000000000F96000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603109273.0000000000F97000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603131577.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: 6Y$@Y
API String ID: 697777088-1130007802
Opcode ID: 188d46142fe16787a602e76ab1563f4cc99aa8b44f8ccb5a028475708985d364
Instruction ID: 208d41da3453ebbd3cc68f02bc6cb13694b4c2e144db0e706d7e758be33e19dc
Opcode Fuzzy Hash: 188d46142fe16787a602e76ab1563f4cc99aa8b44f8ccb5a028475708985d364
Instruction Fuzzy Hash: C5B0129236C604ECF50472581F03C76035CC0C0F72330556BF01CE4041E8418C032373

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZwmyzMxFKL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\629ca2.rbs

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGXlong.sys

C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU

C:\Program Files (x86)\DnLIMGKCARTO\408dd7481cc3.KWR

C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX

C:\Program Files (x86)\DnLIMGKCARTO\7z.dll

C:\Program Files (x86)\DnLIMGKCARTO\MiniUI.dll

C:\Program Files (x86)\DnLIMGKCARTO\NetDefender.dll

C:\Program Files (x86)\DnLIMGKCARTO\NetDiagDll.dll

C:\Program Files (x86)\DnLIMGKCARTO\NetSpeed.dll

C:\Program Files (x86)\DnLIMGKCARTO\Netgm.dll

C:\Program Files (x86)\DnLIMGKCARTO\NetmLogin.dll

C:\Program Files (x86)\DnLIMGKCARTO\NetmTray.dll

C:\Program Files (x86)\DnLIMGKCARTO\NetmTray64.dll

C:\Program Files (x86)\DnLIMGKCARTO\NetmonEP.dll

C:\Program Files (x86)\DnLIMGKCARTO\NewKernel.dll

Windows Analysis Report
ZwmyzMxFKL.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre