Edit tour

Windows Analysis Report
ZwmyzMxFKL.exe

Overview

General Information

Sample name:	ZwmyzMxFKL.exe renamed because original name is a hash value
Original sample name:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Analysis ID:	1562418
MD5:	2fa4f19f9fb9e7a71d85aaf34d318178
SHA1:	2061483db691163ca0b1d04667d64e37af4c2fe0
SHA256:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769
Tags:	206-238-43-118exeuser-JAMESWT_MHT
Infos:

Detection

BlackMoon

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected BlackMoon Ransomware

Drops executables to the windows directory (C:\Windows) and starts them

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a global mouse hook

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

ZwmyzMxFKL.exe (PID: 6684 cmdline: "C:\Users\user\Desktop\ZwmyzMxFKL.exe" MD5: 2FA4F19F9FB9E7A71D85AAF34D318178)

ZwmyzMxFKL.exe (PID: 4240 cmdline: "C:\Users\user\Desktop\ZwmyzMxFKL.exe" /i "C:\Program Files (x86)\WindowsInstallerFQ\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\DnLIMGKCARTO" SECONDSEQUENCE="1" CLIENTPROCESSID="6684" AI_MORE_CMD_LINE=1 MD5: 2FA4F19F9FB9E7A71D85AAF34D318178)

msiexec.exe (PID: 5572 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 4736 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 86EAEA36D56ADACB6F4586ABE7AE0EB7 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 516 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 330C69625D946D3D58562FAE4D80B81E MD5: 9D09DC1EDA745A5F87553048E57620CF)

MSI6FFE.tmp (PID: 2432 cmdline: "C:\Windows\Installer\MSI6FFE.tmp" MD5: BE4ED0D3AA0B2573927A046620106B13)

e8a0d5af432b7e64DBD.exe (PID: 1368 cmdline: "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU" -o"C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55" -pe6ab90d5741a3329XSJ -aos -y MD5: FAE7D0A530279838C8A5731B086A081B)

conhost.exe (PID: 348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

e8a0d5af432b7e64DBD.exe (PID: 5456 cmdline: "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\408dd7481cc3.KWR" -o"C:\Program Files (x86)\DnLIMGKCARTO" -pd90abf5032721ffaBCX -aos -y MD5: FAE7D0A530279838C8A5731B086A081B)

conhost.exe (PID: 4064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

e8a0d5af432b7e64DBD.exe (PID: 1904 cmdline: "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX" -o"C:\Users\user\AppData\Roaming" -p5ccac7f27f4c789fFPK -aos -y MD5: FAE7D0A530279838C8A5731B086A081B)

conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Bor32-update-flase.exe (PID: 4636 cmdline: "C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe" MD5: 938C33C54819D6CE8D731B68D9C37E38)

Bor32-update-flase.exe (PID: 568 cmdline: "C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe" MD5: 938C33C54819D6CE8D731B68D9C37E38)

Haloonoroff.exe (PID: 2924 cmdline: "C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe" MD5: 0D318144BD23BA1A72CC06FE19CB3F0C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
KrBanker, BlackMoon	ThreatPost describes KRBanker (Blackmoon) as a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques.	No Attribution	http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/ https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/ https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/	https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\DnLIMGKCARTO\ramengine.dll	Gandcrab	Gandcrab Payload	kevoreilly	0xdbd00:$string1: GDCB-DECRYPT.txt
C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\DnLIMGKCARTO\qex.dll	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\rtl120.bpl	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000010.00000000.1907174617.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000008.00000003.1839577125.0000000002E86000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: e8a0d5af432b7e64DBD.exe PID: 1368	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Bor32-update-flase.exe PID: 568	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
19.2.Bor32-update-flase.exe.30a950e.8.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
19.2.Bor32-update-flase.exe.30a950e.8.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x45ba:$s1: blackmoon 0x45fa:$s2: BlackMoon RunTime Error:
19.2.Bor32-update-flase.exe.30a950e.8.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
19.2.Bor32-update-flase.exe.30a950e.8.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x45ba:$s1: blackmoon 0x45fa:$s2: BlackMoon RunTime Error:
16.0.Bor32-update-flase.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T15:39:34.361950+0100	2052875	1	A Network Trojan was detected	192.168.2.7	49706	206.238.43.118	63569	TCP
2024-11-25T15:40:35.299279+0100	2052875	1	A Network Trojan was detected	192.168.2.7	49706	206.238.43.118	63569	TCP
2024-11-25T15:41:36.349804+0100	2052875	1	A Network Trojan was detected	192.168.2.7	49706	206.238.43.118	63569	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: ZwmyzMxFKL.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe

File opened: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.VC90.CRT\msvcr90.dll

Jump to behavior

Source: ZwmyzMxFKL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wininet.pdb source: ZwmyzMxFKL.exe, 00000000.00000003.1510639560.0000000005449000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584512070.00000000032AD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\oDayProtect.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\ddvsm\out\Intermediate\vscommon\perfwatson2.csproj_FB008427_ret\objr\amd64\PerfWatson2.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004C99000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp100.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004674000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScan.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-21885936\cayman_zlib\build\release\win32_vc140\zlib\build\zlib1.pdb$$ source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004FF1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLayoutMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQPCHwNetwork.pdbRR#GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmauthd-log\win32\release\vmauthd.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622859\src\x\x86_ntvbld\objfre_win7_x86\i386\ntvbld.pdb` source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQFileFlt.pdb.. GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-19436861\cayman_gettext\gettext\MSVC14\libintl_dll\Release\libintl_dll.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\gitproj\7z2201-src\CPP\7zip\UI\Console\Release\Console.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000002.1871768802.0000000000E28000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000000.1823799979.0000000000E28000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000000.1872769020.0000000000E28000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000002.1890825624.0000000000E28000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000E.00000000.1891790806.0000000000E28000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000E.00000002.1894578323.0000000000E28000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb!! source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLayoutMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\MemDefrag.pdbII#GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\obj\VS\Microsoft.VisualStudio.Web.Host\Release\Microsoft.VisualStudio.Web.Host.pdbf source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\HTTPRequest.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScanX64.pdb'' GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLib.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdb% source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1940075856.0000000002428000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMEventBus.pdb source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScan.pdbLL%GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mfc90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004318000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\etcp5.0\Release\etcp.pdb source: Bor32-update-flase.exe, 00000013.00000002.1940075856.0000000002420000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: libEGL.dll.pdbs source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr80.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp120.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000479B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1949780074.0000000070041000.00000020.00000001.01000000.00000016.sdmp
Source:	Binary string: E:\8168\vc98\dev\bin\vcspawn.pdbMZ source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-19436861\cayman_gettext\gettext\MSVC14\libintl_dll\Release\libintl_dll.pdb11 source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\531149\out\Release\sites.pdb source: sites.dll.2.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\122913\out\Release\SXIn64.pdb source: SXIn64.dll.2.dr
Source:	Binary string: msvcr120.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMDns.pdbDD!GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar32\Release\RAR.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp110.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004674000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallerAnalytics.pdbz source: ZwmyzMxFKL.exe, 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMDns.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwCommonUI.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wininet.pdbUGP source: ZwmyzMxFKL.exe, 00000000.00000003.1510639560.0000000005449000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584512070.00000000032AD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622869\src\x\x64_ntvbld\objfre_win7_amd64\amd64\ntvbld64.pdbL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\oDayProtect.pdbAA#GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622859\src\x\x86_ntvbld\objfre_win7_x86\i386\ntvbld.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: h:\ch1\src\sandbox\wow_helper\wow_helper.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp80.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000479B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\8168\vc98\dev\bin\vcspawn.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMEventBus.pdbZZ source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr110.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\419058\out\Release\360AppCore.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQPCHwNetwork.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\fhbemb\src\bin\Release\fhjyy.pdb source: MSI6FFE.tmp, 00000007.00000002.1896631716.0000000000C9E000.00000002.00000001.01000000.0000000B.sdmp, MSI6FFE.tmp, 00000007.00000000.1816871187.0000000000C9E000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\test\intelligentDemo\PackageMgr\Release\PackageMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\kwlogsvr.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScanX64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLib.pdbp source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMAVProxy.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: h:\ch1\src\sandbox\wow_helper\wow_helper.pdbp source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000479B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-19188697\cayman_glib\glib\src\build\win32\vs14\Release\Win32\bin\gmodule-2.0.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\fhbemb\src\bin\Release_NL\fhbmini.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, Haloonoroff.exe, 00000014.00000000.1932897571.000000000040E000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\368203\out\Release\HipsLog.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: ZwmyzMxFKL.exe
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb.. source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000479B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMRtpDLL.pdbWW'GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQFileFlt.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000479B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\531149\out\Release\sites.pdbX source: sites.dll.2.dr
Source:	Binary string: libEGL.dll.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\WallPaper_feihuo\windows\FFWallpaper\bin\Release\bfcipc.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \WallPaper\windows\FFWallpaper\bin\Release\FFWallpaper.pdb source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622869\src\x\x64_ntvbld\objfre_win7_amd64\amd64\ntvbld64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb-- source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-21885936\cayman_zlib\build\release\win32_vc140\zlib\build\zlib1.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004FF1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\obj\VS\Microsoft.VisualStudio.Web.Host\Release\Microsoft.VisualStudio.Web.Host.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMRtpDLL.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\MemDefrag.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\basichttp\win32\release\basichttp.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallerAnalytics.pdb source: ZwmyzMxFKL.exe, 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\test\intelligentDemo\PackageMgr\Release\PackageMgr.pdb//' source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMAVProxy.pdb__(GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: z:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: x:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: v:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: t:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: r:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: p:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: n:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: l:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: j:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: h:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: f:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: b:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: y:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: w:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: u:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: s:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: q:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: o:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: m:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: k:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: i:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: g:
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: e:
Source: C:\Windows\Installer\MSI6FFE.tmp	File opened: c:	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File opened: a:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File opened: [:

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D00640 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_00D00640
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CDB1B0 FindFirstFileW,GetLastError,FindClose,	0_2_00CDB1B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D0A4B0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00D0A4B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BE0880 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW,	0_2_00BE0880
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D0A8B0 FindFirstFileW,FindClose,	0_2_00D0A8B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CDA850 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00CDA850
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CE8F30 FindFirstFileW,FindClose,FindClose,	0_2_00CE8F30
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CBFE80 FindFirstFileW,FindNextFileW,FindClose,	0_2_00CBFE80
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE87870 FindFirstFileW,FindClose,GetLastError,FindClose,	0_2_6CE87870
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE7D070 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,	0_2_6CE7D070
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CEA6B85 FindFirstFileExW,	0_2_6CEA6B85
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00CDB1B0 FindFirstFileW,GetLastError,FindClose,	5_2_00CDB1B0
Source: C:\Windows\Installer\MSI6FFE.tmp	Code function: 7_2_00C974DA FindFirstFileExW,	7_2_00C974DA
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DA8BA4 __EH_prolog3_GS,FindFirstFileA,FindFirstFileW,FindFirstFileW,	8_2_00DA8BA4
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E0D528 FindFirstFileExA,	8_2_00E0D528
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E0D7E0 FindFirstFileExW,FindClose,FindNextFileW,	8_2_00E0D7E0
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E0D9C1 FindFirstFileExW,	8_2_00E0D9C1
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E0D996 FindFirstFileExA,	8_2_00E0D996

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00D09310 _wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00D09310

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.7:49706 -> 206.238.43.118:63569

Source: global traffic

TCP traffic: 192.168.2.7:49706 -> 206.238.43.118:63569

Source: Joe Sandbox View

ASN Name: COGENT-174US COGENT-174US

Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.43.118

Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: "https://www.facebook.com/iobitsoft equals www.facebook.com (Facebook)
Source: ZwmyzMxFKL.exe, 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmp, ZwmyzMxFKL.exe, 00000000.00000000.1460969583.0000000000DF9000.00000002.00000001.01000000.00000003.sdmp, ZwmyzMxFKL.exe, 00000005.00000000.1576694882.0000000000DF9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: FlashWindowExFlashWindowGetPackagePathKernel32.dllhttp://www.google.comTESTtin9999.tmphttp://www.yahoo.comhttp://www.example.com.partGET "filenameattachment=123POSTcharsetDLDISO-8859-1US-ASCIIutf-8utf-16FTP Server/AdvancedInstallerLocal Network ServerIf-Modified-Since: %s equals www.yahoo.com (Yahoo)
Source: ZwmyzMxFKL.exe	String found in binary or memory: TFlashWindowExFlashWindowGetPackagePathKernel32.dllhttp://www.google.comTESTtin9999.tmphttp://www.yahoo.comhttp://www.example.com.partGET "filenameattachment=123POSTcharsetDLDISO-8859-1US-ASCIIutf-8utf-16FTP Server/AdvancedInstallerLocal Network ServerIf-Modified-Since: %s equals www.yahoo.com (Yahoo)
Source: ZwmyzMxFKL.exe	String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)

Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004318000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ftp://http://HTTP/1.0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/active.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/moreuse.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/multi_app/app_db3promote.php?action=insert
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/other/db_driverinstall.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/other/db_extlink_download.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/other/db_temp_download.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/other/insert.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ascstats.iobit.com/usage.php
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp, sites.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012E2000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911680421.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1676255449.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.1918218448.0000000006242000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1914284205.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911198258.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1579122350.000000000104D000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578979333.0000000001064000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D28000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D3F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1579122350.0000000001064000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D36000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000002.1907458023.00000000029F5000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004FF1000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ZwmyzMxFKL.exe, 00000000.00000003.1913590647.00000000012C3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012E2000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.1916543990.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911680421.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1676255449.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.1918218448.0000000006242000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1914284205.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911198258.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911242596.00000000012B5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1676447608.00000000012C2000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1579122350.000000000104D000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000002.1907071565.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D28000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D36000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000002.1907458023.00000000029F5000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012E2000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911680421.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1676255449.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.1918218448.0000000006242000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1914284205.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911198258.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1579122350.000000000104D000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000002.1907071565.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D28000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D36000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000002.1907458023.00000000029F5000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ZwmyzMxFKL.exe, ZwmyzMxFKL.exe, 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://collect.installeranalytics.com
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004674000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004318000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D36000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000002.1907458023.00000000029F5000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004FF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp, sites.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004FF1000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ZwmyzMxFKL.exe, 00000000.00000003.1913590647.00000000012C3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012E2000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.1916543990.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911680421.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1676255449.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.1918218448.0000000006242000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1914284205.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911198258.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911242596.00000000012B5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1676447608.00000000012C2000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1579122350.000000000104D000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000002.1907071565.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D28000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D36000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000002.1907458023.00000000029F5000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004FF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp, sites.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp, sites.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004FF1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: ZwmyzMxFKL.exe, 00000000.00000003.1914965136.0000000001290000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.1916408888.0000000001290000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1913753647.0000000001290000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000002.1907071565.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: ZwmyzMxFKL.exe, 00000000.00000003.1915302841.0000000001253000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.1916372780.0000000001254000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: ZwmyzMxFKL.exe, 00000005.00000002.1907071565.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabs
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1949598410.000000006B296000.00000008.00000001.01000000.00000020.sdmp	String found in binary or memory: http://curl.haxx.se/V
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1949598410.000000006B296000.00000008.00000001.01000000.00000020.sdmp	String found in binary or memory: http://curl.haxx.se/docs/copyright.htmlDVarFileInfo$
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1949389364.000000006B282000.00000002.00000001.01000000.00000020.sdmp	String found in binary or memory: http://curl.haxx.se/docs/http-cookies.html
Source: sites.dll.2.dr	String found in binary or memory: http://down.360safe.com/setup.exePathSOFTWARE
Source: sites.dll.2.dr	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ec.360bc.cnhttp://www.eyybc.com/forumdisplay.php?fid=17/memcp.php/ip.asp/time.asp/gonggao.txt
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://forums.iobit.com/forum/driver-booster/driver-booster-5
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://forums.iobit.com/showthread.php?t=16792
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://idb.iobit.com/check.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://install-log.kuwo.cn/music.yl
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://klog.kuwo.cn/music.yl
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://klog.kuwo.cn/music.ylhttp://install-log.kuwo.cn/music.ylhttp://log.kuwo.cn/music.ylrwSend
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://log.kuwo.cn/music.yl
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004FF1000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012E2000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911680421.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1676255449.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.1918218448.0000000006242000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1914284205.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911198258.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1579122350.000000000104D000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000002.1907071565.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D28000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D36000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000002.1907458023.00000000029F5000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: ZwmyzMxFKL.exe, ZwmyzMxFKL.exe, 00000000.00000003.1913590647.00000000012C3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012E2000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.1916543990.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911680421.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1676255449.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.1918218448.0000000006242000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1914284205.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911198258.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911242596.00000000012B5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1676447608.00000000012C2000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1579122350.000000000104D000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578979333.0000000001064000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D28000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D3F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1579122350.0000000001064000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0L
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: ZwmyzMxFKL.exe, 00000000.00000003.1913590647.00000000012C3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012E2000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.1916543990.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911680421.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1676255449.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.1918218448.0000000006242000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1914284205.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911198258.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911242596.00000000012B5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1676447608.00000000012C2000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1579122350.000000000104D000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000002.1907071565.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D28000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584206286.0000000003D36000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000002.1907458023.00000000029F5000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004674000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004318000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com0_
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	String found in binary or memory: http://s2.symcb.com0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: SXIn64.dll.2.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	String found in binary or memory: http://sf.symcd.com0&
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stats.iobit.com/active_day.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stats.iobit.com/active_month.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stats.iobit.com/register.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stats.iotransfer.net/active.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SXIn64.dll.2.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	String found in binary or memory: http://sv.symcd.com0&
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sw.symcd.com0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911680421.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1914284205.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911198258.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911680421.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1914284205.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911198258.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://t2.symcb.com0
Source: ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911680421.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1914284205.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911198258.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911680421.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1914284205.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911198258.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911680421.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1914284205.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911198258.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcd.com0&
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SXIn64.dll.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SXIn64.dll.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004674000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004318000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004674000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004318000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://update.iobit.com/infofiles/db2/Freeware-db.upt
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://update.iobit.com/infofiles/db2/db2_free.upt
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://update.iobit.com/infofiles/db2/db2_oth.upt
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://update.iobit.com/infofiles/db2/db2_pro.upt
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://update.iobit.com/infofiles/db3/embhtml/update.upt
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://updatestats.cd4o.com/api.php?act=update
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr, sites.dll.2.dr	String found in binary or memory: http://www.360.cn
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.bsplayer.com
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cd4o.com/drivers/
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cd4o.com/drivers/wlst/v.json
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004FF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp, sites.dll.2.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ZwmyzMxFKL.exe	String found in binary or memory: http://www.google.com
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/language-subtag-registry
Source: Bor32-update-flase.exe, 00000013.00000002.1939750809.0000000000BCD000.00000020.00000001.01000000.0000001D.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=activateweb
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=activateweb-%d
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=bannerbuy
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=compare
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=dbproduct
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=download
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=expired
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=faq
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=feature
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=feedback
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=filerupt
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=forum
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=gaexpired
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=help
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=helptranslate
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=htmlfailed
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=index
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=install
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=likefb
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=lostcode
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=multipcexpired
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=othupdate
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=proupdate
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=purchase
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=purchase-%d
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=regexpired
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=reggaexpired
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=regovermax
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=revokedkey
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=update
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=usermanual
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/appgoto.php?to=vertoold
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/cloud/db/index.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/compare/db/index.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/driver-booster-pro.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/faq.php?product=db
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/feedback/db/feedback.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/goto.php?id=dbproregister
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/goto.php?id=dbsurvey
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/goto.php?id=likefb01_DB
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/goto.php?id=plusgp01_DB
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/goto.php?id=plusgp01_DBU
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/hotquestions-db.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/install/db/index.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/lostcode.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iobit.com/productfeedback.php?product=driver-booster
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004674000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004318000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kuwo.cn0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ludashi.com0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/rfc/bcp/bcp47.txt
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.super-ec.cn
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.com
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll1.2.3
Source: ZwmyzMxFKL.exe	String found in binary or memory: http://www.yahoo.com
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004FF1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.zlib.net/D
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/BaiZhu/Request
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/DesktopComponent/GetPopupList
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/Device/ClientHardwareConfig
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/LockWallpaper/Get
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/LockWallpaper/Gethttps://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaperht
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaper
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/adApi/plugRecommendNew
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/adApi/plugRecommendNew%s?channel=%shttps://bizhi.hfnuola.com/pc/desktop
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/agg/StartUp
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/agg/hour
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/desktopSubject
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/fhbzApi/checkFile
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/v/AfterLocalSet
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/v/AfterLocalSethttps://bizhi.hfnuola.com/pc/DesktopComponent/GetPopupLi
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/v/FilterPayWallpaper
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/v/wallpaperInfoMulti
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhi.hfnuola.com/pc/v/wallpaperInfoMulti%sFFSL.exe
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhiweb.hfnuola.com/clientNew/index.html
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhiweb.hfnuola.com/clientNew/index.htmlchrome-error://chromewebdata_err:firstNav_
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhiweb.hfnuola.com/web/advertising.html?type=
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhiweb.hfnuola.com/web/advertising.html?type=9IagJ4qlKos8A8lm
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bizhiweb.hfnuola.com/web/vip.htmlhttps://bizhiweb.hfnuola.com/web/payNew.html%s?channel=%s&p
Source: ZwmyzMxFKL.exe, ZwmyzMxFKL.exe, 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://collect.installeranalytics.com
Source: ZwmyzMxFKL.exe, 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0)
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hao.360.cnstrtolwcstombsmbstowcsiexplore.exe360chrome.exe360se.exeSafehmpgHelperkslaunchwsaf
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://idea.hfnuola.com
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://idea.hfnuola.com20012rgbautoStartauto_start_slienthideDesktopIconpauseVidoset_mute_on_fullsc
Source: ZwmyzMxFKL.exe	String found in binary or memory: https://installeranalytics.com
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://logs.hfnuola.com
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://s1.driverboosterscan.com/worker.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://s2.driverboosterscan.com/worker.php
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0B
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/iobitsoft
Source: ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911680421.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.1918218448.0000000006242000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1914284205.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911198258.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.advancedinstaller.com
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1939098561.0000000000A54000.00000002.00000001.01000000.0000001B.sdmp, sites.dll.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, sites.dll.2.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gnu.org/licenses/
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.hfnuola.com
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.hfnuola.com/select
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.itrus.com.cn0
Source: ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911680421.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1914284205.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911198258.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/cps0/
Source: ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911680421.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1914284205.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911198258.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/repository0W

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00CBA2A0 SendMessageW,GetParent,GetParent,GetWindowRect,GetParent,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,MapWindowPoints,FillRect,DeleteDC,SendMessageW,SendMessageW,SendMessageW,

0_2_00CBA2A0

Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_f9060e17-1

Source: Yara match

File source: Process Memory Space: e8a0d5af432b7e64DBD.exe PID: 1368, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Yara detected BlackMoon Ransomware

Source: Yara match	File source: 19.2.Bor32-update-flase.exe.30a950e.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Bor32-update-flase.exe.30a950e.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bor32-update-flase.exe PID: 568, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 19.2.Bor32-update-flase.exe.30a950e.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 19.2.Bor32-update-flase.exe.30a950e.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: C:\Program Files (x86)\DnLIMGKCARTO\ramengine.dll, type: DROPPED	Matched rule: Gandcrab Payload Author: kevoreilly

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D1F0D0 NtdllDefWindowProc_W,	0_2_00D1F0D0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00C97A10 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,	0_2_00C97A10
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BE2390 KillTimer,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,	0_2_00BE2390
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00C7C330 NtdllDefWindowProc_W,	0_2_00C7C330
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BD44A0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00BD44A0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BDE540 NtdllDefWindowProc_W,	0_2_00BDE540
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BDE6B0 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00BDE6B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BD4BC0 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString,	0_2_00BD4BC0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00C310D0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00C310D0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BD7190 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,	0_2_00BD7190
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BD5220 NtdllDefWindowProc_W,	0_2_00BD5220
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BD78B0 NtdllDefWindowProc_W,	0_2_00BD78B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BF58F0 NtdllDefWindowProc_W,	0_2_00BF58F0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BE7AC0 NtdllDefWindowProc_W,	0_2_00BE7AC0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BD7E70 NtdllDefWindowProc_W,	0_2_00BD7E70
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00C97A10 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,	5_2_00C97A10
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00C310D0 NtdllDefWindowProc_W,	5_2_00C310D0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BD7190 NtdllDefWindowProc_W,	5_2_00BD7190
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BD5220 NtdllDefWindowProc_W,	5_2_00BD5220
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BE2390 NtdllDefWindowProc_W,DeleteCriticalSection,	5_2_00BE2390
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00C7C330 NtdllDefWindowProc_W,	5_2_00C7C330
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BD44A0 NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,NtdllDefWindowProc_W,	5_2_00BD44A0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BDE540 NtdllDefWindowProc_W,	5_2_00BDE540
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BDE6B0 NtdllDefWindowProc_W,	5_2_00BDE6B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BD78B0 NtdllDefWindowProc_W,	5_2_00BD78B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BF58F0 NtdllDefWindowProc_W,	5_2_00BF58F0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BE7AC0 NtdllDefWindowProc_W,	5_2_00BE7AC0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BD7E70 NtdllDefWindowProc_W,	5_2_00BD7E70

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe

Code function: 8_2_00DA96C6: DeviceIoControl,

8_2_00DA96C6

Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe

File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGXlong.sys

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5b15df.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI185F.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI18BE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI18EE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI19F8.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1A38.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3979.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI39A9.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3AC3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6B0B.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6FFE.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\SysWOW64\libjyy.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI185F.tmp

Jump to behavior

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_3_01330A49	0_3_01330A49
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CF4CA0	0_2_00CF4CA0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BE8080	0_2_00BE8080
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BEC127	0_2_00BEC127
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BEC116	0_2_00BEC116
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BE4200	0_2_00BE4200
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BC45FE	0_2_00BC45FE
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00C345B0	0_2_00C345B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BC4736	0_2_00BC4736
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BE0880	0_2_00BE0880
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BDEAF0	0_2_00BDEAF0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CBAA20	0_2_00CBAA20
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D8CBBA	0_2_00D8CBBA
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CECFD0	0_2_00CECFD0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BC3010	0_2_00BC3010
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D7D24E	0_2_00D7D24E
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BEF4E0	0_2_00BEF4E0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BEB461	0_2_00BEB461
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D91639	0_2_00D91639
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D8F711	0_2_00D8F711
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D97AA7	0_2_00D97AA7
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BEDAC0	0_2_00BEDAC0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE6DB00	0_2_6CE6DB00
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE7D070	0_2_6CE7D070
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE97C1A	0_2_6CE97C1A
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CEA8DC0	0_2_6CEA8DC0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CEA9FE7	0_2_6CEA9FE7
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE9788C	0_2_6CE9788C
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CEA3B89	0_2_6CEA3B89
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE99460	0_2_6CE99460
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE7F420	0_2_6CE7F420
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE79690	0_2_6CE79690
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CEA00FA	0_2_6CEA00FA
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE6F180	0_2_6CE6F180
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CEA2100	0_2_6CEA2100
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BE8080	5_2_00BE8080
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BC3010	5_2_00BC3010
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00C10160	5_2_00C10160
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BE4200	5_2_00BE4200
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BEF4E0	5_2_00BEF4E0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BEB461	5_2_00BEB461
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BC45FE	5_2_00BC45FE
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00C345B0	5_2_00C345B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00D91639	5_2_00D91639
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BC4736	5_2_00BC4736
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00D8F711	5_2_00D8F711
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00D84860	5_2_00D84860
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BDEAF0	5_2_00BDEAF0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BEDAC0	5_2_00BEDAC0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00D97AA7	5_2_00D97AA7
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00CBAA20	5_2_00CBAA20
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00D8CBBA	5_2_00D8CBBA
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00D7CEC0	5_2_00D7CEC0
Source: C:\Windows\Installer\MSI6FFE.tmp	Code function: 7_2_00C9D237	7_2_00C9D237
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DC45F7	8_2_00DC45F7
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DC23DA	8_2_00DC23DA
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DCE319	8_2_00DCE319
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DDEB3E	8_2_00DDEB3E
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DAC09C	8_2_00DAC09C
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E1C140	8_2_00E1C140
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DDC111	8_2_00DDC111
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E00104	8_2_00E00104
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E00361	8_2_00E00361
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E005BE	8_2_00E005BE
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E1C680	8_2_00E1C680
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DB4712	8_2_00DB4712
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E0082A	8_2_00E0082A
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DC8A0D	8_2_00DC8A0D
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E1CB30	8_2_00E1CB30
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DD8EC1	8_2_00DD8EC1
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DA1000	8_2_00DA1000
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E1D25F	8_2_00E1D25F
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DAD490	8_2_00DAD490
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DC15F5	8_2_00DC15F5
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DBD6F3	8_2_00DBD6F3
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E21890	8_2_00E21890
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DD59C7	8_2_00DD59C7
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E2196B	8_2_00E2196B
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DE6565	8_2_00DE6565
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DE68D7	8_2_00DE68D7
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DEA8BE	8_2_00DEA8BE
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DBEAC4	8_2_00DBEAC4
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DE6B81	8_2_00DE6B81
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E1ACC2	8_2_00E1ACC2
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DE6E48	8_2_00DE6E48
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DBAE29	8_2_00DBAE29
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DFEF0B	8_2_00DFEF0B
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DE7103	8_2_00DE7103
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DFF13A	8_2_00DFF13A
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DC7395	8_2_00DC7395
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DBF352	8_2_00DBF352
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DFF374	8_2_00DFF374
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DF34AD	8_2_00DF34AD
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DFF5A3	8_2_00DFF5A3
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DFF7D2	8_2_00DFF7D2
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DBF783	8_2_00DBF783
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DFFA0C	8_2_00DFFA0C
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DBFCAB	8_2_00DBFCAB
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DFFC3B	8_2_00DFFC3B
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DFFE98	8_2_00DFFE98

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Windows\Installer\MSI6FFE.tmp	Code function: String function: 00C929E0 appears 33 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00D72072 appears 33 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00BE0880 appears 47 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00D74A5A appears 42 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00D75370 appears 40 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00D8E2CD appears 34 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00BC7D00 appears 966 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 6CE908F0 appears 50 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00BC9800 appears 70 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00BC7160 appears 99 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00BCE300 appears 50 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00CD82C0 appears 58 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00BC70B0 appears 54 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00BC92A0 appears 66 times
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: String function: 00BC7270 appears 40 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00DE325C appears 36 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00DE31BA appears 36 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00DE3190 appears 42 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00DE31F1 appears 337 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00DF0FCC appears 87 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00E0BEAC appears 35 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00DE2F70 appears 66 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00DE31A7 appears 31 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00DE3225 appears 36 times
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: String function: 00E09CD9 appears 60 times

Source: ZwmyzMxFKL.exe

Static PE information: invalid certificate

Source: ZwmyzMxFKL.exe	Static PE information: Resource name: RT_VERSION type: PDP-11 overlaid pure executable not stripped
Source: mcommu.dll.2.dr	Static PE information: Resource name: APK type: Java archive data (JAR)
Source: safe505.dll.2.dr	Static PE information: Resource name: RCDATA_PE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: safehmpg.dll.2.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: SpeedldSetting.dll.2.dr	Static PE information: Resource name: CITYCODE type: Zip archive data, at least v1.0 to extract, compression method=store
Source: uniconft64.dll.2.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000000.00000003.1510639560.0000000005449000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000005.00000003.1584512070.00000000032AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs ZwmyzMxFKL.exe
Source: ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs ZwmyzMxFKL.exe

Source: ZwmyzMxFKL.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 19.2.Bor32-update-flase.exe.30a950e.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 19.2.Bor32-update-flase.exe.30a950e.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: C:\Program Files (x86)\DnLIMGKCARTO\ramengine.dll, type: DROPPED	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload

Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: D:\dbs\el\ddvsm\out\Intermediate\vscommon\perfwatson2.csproj_FB008427_ret\objr\amd64\PerfWatson2.pdb

Source: classification engine

Classification label: mal84.rans.evad.winEXE@23/427@0/1

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00CDE5B0 FormatMessageW,GetLastError,

0_2_00CDE5B0

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DB828A GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		8_2_00DB828A
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DAB687 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,FreeLibrary,		8_2_00DAB687

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00D0B860 GetDiskFreeSpaceExW,

0_2_00D0B860

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00D23E80 CoCreateInstance,

0_2_00D23E80

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00BC9160 LoadResource,LockResource,SizeofResource,

0_2_00BC9160

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

File created: C:\Program Files (x86)\WindowsInstallerFQ

Jump to behavior

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

File created: C:\Users\user\AppData\Local\AdvinstAnalytics

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Mutant created: \Sessions\1\BaseNamedObjects\??
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Mutant created: \Sessions\1\BaseNamedObjects\NIpizDg64rfvhLyrCQMywaHQBENjzMv1R6uEoR8NfcvFEqARIU

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

File created: C:\Users\user~1\AppData\Local\Temp\INAF816.tmp

Jump to behavior

Source: Yara match	File source: 16.0.Bor32-update-flase.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000000.1907174617.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1839577125.0000000002E86000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\rtl120.bpl, type: DROPPED

Source: ZwmyzMxFKL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ZwmyzMxFKL.exe

String found in binary or memory: https://installeranalytics.com

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

File read: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ZwmyzMxFKL.exe "C:\Users\user\Desktop\ZwmyzMxFKL.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 86EAEA36D56ADACB6F4586ABE7AE0EB7 C
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Process created: C:\Users\user\Desktop\ZwmyzMxFKL.exe "C:\Users\user\Desktop\ZwmyzMxFKL.exe" /i "C:\Program Files (x86)\WindowsInstallerFQ\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\DnLIMGKCARTO" SECONDSEQUENCE="1" CLIENTPROCESSID="6684" AI_MORE_CMD_LINE=1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 330C69625D946D3D58562FAE4D80B81E
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI6FFE.tmp "C:\Windows\Installer\MSI6FFE.tmp"
Source: C:\Windows\Installer\MSI6FFE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU" -o"C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55" -pe6ab90d5741a3329XSJ -aos -y
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Installer\MSI6FFE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\408dd7481cc3.KWR" -o"C:\Program Files (x86)\DnLIMGKCARTO" -pd90abf5032721ffaBCX -aos -y
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Installer\MSI6FFE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX" -o"C:\Users\user\AppData\Roaming" -p5ccac7f27f4c789fFPK -aos -y
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe "C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe"
Source: unknown	Process created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe "C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe"
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Process created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe "C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe"
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Process created: C:\Users\user\Desktop\ZwmyzMxFKL.exe "C:\Users\user\Desktop\ZwmyzMxFKL.exe" /i "C:\Program Files (x86)\WindowsInstallerFQ\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\DnLIMGKCARTO" SECONDSEQUENCE="1" CLIENTPROCESSID="6684" AI_MORE_CMD_LINE=1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 86EAEA36D56ADACB6F4586ABE7AE0EB7 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 330C69625D946D3D58562FAE4D80B81E	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI6FFE.tmp "C:\Windows\Installer\MSI6FFE.tmp"	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU" -o"C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55" -pe6ab90d5741a3329XSJ -aos -y	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\408dd7481cc3.KWR" -o"C:\Program Files (x86)\DnLIMGKCARTO" -pd90abf5032721ffaBCX -aos -y	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX" -o"C:\Users\user\AppData\Roaming" -p5ccac7f27f4c789fFPK -aos -y	Jump to behavior
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Process created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe "C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe"

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: libjyy.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: upsdk.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: tdpcontrol.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: tdpstat.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: libcurl.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: tdpstat.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: tdpinfo.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: wship6.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: hipsdiamain.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: msvcr100.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: napinsp.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: wshbth.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: winrnr.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: libmini.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: netdevenvspeed.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: dinput8.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: hid.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: ksuser.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: avrt.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: audioses.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: midimap.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Section loaded: msvfw32.dll

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

File written: C:\Users\user\AppData\Local\AdvinstAnalytics\6627be3e20a59ade4c1add8b\1.1.6\tracking.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: ZwmyzMxFKL.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ZwmyzMxFKL.exe

Static file information: File size 58031336 > 1048576

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe

File opened: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.VC90.CRT\msvcr90.dll

Jump to behavior

Source: ZwmyzMxFKL.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x237c00

Source: ZwmyzMxFKL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ZwmyzMxFKL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ZwmyzMxFKL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ZwmyzMxFKL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ZwmyzMxFKL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ZwmyzMxFKL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ZwmyzMxFKL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ZwmyzMxFKL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wininet.pdb source: ZwmyzMxFKL.exe, 00000000.00000003.1510639560.0000000005449000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584512070.00000000032AD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\oDayProtect.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\ddvsm\out\Intermediate\vscommon\perfwatson2.csproj_FB008427_ret\objr\amd64\PerfWatson2.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004C99000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp100.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004674000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScan.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-21885936\cayman_zlib\build\release\win32_vc140\zlib\build\zlib1.pdb$$ source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004FF1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLayoutMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQPCHwNetwork.pdbRR#GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmauthd-log\win32\release\vmauthd.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622859\src\x\x86_ntvbld\objfre_win7_x86\i386\ntvbld.pdb` source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQFileFlt.pdb.. GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-19436861\cayman_gettext\gettext\MSVC14\libintl_dll\Release\libintl_dll.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\gitproj\7z2201-src\CPP\7zip\UI\Console\Release\Console.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000002.1871768802.0000000000E28000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000000.1823799979.0000000000E28000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000000.1872769020.0000000000E28000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000002.1890825624.0000000000E28000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000E.00000000.1891790806.0000000000E28000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000E.00000002.1894578323.0000000000E28000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb!! source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLayoutMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\MemDefrag.pdbII#GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\obj\VS\Microsoft.VisualStudio.Web.Host\Release\Microsoft.VisualStudio.Web.Host.pdbf source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\HTTPRequest.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScanX64.pdb'' GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLib.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdb% source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1940075856.0000000002428000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMEventBus.pdb source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScan.pdbLL%GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mfc90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004318000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\etcp5.0\Release\etcp.pdb source: Bor32-update-flase.exe, 00000013.00000002.1940075856.0000000002420000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: libEGL.dll.pdbs source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr80.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp120.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000479B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1949780074.0000000070041000.00000020.00000001.01000000.00000016.sdmp
Source:	Binary string: E:\8168\vc98\dev\bin\vcspawn.pdbMZ source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-19436861\cayman_gettext\gettext\MSVC14\libintl_dll\Release\libintl_dll.pdb11 source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\531149\out\Release\sites.pdb source: sites.dll.2.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\122913\out\Release\SXIn64.pdb source: SXIn64.dll.2.dr
Source:	Binary string: msvcr120.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMDns.pdbDD!GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar32\Release\RAR.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp110.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004674000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallerAnalytics.pdbz source: ZwmyzMxFKL.exe, 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMDns.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwCommonUI.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wininet.pdbUGP source: ZwmyzMxFKL.exe, 00000000.00000003.1510639560.0000000005449000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584512070.00000000032AD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622869\src\x\x64_ntvbld\objfre_win7_amd64\amd64\ntvbld64.pdbL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\oDayProtect.pdbAA#GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622859\src\x\x86_ntvbld\objfre_win7_x86\i386\ntvbld.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: h:\ch1\src\sandbox\wow_helper\wow_helper.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp80.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000479B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\8168\vc98\dev\bin\vcspawn.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMEventBus.pdbZZ source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr110.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\419058\out\Release\360AppCore.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888505607.0000000003910000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1888803964.0000000003AFE000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000004550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQPCHwNetwork.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\fhbemb\src\bin\Release\fhjyy.pdb source: MSI6FFE.tmp, 00000007.00000002.1896631716.0000000000C9E000.00000002.00000001.01000000.0000000B.sdmp, MSI6FFE.tmp, 00000007.00000000.1816871187.0000000000C9E000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\test\intelligentDemo\PackageMgr\Release\PackageMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\kwlogsvr.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScanX64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLib.pdbp source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMAVProxy.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: h:\ch1\src\sandbox\wow_helper\wow_helper.pdbp source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000479B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-19188697\cayman_glib\glib\src\build\win32\vs14\Release\Win32\bin\gmodule-2.0.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\fhbemb\src\bin\Release_NL\fhbmini.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, Haloonoroff.exe, 00000014.00000000.1932897571.000000000040E000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\368203\out\Release\HipsLog.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: ZwmyzMxFKL.exe
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb.. source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000479B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMRtpDLL.pdbWW'GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQFileFlt.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000479B000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\531149\out\Release\sites.pdbX source: sites.dll.2.dr
Source:	Binary string: libEGL.dll.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G:\CLIENT\WallPaper_feihuo\windows\FFWallpaper\bin\Release\bfcipc.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \WallPaper\windows\FFWallpaper\bin\Release\FFWallpaper.pdb source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\622869\src\x\x64_ntvbld\objfre_win7_amd64\amd64\ntvbld64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb-- source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\build\ob\bora-21885936\cayman_zlib\build\release\win32_vc140\zlib\build\zlib1.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004FF1000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\obj\VS\Microsoft.VisualStudio.Web.Host\Release\Microsoft.VisualStudio.Web.Host.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMRtpDLL.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\MemDefrag.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\basichttp\win32\release\basichttp.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallerAnalytics.pdb source: ZwmyzMxFKL.exe, 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\test\intelligentDemo\PackageMgr\Release\PackageMgr.pdb//' source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMAVProxy.pdb__(GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp

Source: ZwmyzMxFKL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ZwmyzMxFKL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ZwmyzMxFKL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ZwmyzMxFKL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ZwmyzMxFKL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: shiF855.tmp.0.dr

Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00CDE740 LoadLibraryW,GetProcAddress,LoadImageW,FreeLibrary,

0_2_00CDE740

Source: initial sample

Static PE information: section where entry point is pointing to: .code1

Source: shiF855.tmp.0.dr	Static PE information: section name: .wpp_sf
Source: shiF855.tmp.0.dr	Static PE information: section name: .didat
Source: mcommu.dll.2.dr	Static PE information: section name: DLLShare
Source: mcommu.dll.2.dr	Static PE information: section name: DLLShare
Source: mcommu.dll.2.dr	Static PE information: section name: DLLShare
Source: mcommu.dll.2.dr	Static PE information: section name: DLLShare
Source: Safelive.dll.2.dr	Static PE information: section name: .IShareO
Source: safemon64.dll.2.dr	Static PE information: section name: .share
Source: safemonhlp.dll.2.dr	Static PE information: section name: .manifst
Source: shell360ext.dll.2.dr	Static PE information: section name: .orpc
Source: shell360ext64.dll.2.dr	Static PE information: section name: .orpc
Source: Sites64.dll.2.dr	Static PE information: section name: text
Source: SiteUIProxy.dll.2.dr	Static PE information: section name: shared
Source: SMLLauncher.dll.2.dr	Static PE information: section name: .menu_sh
Source: SMLLauncher64.dll.2.dr	Static PE information: section name: .menu_sh
Source: spsafe.dll.2.dr	Static PE information: section name: .share
Source: spsafe.dll.2.dr	Static PE information: section name: .hlpsec
Source: spsafe64.dll.2.dr	Static PE information: section name: .share
Source: spsafe64.dll.2.dr	Static PE information: section name: .detourd
Source: spsafe64.dll.2.dr	Static PE information: section name: .detourc
Source: spsafe64.dll.2.dr	Static PE information: section name: .hlpsec
Source: vccorlib140.dll.2.dr	Static PE information: section name: minATL
Source: WdHPFileSafe.dll.2.dr	Static PE information: section name: .MAGIC
Source: WdHPFileSafe.dll.2.dr	Static PE information: section name: QProtect
Source: WdHPFileSafe64.dll.2.dr	Static PE information: section name: .MAGIC
Source: WdHPFileSafe64.dll.2.dr	Static PE information: section name: .code0
Source: WdHPFileSafe64.dll.2.dr	Static PE information: section name: .code1
Source: uni_links_desktop_plugin.dll.2.dr	Static PE information: section name: _RDATA
Source: url_launcher_windows_plugin.dll.2.dr	Static PE information: section name: _RDATA
Source: window_manager_plugin.dll.2.dr	Static PE information: section name: _RDATA
Source: window_size_plugin.dll.2.dr	Static PE information: section name: _RDATA
Source: NetmTray.dll.2.dr	Static PE information: section name: .menu_sh
Source: NetmTray64.dll.2.dr	Static PE information: section name: .menu_sh
Source: npaxlogin.dll.2.dr	Static PE information: section name: .orpc
Source: Ntvbld64.dll.2.dr	Static PE information: section name: .share

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D751AE push ecx; ret	0_2_00D751C1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CBB3E0 push ecx; mov dword ptr [esp], 3F800000h	0_2_00CBB516
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BDB860 push ecx; mov dword ptr [esp], ecx	0_2_00BDB861
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE458F5 push edi; retn 0004h	0_2_6CE458F6
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE448D8 push E86CEF0Ah; iretd	0_2_6CE448DD
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE9045C push ecx; ret	0_2_6CE9046F
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00D751AE push ecx; ret	5_2_00D751C1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00CBB3E0 push ecx; mov dword ptr [esp], 3F800000h	5_2_00CBB516
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BDB860 push ecx; mov dword ptr [esp], ecx	5_2_00BDB861
Source: C:\Windows\Installer\MSI6FFE.tmp	Code function: 7_2_00C92A26 push ecx; ret	7_2_00C92A39
Source: C:\Windows\Installer\MSI6FFE.tmp	Code function: 7_2_701435B5 push ecx; ret	7_2_701435C8
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DE2FB6 push ecx; ret	8_2_00DE2FC9
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DE31BA push ecx; ret	8_2_00DE31CD

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSI6FFE.tmp

Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe

File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGXlong.sys

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\netmstart.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp120.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\zip.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\safewrapper32.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vcl120.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr120.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF8E3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\settingcentercfg.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\swverify64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\shiF855.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\Ntvbld64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcr80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\mcommu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wdui3.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wdres.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.Bcl.AsyncInterfaces.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SpeedUp.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\bfcipc.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\PSpendZ.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\safe505.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NetDiagDll.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File created: C:\Users\user~1\AppData\Local\Temp\1732545569\....\Microsoft.TransCompositio.msi (copy)	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\lockkrnl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\safemonhlp.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yhregd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\UninstAgent.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\TPClnVM.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wuhelp.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\hipslog.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NetmLogin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSI5CA.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4DB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\qutmload.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wddisam.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI185F.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\zlib1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\vxproto.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6FFE.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user~1\AppData\Local\Temp\6003093\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\vcruntime140.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\N0vaDesktop.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI18BE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NetSpeed.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vmauthd.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSI92FA.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\7z.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp90.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\DrawContent\DrawContentNoname.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrLiteBase.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SxWrapper.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File created: C:\Users\user~1\AppData\Local\Temp\9206\....\Microsoft.TransCompositia.msi (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wdtHelper.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\KwCommonUI.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\HipsdiaMain.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Agent	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\lco.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp120.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\oDayProtect.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\StartSD.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\7z.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\pp_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMEventBus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\ramengine.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp140.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\TDPSTAT.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.VC90.CRT\msvcp90.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QMOfficeScan.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\ebHost.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\http.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSI92DA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\npaxlogin.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp140_2.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\SysWOW64\libjyy.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\ntvbld.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\vccorlib140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\np360SoftMgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\X64For32Lib.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMAVProxy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\UnifyCommon.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\swverify32.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user~1\AppData\Local\Temp\6003156\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SomProxy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wdexhelper.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vclx120.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\safehmpg64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\spsafe64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\qutmvd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI39A9.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\PackageMgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QMAVProxy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\webprotect.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.VC90.CRT\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSI56B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSI51C.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\TDPCONTROL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\QseCore.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\sites.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\rar.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user~1\AppData\Local\Temp\6002093\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\safemon64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\MiniUI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\lzmaextractor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\window_size_plugin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SiteUIProxy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wuhelp64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\WDRecord.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\KwLayoutMgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QMDns.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSI609.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\UninstDisplay.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6B0B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\url_launcher_windows_plugin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\uniconft64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\svcMonitor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\shell360ext64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\PopSoftEng.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\libEGL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\qroscfg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSIFDE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\urlproc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\safewrapper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\sysmon.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\OTGContainer.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\oDayProtect.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcr90.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI18EE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\shi1542.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NetmTray.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\ntvbld.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\bpchelper.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\KwLogSvr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrExt64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SXIn.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\TDPINFO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp110.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SomAdvUtils.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shiF9BB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3979.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr110.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SomPlugin.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Watson2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\Safelive.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\madBasic_.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\spsafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\mobileflux.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shiFA39.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SoftUpdate.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SysSweeper.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\rtl120.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\WiFiSafe.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shi621.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcr110.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\XLGameUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NetmonEP.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\TengineEx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\qutmipc.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user~1\AppData\Local\Temp\6003187\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrExt.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\shell360ext.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI19F8.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\fhjyy.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\Sites64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user~1\AppData\Local\Temp\6002156\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NetDefender.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\UPSDK.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF990.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1A38.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SpeedupOpt.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vcruntime140_1.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\madDisAsm_.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\RX.EXE	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\ATellPhon	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\statslib.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\NetDevenvSpeed.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wdzerop.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\ToastImage.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QQPCHwNetwork.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wdexhelperx64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\libcurl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wdefence.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SpeedldSetting.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\TrashClean.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SXIn64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NetmTray64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\intl.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QQFileFlt.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\TEngine.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user~1\AppData\Local\Temp\6003125\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SelfProtectAPI2.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QMOfficeScanX64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\MemDefrag.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\wdui2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\UDiskScanEngine.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140_2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\WHelp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NotifyDown.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Ntvbld64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\INAF816.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\sysoptm.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File created: C:\Users\user~1\AppData\Local\Temp\9210\....\Microsoft.TransCompositib.msi (copy)	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\madExcept_.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\uniconft.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\window_manager_plugin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\Netgm.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\probe.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\SMWebProxy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\sysfilerepS.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shi690.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\APXhttp.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\libcurl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\qex.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp110.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\PDown.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.VC90.MFC\mfc90.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\zpthdo.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\PackageMgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\iopdate.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\safehmpg.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\libmini.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QMRtpDLL.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	File created: C:\Users\user~1\AppData\Local\Temp\6002031\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\BBC.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\pluginmgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMDns.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\sbmon.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\KwLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\WindowInjection.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\zeropmgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\uni_links_desktop_plugin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4FB.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcr120.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\APXmodule-2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\DnLIMGKCARTO\NewKernel.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI19F8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI185F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI39A9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\SysWOW64\libjyy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6FFE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3979.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6B0B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI18BE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI18EE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1A38.tmp	Jump to dropped file

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\madBasic_.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\madDisAsm_.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\madExcept_.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\rtl120.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vcl120.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vclx120.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Agent	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File created: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\ATellPhon	Jump to dropped file

Source: C:\Windows\Installer\MSI6FFE.tmp

Code function: 7_2_701410C0 ProcessMain,_memset,CoInitialize,CoCreateGuid,CoCreateGuid,swprintf,CoUninitialize,_memset,lstrlenW,lstrlenW,RegCreateKeyW,RegSetValueExW,RegCreateKeyW,lstrlenW,RegSetValueExW,RegCloseKey,RegCloseKey,RegCreateKeyW,lstrlenW,RegSetValueExW,RegCloseKey,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,__wcsrev,_memset,lstrcatW,lstrcatW,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,_memset,wsprintfW,wsprintfW,_memset,wsprintfW,_memset,wsprintfW,_memset,ShellExecuteExW,ShellExecuteExW,WaitForSingleObject,WaitForSingleObject,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,

7_2_701410C0

Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Znfwnnebe9356wfl

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: C:\Program Files (x86)\DnLIMGKCARTO\qex.dll, type: DROPPED

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\msiexec.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File opened / queried: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\themes\ovf-vmware.xsd			Jump to behavior
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	File opened / queried: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\themes\ovfenv-vmware.xsd			Jump to behavior

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: GetAdaptersInfo,GetAdaptersInfo,

0_2_6CE65B60

Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe

Thread delayed: delay time: 86400000

Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Window / User API: threadDelayed 6607
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Window / User API: foregroundWindowGot 1756

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\netmstart.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp120.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\zip.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\safewrapper32.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vcl120.bpl	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF8E3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\settingcentercfg.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\swverify64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiF855.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcr80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\Ntvbld64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\mcommu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wdui3.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wdres.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.Bcl.AsyncInterfaces.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SpeedUp.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\bfcipc.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\PSpendZ.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\safe505.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NetDiagDll.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\lockkrnl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\safemonhlp.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yhregd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\UninstAgent.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\TPClnVM.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wuhelp.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\hipslog.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NetmLogin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI5CA.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4DB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\qutmload.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wddisam.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI185F.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\zlib1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\vxproto.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\6003093\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\vcruntime140.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\N0vaDesktop.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI18BE.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vmauthd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NetSpeed.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI92FA.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\7z.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp90.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\DrawContent\DrawContentNoname.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrLiteBase.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SxWrapper.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\9206\....\Microsoft.TransCompositia.msi (copy)	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\KwCommonUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wdtHelper.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Agent	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\lco.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp120.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\oDayProtect.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp100.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\7z.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\StartSD.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\pp_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMEventBus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\ramengine.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp140.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.VC90.CRT\msvcp90.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QMOfficeScan.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\ebHost.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\http.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI92DA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\npaxlogin.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp140_2.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\ntvbld.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\vccorlib140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\np360SoftMgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\X64For32Lib.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMAVProxy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\swverify32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\UnifyCommon.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\6003156\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SomProxy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wdexhelper.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vclx120.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\safehmpg64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\spsafe64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\qutmvd.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\PackageMgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI39A9.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QMAVProxy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\webprotect.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.VC90.CRT\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI56B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI51C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\QseCore.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\sites.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\6002093\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\rar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\MiniUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\safemon64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\lzmaextractor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\window_size_plugin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SiteUIProxy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wuhelp64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\KwLayoutMgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\WDRecord.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QMDns.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI609.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6B0B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\UninstDisplay.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\uniconft64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\url_launcher_windows_plugin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\svcMonitor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\shell360ext64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\PopSoftEng.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\libEGL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\qroscfg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFDE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\urlproc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\safewrapper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\sysmon.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\OTGContainer.exe	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\oDayProtect.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcr90.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI18EE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi1542.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NetmTray.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\ntvbld.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\bpchelper.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\KwLogSvr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrExt64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SXIn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp110.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SomAdvUtils.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiF9BB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3979.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr110.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SomPlugin.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Watson2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\Safelive.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\madBasic_.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\spsafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\mobileflux.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiFA39.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SoftUpdate.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SysSweeper.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\rtl120.bpl	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi621.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\WiFiSafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcr110.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\XLGameUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NetmonEP.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\qutmipc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\TengineEx.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\6003187\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrExt.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\shell360ext.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI19F8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\Sites64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\6002156\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NetDefender.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1A38.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF990.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SpeedupOpt.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vcruntime140_1.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\RX.EXE	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\madDisAsm_.bpl	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\ATellPhon	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\statslib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wdzerop.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QQPCHwNetwork.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\ToastImage.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wdexhelperx64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wdefence.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SpeedldSetting.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\TrashClean.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SXIn64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NetmTray64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\intl.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QQFileFlt.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\TEngine.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\6003125\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SelfProtectAPI2.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QMOfficeScanX64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe64.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\MemDefrag.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\UDiskScanEngine.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\wdui2.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140_2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\WHelp.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Ntvbld64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NotifyDown.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\INAF816.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\sysoptm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\9210\....\Microsoft.TransCompositib.msi (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\madExcept_.bpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\uniconft.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\window_manager_plugin.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\Netgm.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\probe.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\SMWebProxy.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\APXhttp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\sysfilerepS.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi690.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp110.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\qex.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\PDown.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.VC90.MFC\mfc90.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\zpthdo.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\PackageMgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\iopdate.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\safehmpg.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\6002031\....\TemporaryFile (copy)	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QMRtpDLL.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\pluginmgr.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMDns.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\sbmon.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\KwLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\WindowInjection.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\zeropmgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\uni_links_desktop_plugin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4FB.tmp	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcr120.dll	Jump to dropped file
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\APXmodule-2.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DnLIMGKCARTO\NewKernel.dll	Jump to dropped file

Source: C:\Windows\Installer\MSI6FFE.tmp

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

API coverage: 9.2 %

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe TID: 6912	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe TID: 2916	Thread sleep time: -75000s >= -30000s
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe TID: 3364	Thread sleep time: -61000s >= -30000s
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe TID: 4244	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe TID: 4256	Thread sleep time: -74000s >= -30000s
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe TID: 3024	Thread sleep time: -86400000s >= -30000s
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe TID: 4244	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File Volume queried: C:\Program Files (x86) FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerFQ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File Volume queried: C:\Program Files (x86)\WindowsInstallerFQ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D00640 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_00D00640
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CDB1B0 FindFirstFileW,GetLastError,FindClose,	0_2_00CDB1B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D0A4B0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00D0A4B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BE0880 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW,	0_2_00BE0880
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D0A8B0 FindFirstFileW,FindClose,	0_2_00D0A8B0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CDA850 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00CDA850
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CE8F30 FindFirstFileW,FindClose,FindClose,	0_2_00CE8F30
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00CBFE80 FindFirstFileW,FindNextFileW,FindClose,	0_2_00CBFE80
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE87870 FindFirstFileW,FindClose,GetLastError,FindClose,	0_2_6CE87870
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE7D070 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,	0_2_6CE7D070
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CEA6B85 FindFirstFileExW,	0_2_6CEA6B85
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00CDB1B0 FindFirstFileW,GetLastError,FindClose,	5_2_00CDB1B0
Source: C:\Windows\Installer\MSI6FFE.tmp	Code function: 7_2_00C974DA FindFirstFileExW,	7_2_00C974DA
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DA8BA4 __EH_prolog3_GS,FindFirstFileA,FindFirstFileW,FindFirstFileW,	8_2_00DA8BA4
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E0D528 FindFirstFileExA,	8_2_00E0D528
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E0D7E0 FindFirstFileExW,FindClose,FindNextFileW,	8_2_00E0D7E0
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E0D9C1 FindFirstFileExW,	8_2_00E0D9C1
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E0D996 FindFirstFileExA,	8_2_00E0D996

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00D09310 _wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00D09310

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00D719D1 VirtualQuery,GetSystemInfo,

0_2_00D719D1

Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Thread delayed: delay time: 86400000
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Thread delayed: delay time: 30000

Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CompanyNameVMware, Inc.b
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <description>"VMware Authorization Service"</description>
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-vmx.exe%s%c..%c%svmware-vmx-debug.exevmware-vmx-stats.exeNo ticket found
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: StartVirtualMachines%s: Failed to retrieve info from %%ALLUSERSPROFILE%%%s.
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMwareAutostartServiceVMAutostartRunServiceStarting service control dispatcher
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[vmwarestring.dll??0string@utf@@QAE@ABV01@@Z??0string@utf@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z??0string@utf@@QAE@ABV_bstr_t@@@Z??0string@utf@@QAE@ABVubstr_t@@@Z??0string@utf@@QAE@ABVustring@Glib@@@Z??0string@utf@@QAE@PBD@Z??0string@utf@@QAE@PBDW4StringEncoding@@@Z??0string@utf@@QAE@PB_W@Z??0string@utf@@QAE@XZ??1string@utf@@QAE@XZ??4string@utf@@QAEAAV01@V01@@Z??8string@utf@@QBE_NABV01@@Z??9string@utf@@QBE_NABV01@@Z??Astring@utf@@QBEII@Z??Bstring@utf@@QBE?BVubstr_t@@XZ??Bstring@utf@@QBEABVustring@Glib@@XZ??Hstring@utf@@QBE?AV01@ABV01@@Z??Hstring@utf@@QBE?AV01@I@Z??Mstring@utf@@QBE_NABV01@@Z??Nstring@utf@@QBE_NABV01@@Z??Ostring@utf@@QBE_NABV01@@Z??Pstring@utf@@QBE_NABV01@@Z??Ystring@utf@@QAEAAV01@ABV01@@Z??Ystring@utf@@QAEAAV01@I@Z?CopyAndFree@utf@@YA?AVstring@1@PADP6AXPAX@Z@Z?CreateWithBOMBuffer@utf@@YA?AVstring@1@PBXH@Z?CreateWithLength@utf@@YA?AVstring@1@PBXHW4StringEncoding@@@Z?CreateWritableBuffer@utf@@YAXABVstring@1@AAV?$vector@DV?$allocator@D@std@@@std@@@Z?CreateWritableBuffer@utf@@YAXABVstring@1@AAV?$vector@_WV?$allocator@_W@std@@@std@@@Z?GetUtf16Cache@string@utf@@ABEPB_WXZ?IntToStr@utf@@YA?AVstring@1@_J@Z?InvalidateCache@string@utf@@AAEXXZ?Validate@utf@@YA_NABVustring@Glib@@@Z?__autoclassinit2@string@utf@@QAEXI@Z?append@string@utf@@QAEAAV12@ABV12@@Z?append@string@utf@@QAEAAV12@ABV12@II@Z?append@string@utf@@QAEAAV12@PBDI@Z?assign@string@utf@@QAEAAV12@ABV12@@Z?begin@string@utf@@QAE?AV?$ustring_Iterator@V?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@XZ?begin@string@utf@@QBE?AV?$ustring_Iterator@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@XZ?bytes@string@utf@@QBEIXZ?c_str@string@utf@@QBEPBDXZ?clear@string@utf@@QAEXXZ?compare@string@utf@@QBEHABV12@_N@Z?compare@string@utf@@QBEHIIABV12@@Z?compareLength@string@utf@@QBEHABV12@I_N@Z?compareRange@string@utf@@QBEHIIABV12@II_N@Z?empty@string@utf@@QBE_NXZ?end@string@utf@@QAE?AV?$ustring_Iterator@V?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@XZ?end@string@utf@@QBE?AV?$ustring_Iterator@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@XZ?endsWith@string@utf@@QBE_NABV12@_N@Z?erase@string@utf@@QAE?AV?$ustring_Iterator@V?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@V34@0@Z?erase@string@utf@@QAE?AV?$ustring_Iterator@V?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@Glib@@V34@@Z?erase@string@utf@@QAEAAV12@II@Z?find@string@utf@@QBEIABV12@I@Z?find@string@utf@@QBEIII@Z?find_first_not_of@string@utf@@QBEIABV12@I@Z?find_first_not_of@string@utf@@QBEIII@Z?find_first_of@string@utf@@QBEIABV12@I@Z?find_first_of@string@utf@@QBEIII@Z?find_last_not_of@string@utf@@QBEIABV12@I@Z?find_last_not_of@string@utf@@QBEIII@Z?find_last_of@string@utf@@QBEIABV12@I@Z?find_last_of@string@utf@@QBEIII@Z?foldCase@string@utf@@QBE?AV12@XZ?insert@string@utf@@QAEAAV
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: name="VMware.VMware.vmauthd"
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PANIC: %s599 vmware-authd PANIC: %s
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb!!
Source: ZwmyzMxFKL.exe, 00000000.00000002.1917610097.0000000005E11000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1506796894.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1510250352.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1912022206.0000000005E11000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.1917610097.0000000005DE8000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911415806.0000000005DDD000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1506847337.0000000005DE8000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1913972096.0000000005DE6000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1506847337.0000000005E11000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911415806.0000000005E11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004FF1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004FF1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwarebase.DLL
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Unicode_TrimRightvmwarebase.DLL
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 17.5.0 build-22583795VMware Workstation%s Authentication Daemon Version %u.%u for %s %s
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Bor32-update-flase.exe, 00000013.00000002.1938693333.000000000061C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Invalid pathname (too long)Config file not found: %sVMware Server ConsoleYou need read access in order to connect with the %s. Access denied for config file: %sYou need execute access in order to connect with the %s. Access denied for config file: %s%s-fdConnect %sError connecting to %s service instance.Can't create mutex '%s' (%d)Timeout acquiring thread lock.-fdvmauthd.connectionSetupTimeoutCould not open %s process %d. (error %d)Error connecting to vmx process.No such %s process: %s
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Authorization Service
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: name="VMware.VMware.vmwarestring"
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1870577138.00000000009D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m.pakVGX/Optimizat/plugins/ar.pakVGX/Optimizat/plugins/bg.pakVGX/Optimizat/plugins/Microsoft.VC80.ATL.manifestVGX/Optimizat/plugins/Microsoft.VC80.CRT.manifestVGX/Optimizat/plugins/vd.icoVGX/Optimizat/plugins/versionVGX/Optimizat/themes/ca.pakVGX/Optimizat/themes/cs.pakVGX/Optimizat/themes/da.pakVGX/Optimizat/themes/isolinux.binVGX/Optimizat/themes/ovf-vmware.xsdVGX/Optimizat/themes/ovfenv-vmware.xsdVGX/Optimizat/themes/sample.flpVGX/Optimizat/vmPerfmon.hVGX/plugins/de.pakVGX/plugins/el.pakVGX/plugins/en-GB.pakVGX/plugins/en-US.pakVGX/plugins/Microsoft.VC80.ATL.manifestVGX/plugins/Microsoft.VC80.CRT.manifestVGX/plugins/RunHours/es-419.pakVGX/plugins/RunHours/es.pakVGX/plugins/RunHours/et.pakVGX/plugins/RunHours/fa.pakVGX/plugins/versionVGX/Ptuity.plxVGX/Ptuityoosty.plxVGX/qvlnk.broVGX/rbVGX/rtl120.bplVGX/settingssVGX/settingss2VGX/somextrainfo.iniVGX/SresoBooster.uiVGX/station.binVGX/SysP1.batVGX/SysP2.batVGX/Theme.icoVGX/TP.iniVGX/vcl120.bplVGX/vclx120.bplVGX/version/AARV1VGX/version/AARV2VGX/version/AuLibV1VGX/version/AuLibV2VGX/version/CharMainoV1VGX/version/CharMainoV2VGX/version/CjLibV1VGX/version/CjLibV2VGX/version/ComeOnVGX/version/globalV1VGX/version/globalV2VGX/version/QdLibV1VGX/version/QdLibV2VGX/version/qvlnkbroV1VGX/version/qvlnkbroV2VGX/version/settingV1VGX/version/settingV2VGX/version/ShellVGX/version/TOFNCVGX/version/WinCallVGX/VNL.iniVGX/WBGvisualelementsmanifestVGX/WGLogin.olgVGX/Win.rbgVGX/7z.dllVGX/APXhttp.dllVGX/APXmodule-2.0.dllVGX/BBC.exeVGX/bfcipc.dllVGX/bpchelper.dllVGX/ebHost.exeVGX/EduWebContainer.dllVGX/Haloonoroff.exeVGX/hipslog.dllVGX/HoursBroker/DrawContent/DrawContentNoname.exeVGX/HoursBroker/lco.exeVGX/http.dllVGX/intl.dllVGX/iopdate.exeVGX/KwCommonUI.dllVGX/KwLayoutMgr.dllVGX/KwLib.dllVGX/KwLogSvr.dllVGX/libcurl.dllVGX/libEGL.dllVGX/libmini.dllVGX/MemDefrag.dllVGX/Microsoft.Bcl.AsyncInterfaces.exeVGX/Microsoft.VC90.CRT/msvcp90.dllVGX/Microsoft.VC90.CRT/msvcr90.dllVGX/Microsoft.VC90.MFC/mfc90.dllVGX/msvcp100.dllVGX/msvcp110.dllVGX/msvcp120.dllVGX/msvcp140.dllVGX/msvcp140_1.dllVGX/msvcp140_2.dllVGX/msvcp80.dllVGX/msvcp90.dllVGX/msvcr100.dllVGX/msvcr110.dllVGX/msvcr120.dllVGX/msvcr80.dllVGX/msvcr90.dllVGX/NetDevenvSpeed.dllVGX/ntvbld.dllVGX/Ntvbld64.dllVGX/oDayProtect.dllVGX/PackageMgr.dllVGX/pp_helper.exeVGX/PSpendZ.exeVGX/QMAVProxy.dllVGX/QMDns.dllVGX/QMOfficeScan.dllVGX/QMOfficeScanX64.dllVGX/QMRtpDLL.dllVGX/QQFileFlt.dllVGX/QQPCHwNetwork.dllVGX/rar.exeVGX/RX.EXEVGX/TPClnVM.dllVGX/vcruntime140.dllVGX/vcruntime140_1.dllVGX/vmauthd.dllVGX/Watson2.exeVGX/XLGameUpdate.exeVGX/zip.exeVGX/zlib1.dll
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: HttpURI_ParseAndDecodeURLvmwarebase.DLL
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1840446215.00000000009DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VGXVGX/HoursBrokerVGX/HoursBroker/DrawContentVGX/Microsoft.VC90.CRTVGX/Microsot0.MFCVGX/OptimizatVGX/Optimizat/pluginsVGX/Optimizat/themesVGX/pluginsVGX/plugins/RunHoursVGX/UtilsVGX/versionVGX/BoukenVGX/BoukenPVGX/Bo_2VGX/AgentVGX/APKwait.batVGX/ATellPhonVGX/bbnn.rbgVGX/Blend.visualelementsmanifest.xmlVGX/Browser_1VGX/BseziofVGX/cbg.sigVGX/cdm.sigVGXce_200_percent.pakVGX/contribscr.iniVGX/cor.sigVGX/DataTransform.iniVGX/dmEetfzcFeMLeUVbVGX/HoursBroker/CIM_ResourceAllocationSettingData.xsdGursBroker/CIM_VirtualSystemSettingData.xsdVGX/HoursBroker/common.xsdVGX/HoursBroker/hi.pakVGX/HoursBroker/hr.pakVGX/HoursBroker/hu.pakVGX/Houser/li.datVGX/HoursBroker/LICENSE.3rdVGX/HoursBroker/LICENSE.libcodecsVGX/HoursBroker/LICENSE.libdtVGX/HoursBroker/livehis.datVGX/HoursBroker/ioft.VC80.ATL.manifestVGX/HoursBroker/Microsoft.VC80.CRT.manifestVGX/HoursBroker/package.jsonVGX/HoursBroker/rpi.datVGX/HoursBroker/slist.datVXrsBroker/versionVGX/HoursBroker/xml.xsdVGX/intchar32VGX/intchar64VGX/LastnamaVGX/LastnameVGX/LastnymcVGX/libtemp.batVGX/LostVGX/LostHeVG/PVGX/LostPHeVGX/LostPSheVGX/LostSheVGX/madBasic_.bplVGX/madDisAsm_.bplVGX/madExcept_.bplVGX/Microsoft.VC80.ATL.manifestVGX/Microsoft.VC80.RnifestVGX/Microsoft.VC90.CRT/Microsoft.VC90.CRT.manifestVGX/Microsoft.VC90.MFC/Microsoft.VC90.MFC.manifestVGX/Microsoft_VC90_CRT_manifestVGX/NtdLogVGX/NULL.binVGX/NVIDIA_GeForce_Experience_jsonVGX/Optimizat/plugins/am.pakVGX/Optimizat/plugins/ar.pakVGX/Optimizat/plugins/bg.pakVGX/Opit/plugins/Microsoft.VC80.ATL.manifestVGX/Optimizat/plugins/Microsoft.VC80.CRT.manifestVGX/Optimizat/plugins/vd.icoVGX/Optimizat/plugins/versionVptimizat/themes/ca.pakVGX/Optimizat/themes/cs.pakVGX/Optimizat/themes/da.pakVGX/Optimizat/themes/isolinux.binVGX/Optimizat/themes/ovf-vmware.xd/Optimizat/themes/ovfenv-vmware.xsdVGX/Optimizat/themes/sample.flpVGX/Optimizat/vmPerfmon.hVGX/plugins/de.pakVGX/plugins/el.pakVGX/plugins/enGkVGX/plugins/en-US.pakVGX/plugins/Microsoft.VC80.ATL.manifestVGX/plugins/Microsoft.VC9
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FileDescriptionVMware BasicHTTP DLLL
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Server Console
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Authorization and authentication service for starting and accessing virtual machinesVMware Authorization ServiceVMAuthdServiceSuccessfully registered %s.
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-autostart.log
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FileDescriptionVMware event log sourceL
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMWARE_BASICHTTP_TRACE
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Workstation
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 599 vmware-authd PANIC: %s
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevmware-authd.exeF
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: : SSL RequiredNFCSSL supported/tServerDaemonProtocol:SOAPVMware%s Authentication Daemon Version %u.%u%s, %s, %s, %s, %s, %s%sError retrieving thumbprintInvalid arguments to '%s%s'Login failed: token key authentication not allowed.GET TOKEN KEY failed: got %s
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-hostd
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMWARE_HTTPSPROXYBasicHTTP: AppendRequestHeader failed to append to the request header. Insufficient memory.
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FileDescriptionVMware string libraryL
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevmwarestring.DLLF
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <description>"VMware string library"</description>
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwarestring.dll
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: nfcnfcsslvmware-hostdPROXY service %s not found.USER too long.Password required for %s.Login with USER first.InSeCuRePassword not understood.User %s logged in.LOGIN FAILURE from %.128s, %s
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: StartVirtualMachines
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ProductNameVMware WorkstationP
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \VMware\VMware Workstation\vmAutoStart.xml
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 1998-2023 VMware, Inc.J
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMWARE_BASICHTTP_TRACE0bora\apps\lib\basicHttp\http.cBasicHTTP: curl_multi_init failed.
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FileDescriptionVMware Authorization ServiceL
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb..
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 1998-2022 VMware, Inc.J
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-vmx-debug.exe
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 1998-2022 VMware, Inc.D
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMWARE_HTTPSPROXY
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-vmx-stats.exe
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: File_CreateDirectoryvmwarebase.DLL)_strdup
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: security.host.ruisslvmwareauthd.policy.allowRCForReadvmauthd.startupTimeoutgetpeername failed: %d tid %d
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: User not authorized for vpx agent contactvmware-vpxaUser not authorized for vmx contactConnecting socket=%s
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb--
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: InternalNamevmwarestringj#
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \\.\pipe\vmware-authdpipeCreateNamedPipe failed: %s (%d)
Source: ZwmyzMxFKL.exe, 00000000.00000002.1917610097.0000000005E11000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1912022206.0000000005E11000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1506847337.0000000005E11000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911415806.0000000005E11000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1506261431.0000000005E11000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1510250352.0000000005E11000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1913972096.0000000005E11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW-]
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: @vmware-autostartVMAutostart_InitGetVMAutostartConfigFilePathCould not get the ALLUSERSPROFILE folder path
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CompanyNameVMware, Inc.R
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <description>"VMware event log source"</description>
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CompanyNameVMware, Inc.T
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware-client
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-vmx.exe
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000002.1871432161.00000000009B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VGX\Optimizat\themes\ovfenv-vmware.xsdVGX/QQPCHwNetwork.dllVGX/rar.exeVGX/RX
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CompanyNameVMware, Inc.X
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 1998-2022 VMware, Inc.@
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Autostart ServiceCreateService failed (%d)
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: name="VMware.VMware.basichttp"
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: name="VMware.VMware.vmauthd-log"
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004FF1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-\vmware-autostart.loga+Cannot open file '%s'
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-vpxa
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-autostart
Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <description>"VMware BasicHTTP DLL"</description>

Source: C:\Windows\Installer\MSI6FFE.tmp

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00D79913 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00D79913

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00D0D260 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

0_2_00D0D260

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00CDE740 LoadLibraryW,GetProcAddress,LoadImageW,FreeLibrary,

0_2_00CDE740

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D741D9 mov esi, dword ptr fs:[00000030h]	0_2_00D741D9
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D8E8FB mov eax, dword ptr fs:[00000030h]	0_2_00D8E8FB
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D8E93F mov eax, dword ptr fs:[00000030h]	0_2_00D8E93F
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D7FDF7 mov ecx, dword ptr fs:[00000030h]	0_2_00D7FDF7
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CEA68F9 mov eax, dword ptr fs:[00000030h]	0_2_6CEA68F9
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE9D57C mov ecx, dword ptr fs:[00000030h]	0_2_6CE9D57C
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00D741D9 mov esi, dword ptr fs:[00000030h]	5_2_00D741D9
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00D8E8FB mov eax, dword ptr fs:[00000030h]	5_2_00D8E8FB
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00D8E93F mov eax, dword ptr fs:[00000030h]	5_2_00D8E93F
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00D7FDF7 mov ecx, dword ptr fs:[00000030h]	5_2_00D7FDF7
Source: C:\Windows\Installer\MSI6FFE.tmp	Code function: 7_2_00C960A8 mov eax, dword ptr fs:[00000030h]	7_2_00C960A8
Source: C:\Windows\Installer\MSI6FFE.tmp	Code function: 7_2_00C98164 mov eax, dword ptr fs:[00000030h]	7_2_00C98164
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DF1819 mov eax, dword ptr fs:[00000030h]	8_2_00DF1819
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DF18A7 mov eax, dword ptr fs:[00000030h]	8_2_00DF18A7

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00D74245 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_00D74245

Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BFAEA0 __set_se_translator,SetUnhandledExceptionFilter,	0_2_00BFAEA0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D74CCD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00D74CCD
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00BFD8C0 __set_se_translator,SetUnhandledExceptionFilter,	0_2_00BFD8C0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_00D79913 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D79913
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE8F87E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CE8F87E
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE94963 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CE94963
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 0_2_6CE905E5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CE905E5
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BFD8C0 __set_se_translator,SetUnhandledExceptionFilter,	5_2_00BFD8C0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00D79913 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00D79913
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00D74CCD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00D74CCD
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: 5_2_00BFAEA0 __set_se_translator,SetUnhandledExceptionFilter,	5_2_00BFAEA0
Source: C:\Windows\Installer\MSI6FFE.tmp	Code function: 7_2_00C95453 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00C95453
Source: C:\Windows\Installer\MSI6FFE.tmp	Code function: 7_2_00C92920 SetUnhandledExceptionFilter,	7_2_00C92920
Source: C:\Windows\Installer\MSI6FFE.tmp	Code function: 7_2_00C91EEE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00C91EEE
Source: C:\Windows\Installer\MSI6FFE.tmp	Code function: 7_2_00C9278E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00C9278E
Source: C:\Windows\Installer\MSI6FFE.tmp	Code function: 7_2_70142521 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_70142521
Source: C:\Windows\Installer\MSI6FFE.tmp	Code function: 7_2_70141BC3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_70141BC3
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DE460E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00DE460E
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DE47A4 SetUnhandledExceptionFilter,	8_2_00DE47A4
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00E08B72 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00E08B72
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: 8_2_00DE3395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00DE3395

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Process created: C:\Users\user\Desktop\ZwmyzMxFKL.exe "C:\Users\user\Desktop\ZwmyzMxFKL.exe" /i "C:\Program Files (x86)\WindowsInstallerFQ\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\DnLIMGKCARTO" SECONDSEQUENCE="1" CLIENTPROCESSID="6684" AI_MORE_CMD_LINE=1	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU" -o"C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55" -pe6ab90d5741a3329XSJ -aos -y	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\408dd7481cc3.KWR" -o"C:\Program Files (x86)\DnLIMGKCARTO" -pd90abf5032721ffaBCX -aos -y	Jump to behavior
Source: C:\Windows\Installer\MSI6FFE.tmp	Process created: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX" -o"C:\Users\user\AppData\Roaming" -p5ccac7f27f4c789fFPK -aos -y	Jump to behavior

Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Fabout:blank:\kernel32.dll*winswinntwin2000win2000serverwinxpwin2003winvistawin2008win7win2008r2win8win2012win11win10GetNativeSystemInfoProgmanSHELLDLL_DefViewWorkerWSysListView32ToolbarWindow32NotifyIconOverflowWindowBUTTON;Versionopen=%s\%sgetNetBarConfig szMainkey:%s szKey:%s szValue:%s getNetBarConfig error szMainkey:%s szKey:%s
Source: sites.dll.2.dr	Binary or memory string: gShell_traywnd
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ]wQCFFTaskBarDlg{"fftaskbar":{"%s":1,"color":%d,"percent":%d,"align":%d,"applyType":%d}}-%s %d %d %d %dSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeGameDev.exeSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeGame.exeInstallPath%s\wegame.exeExeFileGetCommandLineWkernelBase.dllGetCmdLinentdllProgram ManagerNVIDIA GeForce OverlayDeskWindowkdeskOSRWindowCcWaterMarkWindowATL:00D719E0TXGuiFoundationFound FullScreen Windows: strWindowName=%s strWndClassName=%s hwnd=0x%xSOFTWARE\Microsoft\Windows\CurrentVersion\RunFFWallpaper.exe -silentFFWallpaperSetAutoRun %d, result: %dFolderViewTXMiniSkinLhb
Source: Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: tiCBaseWallPaperPlayer::RemoveAllOldWindowsCBaseWallPaperPlayer: RemoveOldWindowsEx: BasePlayerWnd=0x%xCBaseWallPaperPlayer::RemoveWindows()~CDesktopAttributesCDesktopAttributes::ExitFetchThreadCDesktopAttributes::FetchDesktopInfoThreadNew thread New start @@@@CDesktopAttributes::FetchDesktopInfoThread New exitCDesktopAttributes::FetchDesktopInfoThread New not found Program ManagerCDesktopAttributes::FetchDesktopInfoThread New begin set worker end: #### no explorer.exeCDesktopAttributes::FetchDesktopInfoThread New Err: #### no Program Manager with explorerCDesktopAttributes::monitor explorer err quit bizhiWindows

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_6CE90708 cpuid

0_2_6CE90708

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	0_2_00D030D0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_6CEA9C73
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: GetLocaleInfoW,	0_2_6CEA9975
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: GetLocaleInfoW,	0_2_6CEA1A87
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_6CEA9A9E
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: GetLocaleInfoW,	0_2_6CEA9BA4
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	0_2_6CE6D5E0
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: EnumSystemLocalesW,	0_2_6CEA95FC
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: EnumSystemLocalesW,	0_2_6CEA15BE
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: EnumSystemLocalesW,	0_2_6CEA95B1
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: EnumSystemLocalesW,	0_2_6CEA9697
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_6CEA9722
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_6CEA930F
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	8_2_00E097C9
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	8_2_00E098ED
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	8_2_00E09931
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: GetLocaleInfoW,	8_2_00E0A219
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	8_2_00E1335A
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	8_2_00E135D2
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	8_2_00E136D6
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: EnumSystemLocalesW,	8_2_00E1363B
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	8_2_00E13763
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: GetLocaleInfoW,	8_2_00E139B3
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_00E13ADC
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: GetLocaleInfoW,	8_2_00E13BE3
Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_00E13CB0

Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\three_colors.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\blue.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\three_colors.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\blue.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\three_colors.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\blue.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\three_colors.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\blue.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\whitesmall.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\whitesmall.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\whitesmall.jpg VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00D198C0 CreateNamedPipeW,CreateFileW,

0_2_00D198C0

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00D0D180 GetLocalTime,

0_2_00D0D180

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Code function: 0_2_00D181C0 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegDeleteValueW,RegCloseKey,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegDeleteValueW,RegCloseKey,

0_2_00D181C0

Source: C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe

Code function: 8_2_00DE0FC5 __EH_prolog3_catch_GS,GetVersionExA,

8_2_00DE0FC5

Source: C:\Users\user\Desktop\ZwmyzMxFKL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	2 Windows Service	1 Access Token Manipulation	2 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	2 Windows Service	1 Timestomp	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	21 Input Capture	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	13 Process Injection	1 DLL Side-Loading	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	47 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	132 Masquerading	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	161 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	13 Process Injection	/etc/passwd and /etc/shadow	141 Virtualization/Sandbox Evasion	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	Embedded Payloads	Keylogging	1 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ZwmyzMxFKL.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\DnLIMGKCARTO\7z.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\MiniUI.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NetDefender.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NetDiagDll.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NetSpeed.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\Netgm.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NetmLogin.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NetmTray.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NetmTray64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NetmonEP.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NewKernel.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\NotifyDown.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\Ntvbld64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\PDown.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\PopSoftEng.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\QseCore.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SMWebProxy.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SXIn.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SXIn64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox64.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\Safelive.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SelfProtectAPI2.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SiteUIProxy.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\Sites64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrExt.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrExt64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrLiteBase.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SoftUpdate.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SomAdvUtils.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SomPlugin.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SomProxy.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SpeedUp.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SpeedldSetting.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SpeedupOpt.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\StartSD.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SxWrapper.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\SysSweeper.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\TEngine.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\TengineEx.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\ToastImage.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\TrashClean.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\UDiskScanEngine.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\UnifyCommon.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\UninstAgent.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\UninstDisplay.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\WDRecord.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\WiFiSafe.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\WindowInjection.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\X64For32Lib.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\lockkrnl.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\mcommu.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\mobileflux.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\netmstart.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\np360SoftMgr.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\npaxlogin.dll	2%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\ntvbld.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\pluginmgr.dll	2%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\probe.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\qex.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\qroscfg.dll	3%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\qutmipc.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\qutmload.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\qutmvd.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\ramengine.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\safe505.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\safehmpg.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\safehmpg64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\safemon64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\safemonhlp.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\safewrapper.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\safewrapper32.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\sbmon.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\settingcentercfg.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\shell360ext.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\shell360ext64.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\sites.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\spsafe.dll	0%	ReversingLabs
C:\Program Files (x86)\DnLIMGKCARTO\spsafe64.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.kuwo.cn0	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/v/FilterPayWallpaper	0%	Avira URL Cloud	safe
http://klog.kuwo.cn/music.ylhttp://install-log.kuwo.cn/music.ylhttp://log.kuwo.cn/music.ylrwSend	0%	Avira URL Cloud	safe
https://www.hfnuola.com	0%	Avira URL Cloud	safe
http://updatestats.cd4o.com/api.php?act=update	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/v/AfterLocalSet	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/v/AfterLocalSethttps://bizhi.hfnuola.com/pc/DesktopComponent/GetPopupLi	0%	Avira URL Cloud	safe
http://install-log.kuwo.cn/music.yl	0%	Avira URL Cloud	safe
http://www.ludashi.com0	0%	Avira URL Cloud	safe
http://www.winimage.com/zLibDll1.2.3	0%	Avira URL Cloud	safe
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic	0%	Avira URL Cloud	safe
http://www.super-ec.cn	0%	Avira URL Cloud	safe
https://bizhiweb.hfnuola.com/web/advertising.html?type=	0%	Avira URL Cloud	safe
http://forums.iobit.com/showthread.php?t=16792	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/desktopSubject	0%	Avira URL Cloud	safe
https://www.itrus.com.cn0	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaper	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/agg/StartUp	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/fhbzApi/checkFile	0%	Avira URL Cloud	safe
http://www.bsplayer.com	0%	Avira URL Cloud	safe
http://klog.kuwo.cn/music.yl	0%	Avira URL Cloud	safe
https://idea.hfnuola.com20012rgbautoStartauto_start_slienthideDesktopIconpauseVidoset_mute_on_fullsc	0%	Avira URL Cloud	safe
http://stats.iotransfer.net/active.php	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/v/wallpaperInfoMulti	0%	Avira URL Cloud	safe
https://bizhiweb.hfnuola.com/web/vip.htmlhttps://bizhiweb.hfnuola.com/web/payNew.html%s?channel=%s&p	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/LockWallpaper/Gethttps://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaperht	0%	Avira URL Cloud	safe
https://www.hfnuola.com/select	0%	Avira URL Cloud	safe
https://idea.hfnuola.com	0%	Avira URL Cloud	safe
https://logs.hfnuola.com	0%	Avira URL Cloud	safe
https://bizhi.hfnuola.com/pc/agg/hour	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iobit.com/appgoto.php?to=download	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	false		high
http://www.vmware.com/0	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/v/AfterLocalSet	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe	sites.dll.2.dr	false		high
http://www.kuwo.cn0	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004674000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004318000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/goto.php?id=plusgp01_DB	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/v/FilterPayWallpaper	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://updatestats.cd4o.com/api.php?act=update	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=activateweb-%d	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.hfnuola.com	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://stats.iobit.com/register.php	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.indyproject.org/	Bor32-update-flase.exe, 00000013.00000002.1939750809.0000000000BCD000.00000020.00000001.01000000.0000001D.sdmp	false		high
http://www.iobit.com/faq.php?product=db	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.ludashi.com0	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=vertoold	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ascstats.iobit.com/active.php	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://update.iobit.com/infofiles/db2/db2_oth.upt	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://klog.kuwo.cn/music.ylhttp://install-log.kuwo.cn/music.ylhttp://log.kuwo.cn/music.ylrwSend	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=feature	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://curl.haxx.se/V	e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1949598410.000000006B296000.00000008.00000001.01000000.00000020.sdmp	false		high
http://www.iobit.com/cloud/db/index.php	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://collect.installeranalytics.com	ZwmyzMxFKL.exe, ZwmyzMxFKL.exe, 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmp	false		high
http://www.iobit.com/appgoto.php?to=bannerbuy	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=index	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/v/AfterLocalSethttps://bizhi.hfnuola.com/pc/DesktopComponent/GetPopupLi	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=lostcode	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=proupdate	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	false		high
http://ascstats.iobit.com/moreuse.php	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://idb.iobit.com/check.php	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://install-log.kuwo.cn/music.yl	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll1.2.3	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s1.driverboosterscan.com/worker.php	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/goto.php?id=plusgp01_DBU	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=compare	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/hotquestions-db.php	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/driver-booster-pro.php	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=regovermax	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=usermanual	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.yahoo.com	ZwmyzMxFKL.exe	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.super-ec.cn	Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://stats.iobit.com/active_month.php	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	false		high
http://down.360safe.com/setup.exePathSOFTWARE	sites.dll.2.dr	false		high
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic	ZwmyzMxFKL.exe, 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/lostcode.php	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ascstats.iobit.com/other/db_temp_download.php	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/rfc/bcp/bcp47.txt	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://update.iobit.com/infofiles/db2/Freeware-db.upt	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	false		high
http://forums.iobit.com/showthread.php?t=16792	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=install	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.zlib.net/D	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.0000000003931000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004FF1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/desktopSubject	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.info-zip.org/	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004F5D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1862085982.0000000003AE5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1861605055.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/agg/StartUp	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://twitter.com/iobitsoft	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/fhbzApi/checkFile	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bizhiweb.hfnuola.com/web/advertising.html?type=	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.advancedinstaller.com	ZwmyzMxFKL.exe, 00000000.00000003.1483045794.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911680421.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000002.1918218448.0000000006242000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1914284205.000000000623F000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1911198258.000000000627B000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000000.00000003.1481744488.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1584175211.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, ZwmyzMxFKL.exe, 00000005.00000003.1578901866.000000000103E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iobit.com/goto.php?id=dbsurvey	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaper	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://klog.kuwo.cn/music.yl	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.itrus.com.cn0	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.360.cn	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr, sites.dll.2.dr	false		high
http://www.bsplayer.com	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://logs.hfnuola.com	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://idea.hfnuola.com20012rgbautoStartauto_start_slienthideDesktopIconpauseVidoset_mute_on_fullsc	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cd4o.com/drivers/	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=othupdate	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/appgoto.php?to=feedback	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhiweb.hfnuola.com/web/vip.htmlhttps://bizhiweb.hfnuola.com/web/payNew.html%s?channel=%s&p	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://stats.iotransfer.net/active.php	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=helptranslate	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.hfnuola.com/select	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.sysinternals.com	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/agg/hour	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=forum	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/LockWallpaper/Gethttps://bizhi.hfnuola.com/pc/LockWallpaper/Wallpaperht	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ascstats.iobit.com/usage.php	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1839577125.00000000031EC000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	Bor32-update-flase.exe, 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/productfeedback.php?product=driver-booster	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://idea.hfnuola.com	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iobit.com/appgoto.php?to=filerupt	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004951000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.000000000410D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004674000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004179000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004318000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.1889295473.0000000003F41000.00000004.00001000.00020000.00000000.sdmp, SXIn64.dll.2.dr	false		high
http://update.iobit.com/infofiles/db2/db2_free.upt	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0B	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000004D2E000.00000004.00001000.00020000.00000000.sdmp	false		high
https://installeranalytics.com	ZwmyzMxFKL.exe	false		high
http://update.iobit.com/infofiles/db2/db2_pro.upt	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iobit.com/	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bizhi.hfnuola.com/pc/v/wallpaperInfoMulti	Bor32-update-flase.exe, 00000013.00000002.1945786916.0000000002AC3000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.com	ZwmyzMxFKL.exe	false		high
http://www.iobit.com/appgoto.php?to=revokedkey	e8a0d5af432b7e64DBD.exe, 00000008.00000003.1868265946.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
206.238.43.118	unknown	United States		174	COGENT-174US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562418
Start date and time:	2024-11-25 15:37:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZwmyzMxFKL.exe renamed because original name is a hash value
Original Sample Name:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Detection:	MAL
Classification:	mal84.rans.evad.winEXE@23/427@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 63% Number of executed functions: 92 Number of non-executed functions: 158
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.20.68.201, 2.20.68.210
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: ZwmyzMxFKL.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	PVJ6cLZQ0T.xls	Get hash	malicious	Unknown	Browse	199.232.214.172
	Pe4905VGl1.bat	Get hash	malicious	AsyncRAT	Browse	199.232.214.172
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	199.232.210.172
	WNIOSEK BUD#U017bETOWY 25-11-2024#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	199.232.214.172
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	199.232.210.172
	Vendor Agreement Ready for Your Signature November 22 2024 at 084923 PM.msg	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	199.232.214.172
	http://propdfhub.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	05.Unzipped.obfhotel22-11.js	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	412300061474#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	Payment-251124.exe	Get hash	malicious	FormBook	Browse	38.181.21.178
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	154.49.45.52
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	38.166.98.107
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	38.214.239.244
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	38.191.176.15
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	38.169.189.105
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	149.110.31.106
	la.bot.arm6.elf	Get hash	malicious	Unknown	Browse	38.170.60.226
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	38.184.126.92

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Program Files (x86)\DnLIMGKCARTO\MiniUI.dll	https://baoku.360.cn/d/2000006826_9510044	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\5b15e0.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	233121
Entropy (8bit):	6.780017404433053
Encrypted:	false
SSDEEP:	3072:C5y01xKUstVAnrQnzMYywmn3h1sp7/WvCnIukR4BbxKigu/fgl1glfdjgBftJeC0:AjKbsQnzXtr7tbxKVuE1gQJeCEMx4T
MD5:	85D5A13056634208C19FBA4D4AF99734
SHA1:	7D7C47A386A9A542CF70EA93C8E8B422F0C4F404
SHA-256:	149EE7374F536709670236188C0B879DCE2604DB7C262B2B6F673079D76A1BA0
SHA-512:	DFA88BB49821F1449EF3CCA47A56DC55FE4BA58BE83EE372FFD364A70CFD3D77601BFFDEA0289FB30DF3937FEF34B70C6CA3B275DACAF1234BD5EE5AAD402035
Malicious:	false
Preview:	...@IXOS.@.....@.LyY.@.....@.....@.....@.....@.....@......&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}..Windows..DAN_127.msi.@.....@.....@.....@........&.{7CE79A54-E11F-4229-A93E-21F771890BDE}.....@.....@.....@.....@.......@.....@.....@.......@......Windows......Rollback..ck(W.V.n.d\O:.....RollbackCleanup..ck(W Rd..Y.N.e.N...e.N:. .[.1.].....ProcessComponents..ck(W.f.e.~.N.l.Qh...&.{0BDD925F-9555-4E0F-A320-9E414AC18B7C}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{FEAD2C16-C7B0-493E-B979-1B01A169ADEA}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{219ADBFB-928A-44BA-B5DA-1D1DD02A9DE3}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{7FB0B2CE-26ED-4773-9078-E2F86C2C4CEE}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{449205F5-EF10-4633-89C5-6B9B2E805E5E}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{BB6DA803-06FF-4409-8816-D24DCC1494E9}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{99367B7C-ED56-4B7C-AC93-8377FB8D31D7}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{AE

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGXlong.sys

Download File

Process:	C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe
File Type:	data
Category:	dropped
Size (bytes):	28048
Entropy (8bit):	3.6716486556264147
Encrypted:	false
SSDEEP:	96:BCHCHCHCHCHCwCwCwCwCwCwC9C9C9C9C9C9C9CeCeCeCeCeCeCTCTCTCTCTCTCTo:GUUUUUUI
MD5:	0B459D9B1FD8845D01002151B6AE9056
SHA1:	1ADE97C28A8EEC84AEECFC8D7B8540CC03F7635B
SHA-256:	CBD435C9FE6092EF2285571317DBD6E632673474C60FB481A203FB3E63FBB66C
SHA-512:	11C2060E1B9D174E06AD34BB221C3EBFD16DD184E7C5B4B60500CC0CE7DB017A7753BEB3CB978F09757869BA024D4CE3D53DA606B4BEF735BDB5D5A8CB064DA2
Malicious:	true
Preview:	....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.1.-.2.5. . .9.:.3.9.:.3.1.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.1.-.2.5. . .9.:.3.9.:.3.1.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.1.-.2.5. . .9.:.3.9.:.3.1.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.1.-.2.5. . .9.:.3.9.:.3.1.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.1.-.2.5. . .9.:.3.9.:.3.1.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.1.-.2.5. . .9.:.3.9.:.3.2.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.1.-.2.5. . .9.:.3.9.:.3.2.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.1.-.2.5. . .9.:.3.9.:.3.2.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.4.-.1.1.-.2.5. . .9.:.3.9.:.3.2.....[..Q.[:.].....[..h..

C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	11899249
Entropy (8bit):	7.999984351394933
Encrypted:	true
SSDEEP:	196608:KyI8u4EVuksjwsBda7kJ+a92Fg2HgG81uxjdMh2Bwp7+E7Bg5YYP2OX9DfJGm7H4:KyIF4EVuksssBQ72HedwqElg+vOX9Dfy
MD5:	C66828D973E515ACB0060CB60920DE00
SHA1:	17BC290B5840FF65D84E5C02183A9B2312ED9E68
SHA-256:	3F2D82C5582EB1BE20F8D65708F19D51ECA328EF675C999A84F1CA885C0AE917
SHA-512:	6A812DD495A237C65054C87F141DD76A5892F2BB2EA2488EE96D6B798F957492370765513BAA39451AB72BF0145C3ADC90A3354BC2925A1959FB20E9BC66ECDE
Malicious:	false
Preview:	7z..'...~l..........A........rW"...w._.P.........~0.iH0W{..<...[....6.hy0.\|..N.....l7.:.......[gYE$.......Zjwi9.).....Q.XA?....4.T..Y.v.m..r.. .(..?mP'\5,.c..6.o&......bp.=.)..HT5..IX..@l...^..#...v..S.....h...%.(...d......LD...e.f^.Ao0....$...1.%.....I.V...b..~....q..e.. 5....VX...Nz...V..1}......`..c..7..Iq.X..N?KbY ..a. 8eK...o...-...v.e..c.jR..)..~...........l..t-<../.....E.0...v..Z...q....^Q.ddU..[......h...TZ..A.+..>%4'..X....F6HZ.p7V..0...\.+8..6(.@J>...1..z.qA.{}.n'..6.+.....R..Ams..W...n....j.r.\|r......T$..].........w.M..HK_.q.,..s.....9/K..."...q.2.d.Ny@e.vg.....:LQ..~Z.....v...+I.......w\.}.o..E..#D..c.3.2..l.O.Z..Qwl#p.Y.Y.6..._...pl..a1..e......8..O...L.g....W.m.x.......{.18z.!...eH.#&.m..v.A.Im..p.O..#d...]...._........\|._...,l........y\.>..=..m .2Av.U..N...c....r.....,.W.D..ci.}k..6z..@....\|.........N .{#owy-. rT...+eK.m.O...pg14{$...C&n..W.5.........@.}.....;..:........,q;28.+..F.....?....Lt.@.)..1&.P3.:gN..

C:\Program Files (x86)\DnLIMGKCARTO\408dd7481cc3.KWR

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	4834001
Entropy (8bit):	7.999963493905153
Encrypted:	true
SSDEEP:	98304:i91iY+Lr26MQKS1BD3OAIm9v28jokFLvOgeVyzUASP3MDXW22Cm3rR7E:iCfFx3D3dI8jokVv66UpkXh2COZE
MD5:	190DA843146C5269F9D8EC94AC1FFD38
SHA1:	FA6E5AECAECFAA43E634962956220B6FDAB3C12E
SHA-256:	F4E70D98F1DE3E136172BC919E1657DEA4F53B0703C07B7242F8021CE2243800
SHA-512:	2D831315941441AB9872E376CD205778526BA1A86845DB4D4CAAF278E0EC5DC8980C478DC2E15DAD57611F3D0BA89109398BC3EEC1143DEF02A49E5BE3064E7D
Malicious:	false
Preview:	7z..'.....gp.I.....A........:...x.m..8.R..Z&..!@A.I.:..;.E>[96..$.aVb.../.F..A....Y.r.@..2.y.....Fc.M..F....x.....]....p.1,^Hk......@......3l..#.........n..OV...D;..]..O...?@...U......igPF..g.N..xa'f..e.Y...Y...D.:.....,.f.~..y. 0..wU='.!....?........"....9......gN......j3.....e...'_l..].E[...3?._.r....^.{.Z9..3s..}x.......&....O.(?...0..K..p..%..W....b..........p.J.BW.e./kw..........U.qO.y$a..M."....h.I. ..PH.A.D..9#8......x...{.....#..]....g...7M...[..~.^0..n.X...I.B,......\|Y..^...;...h-.Y6.]....(.n...yJ..X..Z.u..\|..+87..'.x..}.`l...?.....".~..2.V.+....wJd.q^UN...."+.)?... mQ/..kU..^~.....&.0.$.j...Y.l...M..T1...k.h..c?R.-....5..9y.......\.Yg...{.R..r.T.0.....8..rPk\Ng.......d.....v..O"..+R...3U...N..........S[w..6...N.....c\|$..}....1...c...~.a...e.jgu..VnI<..k.Rt..l....h......hv..]?AzH.......7.8,o.5.'......K.2..Y.......>-.q...O.Pj...K...~.....r.Y.w.....g.#..p...w.!!......%....].n...sA..._.YP.~stK.X..m.n.e..n....X...

C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	204
Entropy (8bit):	6.616224253821849
Encrypted:	false
SSDEEP:	6:uL/lIqrpZ8aVrATs/efBjTOFQSuRy+c4MOTkgoEL:mhpC0rAYGfBOFQSuVf
MD5:	F68C164711EA04F63728918CACA19CCA
SHA1:	86EBB36C33BEF4439667F58B0DA7A17FFF4AA9BE
SHA-256:	3268DF88CFE7326DAEBDC1A5D1F4972F5F2F135A5B99FF4CE1EF6FA46FEF7935
SHA-512:	1E830A545DC85691B9A5956C0CF35FA5D915CD043B06B4751323C5D21842B23DE5D5E8A82BF657793B22EA376766FED5805B14AD19619887B9D6BE3B3135ED10
Malicious:	false
Preview:	7z..'....y..p.......<.......R....mt>...L..P.c.....u.A.=._so<......5>..)_.F.......[hbo..B.a.)......+b.1.?>.U.F{j.i.....&.-.Q....h.o.eC..K /.....p......$.....S...0....x..F..Av.#....].......n......v...

C:\Program Files (x86)\DnLIMGKCARTO\7z.dll

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1390312
Entropy (8bit):	6.599443687044708
Encrypted:	false
SSDEEP:	24576:w4wwwwscgymwef8Z8Zzj6z1el68mUi1m/ONxdDDHNCU+3kvaBW7839l5Qafgb6L1:pwwwwscgymwefyEQ/U6/NnDDHNCTeaBf
MD5:	292575B19C7E7DB6F1DBC8E4D6FDFEDB
SHA1:	7DBCD6D0483ADB804ADE8B2D23748A3E69197A5B
SHA-256:	9036B502B65379D0FE2C3204D6954E2BB322427EDEEFAB85ECF8E98019CBC590
SHA-512:	D4AF90688D412BD497B8885E154EE428AF66119D62FAF73D90ADFFC3EEF086CF3A25B0380EC6FDC8A3D2F7C7048050EF57FCEA33229A615C5DCDA8B7022FA237
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0...0...0...9a.=...9c.I...9b.(...b......b.. ...b..&...9...1...9...7...0........4................1....o.1.....1...Rich0...........PE..L....x.c...........!.........~......x7...............................................~....@.........................P...\|......P....p.................P,..........0...............................P...@............................................text............................... ..`.rdata..............................@..@.data...0........4..................@....rsrc.......p......................@..@.reloc...............B..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\MiniUI.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	921160
Entropy (8bit):	6.7626587126151065
Encrypted:	false
SSDEEP:	24576:nJtdTUbI0Ig/fMiK6hRN/IgOoWtT9nQnap:nJjUbIU/fPHhrIgBWtTFQnap
MD5:	5123C3B8ADEB6192D5A6B9DC50C867B1
SHA1:	6D142074A21AA50C240CE57CA19A61E104BBDF41
SHA-256:	273CE954C8D33ABAAC3A0FD8546719F09718C1D91317ECF5B99181DFFA3FE26A
SHA-512:	067305A8F09C480FE4A4C8609638C9A490C4EBE2782BD13C10B380DF14F76D4748EB785F44E7BCB86514718F99D07C3C6A4B43928A294B18020CB0FA589EE2A0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S...2...2...2..f}M..2...JN..2...JR..2.......2.......2...2..3...`_..2...J_.y2...JX.%2...JI..2...`O..2...JJ..2..Rich.2..........PE..L...h..Z...........!......... ......Q........................................ .......G....@..............................................................7...P..$....................................'..@.......................@....................text............................... ..`.rdata...].......^..................@..@.data...X.... ...X..................@....rsrc................j..............@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NetDefender.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	451480
Entropy (8bit):	6.641728581015286
Encrypted:	false
SSDEEP:	12288:c2qfhIic6ZYk/UxdGhZi1MVv2MIbvweYsoOzpgseJUnv9it:c2qfGhz/qgodsoRenv9it
MD5:	2C63554380D33E2AB153CB285E72C2F8
SHA1:	1EDE14CA4003AE639AA80E2F4E90558DD1A49A7A
SHA-256:	F77F9AFB3459F2D2C8FB0354317A0353ACBBF6D31988597775ADCD9AB0D80BA1
SHA-512:	96F951089D907F635AF5A517AAF53FD13064ECA471DC4440B8C67147A91F11043043F102814C2E6DE8933F81F30D6AFFFCC073BF98670A8D52A5518AD89646B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........`.q.3.q.3.q.3B>.3.q.3...3.q.3...3kq.3..3.q.3..3.q.3.q~3.q.3...3.q.3...3.q.3...3.q.3.#.3.q.3...3.q.3Rich.q.3................PE..L....tc...........!.................}..............................................D.....@..............................................................I.......7.. ...................................@............................................text.............................. ..`.rdata..o^.......`..................@..@.data....w.......2..................@....rsrc................*..............@..@.reloc...Y.......Z...>..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NetDiagDll.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	337736
Entropy (8bit):	6.495942481063909
Encrypted:	false
SSDEEP:	6144:g1wCwn8QI2fm53Nx4Lj23TIae3m7jwyhb/7hjW7iBH+ljFx5mcvbKr:gmnckm5dy63TRe3XyhbNjWep+ljFx5R
MD5:	22C3095414CE54C8405225E3BCAAE591
SHA1:	9F0515A564B5077F49AACE011E84AF51F9973F32
SHA-256:	B734DB11E973318D728FE92E112639AE5B8876C855E6507315C707D04D3E0746
SHA-512:	2BE22658A038F8061B398489C357EFBA0F920FA24655A53650593D4924EE565E445D3A7CFD2C9689BC3A79E8355157004640E49B0249FCA63B3EBE11726D42A8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........T...T...T....{.V...].x.M...].n.....].i.....T......s;..O...].g.G...]...U...J.y.U...].\|.U...RichT...........................PE..L....fgS...........!.........(......~........................................`...........@.............................U...l....................................,..`................................S..@............................................text............................... ..`.rdata..............................@..@.data...8Z.......0..................@....rsrc...............................@..@.reloc...A.......B..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NetSpeed.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	499432
Entropy (8bit):	6.633998530829339
Encrypted:	false
SSDEEP:	6144:2gz1k3fKRVIpJcADwPkUeKvd8C/RxC4MwYXlHUCMJ/TBJnt8KZ0Se+4xichK4:tMfKRGJc1tnPC4MwYXVl4/Trt8K61s2
MD5:	049791828DE05D24D29EC9C8687F8B1A
SHA1:	2B6D787EB078DFAE0C6718A9D99D06CEB01FB273
SHA-256:	D418DDA34640521B8695642C7A7E719F173F706472617CFF4ED343FB68211862
SHA-512:	7E36019A163F55932F95D33FACB216B69244DC8D5506CFD1D2E707A736AF448D7A4F78ABEAF85CF0F42E4E18B7EB1D330A9788F73773E6BE23A61C6B2981136F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............a...a...a.......a.......a.......a......a.......a.......a...`.D.a.......a.......a.......a.......a.Rich..a.........PE..L......c...........!................................................................\|.....@.............................a............p...............r..P,......@F.................................(q..@...............`............................text...E........................... ..`.rdata...G.......H..................@..@.data...Xp.......,..................@....rsrc........p......................@..@.reloc..\|d.......f..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\Netgm.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	343784
Entropy (8bit):	6.490658338748216
Encrypted:	false
SSDEEP:	6144:rFp+cWO/EibdFr0Zv7U7bAb1qi8JU0Wexe/1Yd02Y+VZRg43r:rFMcWO/Eib3r8jU7Q1qi860WexexEGe
MD5:	6E5F6B4D49768E131EF614DD07E5EFA5
SHA1:	DBA90982727A9373C8D97E72500D89814184C7B6
SHA-256:	EE326C156144EB89DE76C21C66BDA10BD22922B1A9C85615CACEE84DF355604C
SHA-512:	12FF45D6F469B577E74A62B866DAE2A879751654A6627250286E3CC4F319411FE901155347DA762010F373BBEB46F2BD95E0428893242EE4707BEFA7312CF92D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............o..o..o... ..o.....o.....%o..=..o......o....o....o..o.._o.....o.....o..=..o.....o..Rich.o..........PE..L....P.d...........!.........d...............................................p....... ....@..........................Q.."....@...........Y..............P,... ...*..0...............................x...@............................................text............................... ..`.rdata..2...........................@..@.data...._...`...2...@..............@....rsrc....Y.......Z...r..............@..@.reloc...C... ...D..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NetmLogin.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	533600
Entropy (8bit):	6.567835943059589
Encrypted:	false
SSDEEP:	12288:OgmCH8ZkhmmpKJiv/Dn5EWomaMIhEKf3Io7fknS52:Og58GnOthL/I1nW2
MD5:	5D7B815A95164AFB4A8E35240644793D
SHA1:	3AA5BFB8B2EE68C33BEB3190480CBE0149C29A96
SHA-256:	1158A8B493FC607354DD21E5A601760C082C00EB8B69E839E17E4A198C807418
SHA-512:	95E06406294258A3F81446A17E5CF67A02EFCDB0DA257F32ECD5B48D3F00B9BE628E2F82C04856191CDFDE02474ABC62D64D4A200164D7F6149993E548C8A335
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+.o.o...o...o......n...f..w...f......f..!...HTz.~...o......f..$...f..n...q...n...f..n...Richo...........................PE..L......Z...........!.....F..........'........`...............................`......v.....@..........................U..P....G...........................5......LJ..@c..................................@............`...............................text...iD.......F.................. ..`.rdata.......`.......J..............@..@.data....r...`...8...B..............@....rsrc................z..............@..@.reloc...k.......l..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NetmTray.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	247016
Entropy (8bit):	6.914297747665078
Encrypted:	false
SSDEEP:	3072:LQvXrZQoI8GHJg9bb9wv/cZD9Da5TUUQJYlCXbKJOZwFSYG0GTO/X3/mCP0V:kFIZgXwvkZqUpJRGOZwFVG0X/mXV
MD5:	5B4C825671418F34D95EC1F7BB55FFA1
SHA1:	C0AA182B281EDB4F06BDC98D7CF413AF948AB50A
SHA-256:	AA51AE325D53D586532145E0C6E702247654502C0349C5FC570D7155353B045A
SHA-512:	BEC6D76883BF786F93BCA0E32A36CF21002D5E1CDC1C098628D9D50D1E8E40B0E44C6AAA07DD8B503ABA5B638D44CBFAAF6C4BFB0E9F6C8F49470D7664432F73
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L..#...p...p...p..ap...p..wpv..p..pp6..p/1.p...p...p...p..~p+..p..fp...p..`p...p..ep...pRich...p........PE..L....B.e...........!.................$....................................................@.............................]....i..........x...............P,..........`...............................HM..@............................................text............................... ..`.rdata...q.......r..................@..@.data....N......."...p..............@....menu_sh............................@....rsrc...x...........................@..@.reloc...2.......4...b..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NetmTray64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	290024
Entropy (8bit):	6.537709606383622
Encrypted:	false
SSDEEP:	6144:AhEzpelia8VSPgFmHKbDNATfCfzWNunIj1EpJRGOZwFVG0SJK:AhSpelaSPXMmLC7W4iOZYG0n
MD5:	0F15D28EB4CCD9DADFEC0305BF5F8E2A
SHA1:	04DE9FA6736978FDEFA031082C58FFCD0169861D
SHA-256:	F06872A9A6A6AFB4FEA670385694EA364F271705FB89B09E4390E95752A98F25
SHA-512:	955B8C3F383C66B4249510A20890C856994F2F4E9FA40C374B472B9E19AC2441A86BE67249F13E1F624AAF2F03D0F6A73F69A0E3D73178F2FC39843382D1041E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...q..Hq..Hq..Hx..H...Hx..H{..Hx..HN..HVT.Hl..Hq..Hl..Hx..HR..Hx..Hp..Ho..Hp..Hx..Hp..HRichq..H........PE..d...7B.e.........." .....L...........]...............................................L....@.........................................."..]...0....................#...@..P,......P....h...............................................`..@............................text....J.......L.................. ..`.rdata..M....`.......P..............@..@.data....j...0...,..................@....pdata...#.......$...@..............@..@.menu_sh.............d..............@....rsrc................f..............@..@.reloc..L............2..............@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NetmonEP.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	160584
Entropy (8bit):	6.648758970829866
Encrypted:	false
SSDEEP:	3072:ABDE5pe7xyshJiszc1TLQXDNxLYeW54C:Aip4ysYTLcXP
MD5:	EFEBB6F93832D5A7EEF3BD4EB81D4A79
SHA1:	9A75E55A08422E7B6A7D695EBB0F61589B31005C
SHA-256:	542928806DE9A653C52250A0AB3D7847EF9249C195C00B82E5BDEB066AE6D2DF
SHA-512:	D9F276F0556539739289585B55482034BDF99F0C18917720F1AB84B870DDA3E303792CD4DF85183155BFFF8DA174EFBE8A74506197B268D632BA6916AF00E521
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>...m...m...m..,m...m..=m...m..+m..m.Y.m...m...m...m.."m...m..:m...m..<m...m..9m...mRich...m........PE..L......S...........!.................`...............................................................................*..V.... ..d....`...............X.......p......................................p...@............................................text...I........................... ..`.rdata..VJ.......L..................@..@.data.... ...0......................@....rsrc........`.......4..............@..@.reloc.......p.......>..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NewKernel.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1972240
Entropy (8bit):	6.63076238185676
Encrypted:	false
SSDEEP:	49152:nv1FKcXCAM55Jwaa7VrAHU8tSyAjCGx5H8zJ:v1xM5Maa7BKSyrmmJ
MD5:	8A6E81F3860774D1B7F5F6972F42C848
SHA1:	C2F5A283633360D2A45B5C7887E43E0E9D03B88A
SHA-256:	CE3015C34B24F02B687D6549A222FA164D9314B1E4685845BB022DFCA80BDA95
SHA-512:	27F348C1123A2DE4B9E8E99CFFAB22AD2E2E625CDAE426CF3F6D36CF8A4F2B5E2486C0DD33EFCBC8E5B449AD47E656544D0DAD71AED57E79FA0F8740E530EE5D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q...?...?...?.Q.....?.....?...Q...?.....?.....?...,.?...R...?...D...?...>...?...h.?.....?.....?.....?.Rich..?.........................PE..L....&.b...........!.....f...h......T........................................`............@.........................`...........T.... ...1..............xC...`.....p...............................P{..@............................................text....e.......f.................. ..`.rdata..Hu.......v...j..............@..@.data...h...........................@....rsrc....1... ...2..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\NotifyDown.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	549488
Entropy (8bit):	6.736896619735914
Encrypted:	false
SSDEEP:	12288:XLgRCEprkKZlVgTndpHpTVWDQZNrHIGUYmHASzK8BnWToS09:7gAEprcnLVADQbzIGHmxK+WTO
MD5:	14274CF241144895CA05CD456197F573
SHA1:	4D4009B0A2F7BA56C6C98DC823C41085EF4712C7
SHA-256:	113562BF950B39E9466E8F646C84AAA93F6B2C89530F56913B0B36E0096239A0
SHA-512:	5A8009D935EB59B10523494C6C9D0A79FD29B0FA41CBA046E9CCC60A8D2EBA05CCC23D881E121A4526371E21B7C9DB6CC62783E1A5ACAD019705970C9F52091E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y..y..y.....y.x...y.....y..J...y..J....y..x.P.y.......y.......y.....y.....y.....y.Rich.y.................PE..L....u.T...........!.........@............... ......................................j.....@......................... q.......R..T........Q...........L.......`...M...&..................................@............ ...............................text............................... ..`.rdata...R... ...T..................@..@.data....z....... ...^..............@....rsrc....Q.......R...~..............@..@.reloc...x...`...z..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\Ntvbld64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS-DOS executable PE32+ executable (DLL) (native) x86-64, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	42976
Entropy (8bit):	6.2171815555231875
Encrypted:	false
SSDEEP:	768:iHfqCaczo/ZinYCOd9L9KyhaM7JubDGpZRKjKj9MPgkU7:8fqT/ZWY/L9l7JheMJ
MD5:	671F95CAB2B5CF121125413F250F5275
SHA1:	73D99D09A3D8978A5C6DB43CEC85FB43B03B7A26
SHA-256:	728A1FCDEDCA6DBD8FDDDE3F33CD64DD99853C26EF5B10D3FEF0D76D0480964B
SHA-512:	4AF690AF838CEB026636931AEDE3852EAE6D83881149EF4C28CC1DD032C3F7F6A64B30171C2524512FACD40496DAB305523D20637B44EFBF0D5805D0FAD1FFCB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ!..... ..........e..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ntvbldDXML..$............!.L.!.........`......................................................................Rich....................PE..d.....a.........." .....H...".................p..........................................@.........................................pV.......S..(.......h....p.......h..H?...........................................................................................text....F.......H.................. ..`.data........`.......N..............@...

C:\Program Files (x86)\DnLIMGKCARTO\PDown.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	253456
Entropy (8bit):	6.554744612110189
Encrypted:	false
SSDEEP:	6144:OpoEWHpLJeJ8MvIucm/334RStKp7Tu975:vEsLJeJ8MvPcm/30u975
MD5:	637FB39583F9C2EC81E0557970CD71AD
SHA1:	ADA1137BB47DF62F48407ACC2DC713D92D13A0E0
SHA-256:	330B8EC664949CB9DE5BCCE5AC248148B58DCFEED69ACD8D9CB576AAA935045E
SHA-512:	F72C77D29C51CC6AC1151C919C769BF063E5BAE763033B9BF5BC713E01416ECB301A120B22A17037310E47662EA916A06AA09BB441DBDEE4032A6D59A0876ECC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........gOT...T...T...]..B...].....]..Y...sTr.C...T......]......]..U...J...U...T...V...]..U...RichT...........................PE..L......b...........!................W...............................................j.....@.........................@L.......=..........T...............xC..........@................................!..@............................................text...)........................... ..`.rdata.............................@..@.data....H...P...(...:..............@....rsrc...T............b..............@..@.reloc...,...........j..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\PopSoftEng.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	662920
Entropy (8bit):	6.526894314465185
Encrypted:	false
SSDEEP:	12288:+huSCyAZQUpHByI4ur32KWVyTHrpGUCiAqfoHD2AvdLnaSZCzm3slIalDoH7+F+2:+huSCySQUpHBl4uqKW2Hr9otZCCAlUHa
MD5:	C3EA1FBF2B856FC25E5348C35FF51DD9
SHA1:	87D8FDFDD52FA3BD59FDC7BB1E378091D0D91C16
SHA-256:	6F24B8CA595B4B472320C7A104C64AAD6F0928AD4F1318D1DCFBB0C5BD488A64
SHA-512:	298CE88D37E0496CDF6DADCD7D8890128B90113161311D67ED264B003D5840460FE594B8550FA46E45AF88564E4095C21B748CA3D2B497540ABEB0CAF5533820
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.............~.......~.......T.......~..........................J....~.......~.......T...............~......Rich............................PE..L... .._...........!................q........0...............................P......8.....@..........................J..N...D9...........................6......PT...3..................................@............0..(............................text............................... ..`.rdata.......0......................@..@.data....~...P...8...4..............@....rsrc................l..............@..@.reloc..Vn.......p...t..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\QKFJSGCGWGRQ

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	177
Entropy (8bit):	4.880763515526955
Encrypted:	false
SSDEEP:	3:FCB9RhFUOivy0JQlr0TGKS2e/1k8Ve53y2+FXUsKov13wetdQQqi5xQn:FwrFTZ0eJ4GVfeoFXUszv9wgCQPxQn
MD5:	EAB9552FB070D7C48B31FE6A7A9CB0B3
SHA1:	A8F7E04F0C10082A3A66A6D8AD3BF7815D51744B
SHA-256:	EDC57321D853B03CDFFC2F4021834B57BCCB4080D477F5499B01255B5CE8BCA3
SHA-512:	800D26529897047A7B584F3219CA56AF9ADE591949CE8F2504D25BDE4595515413454A597F9C3A5496D57C3EAB3D514B871021A3B709908002AFBADB68A1FC60
Malicious:	false
Preview:	[XLY]..P2=24c6269477f0.JFU..P5=e6ab90d5741a3329XSJ..P4=7c24ad187eeb.NUX..P7=5ccac7f27f4c789fFPK..P3=408dd7481cc3.KWR..P6=d90abf5032721ffaBCX..P0=DAN127..P1=e8a0d5af432b7e64DBD..

C:\Program Files (x86)\DnLIMGKCARTO\QseCore.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	849224
Entropy (8bit):	6.7893930691706075
Encrypted:	false
SSDEEP:	12288:V/Fiea85oMvk6SqMNH/U6beovEYNVXWTwROJTQ9wC1N4Lx09GpVuQ:VAF85oAk6lMNfU6beXwROJTQSC4l0KuQ
MD5:	AA4E9E8A1B0B7C4126451814701A449F
SHA1:	7D988C453283C345E17422FC4B2B6CCFD8200245
SHA-256:	6CA0ABCD77232A5CBADE520596CAB305012ED72315C09CB5A30C3C1E96367F98
SHA-512:	0738DFDE9EC2B1E23B88FDA344CFBA443705A3AD87F22629676118DF555BD395D1737066EFCC4257B8138A0D282491CBD30F36D1880CA640E7D463855C0AD63C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........!..O..O..O.{....O.{.....O.{....O.Q;...O...L..O...J..O...K..O..O..O...K..O...J...O......O..N...O.W.F...O.W.O..O.W..O....O.W.M..O.Rich.O.........PE..L.....6]...........!................E...............................................f)....@........................../.......0..d........................6.......W..P...p...............................@............................................text............................... ..`.rdata...........0..................@..@.data....F...@...,...2..............@....rsrc................^..............@..@.reloc...W.......X...d..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	212736
Entropy (8bit):	6.5563268584705146
Encrypted:	false
SSDEEP:	3072:Avcp8oGNjoBve82gWpBIcKLrzKA0OV2ufMn6gZxl+aQw6ufYy93XOf:A0KjNIvTNTLfnzVinlxM4H93U
MD5:	C620298CA2BDCA843ABC0ADC2284D22B
SHA1:	5F3ABB307ABF58A68FC383D305C3D665EA97D242
SHA-256:	D02F4E37CDE862031F5CB2D3258700C0FB35240B38FC7ADBD5A1B17D66DF4890
SHA-512:	556B1133C87C068DFA1FF804A72937C7186B0FA4E1B6B304B0DF4C92FFD74F94FF666664A5E9D7A99FB711B92501759E4D193D63D571B81A33FC463414F476EC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......::..~[..~[..~[..w#k.f[..w#z.7[..w#}..[..w#m.e[..~[..EZ..w#t.a[..w#l..[..`.j..[..w#o..[..Rich~[..................PE..L.....`...........!.....&...................@...............................P......s.....@.................................p...x.......................hB... ......PC..................................@............@...............................text....$.......&.................. ..`.rdata..4m...@...n.................@..@.data...\J.........................@....menu_sh............................@....rsrc...............................@..@.reloc..2.... ...0..................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	253184
Entropy (8bit):	6.363916692576782
Encrypted:	false
SSDEEP:	6144:tTCn6I6/mMOqpaWL4nUEMjh7Rpv8k4a1kD6/+jW9xW:tTCnDbCvL4nU1JRD4aD+jW9xW
MD5:	B9A31BA56DC01C0C73155031AE3446D1
SHA1:	42CB51BBDA2A54B8FFB6FDC2B0EB0A489B829362
SHA-256:	8334D8C3862DE837F1BB807DEE2C4AD9B97B3F86BFA21C969BD3048C57BB3513
SHA-512:	35DB8FF9219BF63236B678CA48E3C6DAF90B903E4E78ADAF9830665AC2F9D7052E7C3517D69B761D395BE7D03E5737FF4AD39161D1E601FBE80023CBB4559283
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.o.xp..xp..xp..q...sp..q...2p..q....p..q...yp..q...cp..xp..Gq..q...gp..q...yp..f"..yp..q...yp..Richxp..........PE..d.....`.........." ......................................................... .......f....@..........................................I.......5..x...............d#......hB..........................................................................................text...(........................... ..`.rdata..4...........................@..@.data....e...P...$...@..............@....pdata..d#.......$...d..............@..@.menu_sh............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SMWebProxy.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	295368
Entropy (8bit):	6.583880646699428
Encrypted:	false
SSDEEP:	6144:ijPPsNVSZD4ioUxapXikyDcjMZ1xIf9m5:OXaOD4LUxaJikyo9m5
MD5:	3B01EA2E64EF94C2C5EFE592EE5B70B8
SHA1:	45F6D2C091B4F5C2B965E6EAAA7044EC738DE9BA
SHA-256:	E140B6A46964D31E904E3BB95F6BE6DF5B6E485917B1B25C4BE96A34F4ED20DE
SHA-512:	7746E52530A07731057E21B87B97A6BD3005EA58099BD53DEB9D73765E2B6F127D75B857B350DDF6F99506D378E1FE861A124AE03601FBFCFAA92408BDDCC19E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w..}...}...}.._2...}.......}...t..}...b..}...}..\|.......}......}......x}.......}.../...}.......}..Rich.}..........................PE..L...Hb.b...........!......... ......&........0.......................................5....@.........................p................0...............8..0I...P...&...4..............................8\|..@............0...............................text............................... ..`.rdata..,....0......................@..@.data...<T.......2..................@....rsrc........0......................@..@.reloc...;...P...<..................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SXIn.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	635816
Entropy (8bit):	6.823676525760391
Encrypted:	false
SSDEEP:	6144:Tlz6QjBwh7+43poiJd29rWE0lErzZ5XQth5tp8+H2fpX8KoK+:ZvIakdb29rWE4s95Ab54U2BX5T+
MD5:	980E9ACA6BEF47FBC2932F0DE9F5CAED
SHA1:	8A8E789BF2556874D3E1F6BE59A62B760DB0ADA4
SHA-256:	77AE2B998ACCDF2FE910A6AF0F009D704EA5D22372217B93B0B3CD35EFDD114B
SHA-512:	A5BB750ED0929B37A424C1008CF5501CCEBF3D0874C2B40C7257851D054E7F72C243E3CBA59638148FDC9647D3870CE8BC2E586B812047FD60E6EACF36689676
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.....i.......i.......i......i.......i...h...i......i.......i.......i.Rich..i.................PE..L.....-X...........!.....t..........6G....................................................@.....................................,.......L............~...5.......9..@...................................@...............@............................text....s.......t.................. ..`.rdata..............x..............@..@.data....w...P...H...4..............@....rsrc...L............\|..............@..@.reloc...<.......>...>..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SXIn64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	484264
Entropy (8bit):	4.8651000638357065
Encrypted:	false
SSDEEP:	6144:WaeD8gIbWj/EWytPiiuchD7QQiIU1NQHCPHNmruxwiakbg4N0ofotOs4/:Wan1kQTnStv/
MD5:	74FFD9F87EBF209C684058B414F4419F
SHA1:	9E7C57B7264E9832444050A90E3C701D8133E084
SHA-256:	6C786EC66EE5EDDF2AE13D5877B38AB87C7D2CB917713D83C3E623B17E43CD11
SHA-512:	C29BF6F23F818EFC97C97C1B232E45554B268AE5C9DD273AD09FF5B7888393DF6ED713DB61E97F64F247B89341B90DAD3449E4DD8856036203F795F8C5C6D691
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........y\..\..\..U.)V..U./I..\.....U.8b..U.?$..B.(]..U.-]..Rich\..........................PE..d....c-X.........." ................................................................6.....@.................................................p8.......p.......P...........5...p..(...................................................................................text.............................. ..`.rdata..............................@..@.data...8....P.......6..............@....pdata.......P......................@..@.rsrc........p......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	440944
Entropy (8bit):	5.0570962173478415
Encrypted:	false
SSDEEP:	3072:1vq3Sy0t09MsgqZTM3PpwqQJuIiXfX+FY9eO1hSVdJXizcMkJ83xsnXwS:1s9CpYFiPX+FY9eOjIJSzcKOgS
MD5:	9F07F52CE69A1E46EA6EC1BF19BA0F89
SHA1:	32658306225C8E245CFDDDB2147CCE6A27A33B45
SHA-256:	512F303CD3DE948F462A6D555C1C4AFB54F8909515154A9C2EBC64B0B900AD48
SHA-512:	40F03ED84A0EE231EA9F50860EE512FB92ABF520F8EC08F63AE2D144CE2AADEC1AD6EA2BC5783818DD777E291258CD82495662465C0C4EC1D57EC6386922FBF4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S..BS..BS..B..DBR..BZ.GBE..BZ.VB...BZ.QB..BtF.BQ..BtF.BH..BS..BY..BZ.XBv..BZ.@BR..BM.FBR..BZ.CBR..BRichS..B........PE..L...4.5U...........!.........................0............................................@............................._........................................-..@3..................................@............0...............................text............................... ..`.rdata.......0......."..............@..@.data...d...........................@....rsrc................X..............@..@.reloc...C.......D...^..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	546376
Entropy (8bit):	5.015995676537172
Encrypted:	false
SSDEEP:	6144:i/Vb1CsJBDw9rO+tIizIiJzh6X+pW1N5elfQ5Kjk5ntyszhxIeXP6cQ9cDecrGPv:i11M/6upWMy5FdxIefQ
MD5:	A01A06F88A40B18E991560126EC661D9
SHA1:	B28B7EBCDFCE746143840FA8560F95FEFCCCD96C
SHA-256:	9D4F6BD9D3692F9221AC31EEEAF3089231FC7696902B2E25261625479B474F1D
SHA-512:	78CA189FB5AFB92D72D4AB9A82701768AE441244F3FD2A1E6BBF572ED9D95B490270926939DCEDA45F6581EE898F615B92BBFCBA51DA5738BC9AE93637DE11CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X#..9MT.9MT.9MTJv.T.9MT.A.T.9MT.A.T.9MT.A.T\9MT.. T.9MT...T.9MT..6T.9MT.9LT.8MT.A.T.9MT.A.T.9MT.k.T.9MT.A.T.9MTRich.9MT........................PE..d.....5U.........." .........8.......z..............................................YN....@.............................................a....................@..d5...6..........X.......................................................x............................text...B........................... ..`.rdata..Q...........................@..@.data........ ......................@....pdata..d5...@...6..................@..@.rsrc...............................@..@.reloc..<............ ..............@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\Safelive.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	399080
Entropy (8bit):	6.607169017259267
Encrypted:	false
SSDEEP:	6144:YXpbJ5SqucSsGc/RZ65wy8XwoP4526KTQ84/IJTsPKrcvffHpg+XdfNYedLULVO:Yd3DSmY57DoAlM9TsPKgnzL/
MD5:	B93E6AB683ACF93FF88195A6978ECB80
SHA1:	C99C1A2A3A740BD422C2A2344B78CDD17E1A75B8
SHA-256:	37D5A7BB8B8B16BD853899091E5F1ADBAADCBFCEC04E20FE7A19F3C62F760D3E
SHA-512:	3E1E41253EFD1636C7FAABD8652E074E07865D2678DF6BAA4570CD9FC5096FAC0084FD00B5EAB37F03D9876AE9420FA539AF858624D74F082DE5FED4A4C7C280
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._S'..2IU.2IU.2IU.lHT.2IU...U.2IUIZJT.2IUIZMT.2IU...U.2IU.[HT.2IU.CLT;2IU.CLT.2IU.J.U.2IU.[MT.2IU.[LT.2IU.[MT.2IU.[LT.2IU.[LT.2IU.[MT.2IUIZLT.2IU.@MT.2IU.@HT.2IU.2HU.3IU.\LT.2IU.[MT.2IU.[LT52IU.[IT.2IU.[.U.2IU.2.U.2IU.[KT.2IURich.2IU........................PE..L...a.bd...........!.........^...............................................`............@..........................p..`...@r..,.......................P,... ...3..0...T...................( ..........@............................................text...;........................... ..`.rdata..6...........................@..@.data...pR.......(...x..............@....IShareO............................@....rsrc...............................@..@.reloc...3... ...4..................@..B................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SelfProtectAPI2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	203736
Entropy (8bit):	6.531358280046865
Encrypted:	false
SSDEEP:	3072:T7fkhRh4guLJHlfWd+efnWgRHcEAn1C/7QIzr+1no++7gQlR9PheMD:TTiR8LJFOdb5RHO107QIzay/R9H
MD5:	CF27DAFEABA3797471DA691268635114
SHA1:	CC1B362D8A0E842156BE8C0944EF0C080210F568
SHA-256:	41EB69FEBBD76DFCF6B79E46F57F620BEFCCD720E733CA5CF217CFF5AACD00CE
SHA-512:	13F7FFCE3845D1B665B332A82051D0EEFF4D72768976CC829B7B8779C4D41103084F2BCB8FAB8B76B1F445DD028BB0F20F0387A92E877255B2E46A6433E31F05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b..;..;..;..2{R.6..2{M.(..2{[.N..2{K....;.....2{\.~..2{J.:..%QL.:..2{I.:..Rich;..........................PE..L....z=b...........!.................@....... ............................... ......<K....@.........................p.......(u..........................@?......P....#...............................Z..@............ ...............................text...N........................... ..`.rdata...f... ...h..................@..@.data...`L.......(...x..............@....rsrc...............................@..@.reloc..`*.......,..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SiteUIProxy.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	356416
Entropy (8bit):	6.465138857076493
Encrypted:	false
SSDEEP:	6144:XsTEQD4zJ2lo5iYMHHb4iGb9LdDR6tL2EZoEN4b2oHN0L9c:cTEQDi2EiPH7QR6F2EZPN4b2Y0L9c
MD5:	36F88DA8AB5C25A1655AD0AAEBB2AE50
SHA1:	467ABE06651B6D5B30204C012162090868F4C050
SHA-256:	0574B9283D232BDEAC7C53CC86C5A89435D52FF399039CF5BB304628BE286A6F
SHA-512:	184C1F130717C7E235FB08DBD265D1D2A8E67D106081553A00F66AFC10E80ED4B756386A9717F6051E9ECAD81EAA236DDDD8D863D425F55D996BA713F99FE5CB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@.............A...................m.....@.....................C.......U......./...................................Rich............................PE..L......`...........!.........<.......................................................[....@.........................`.......D........0...............8...7...@...1..@...............................0Q..@............................................text............................... ..`.rdata..?...........................@..@.data....h.......<..................@...shared..P.... ......................@....rsrc........0......................@..@.reloc...I...@...J..................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\Sites64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2168896
Entropy (8bit):	5.999722251500823
Encrypted:	false
SSDEEP:	24576:KuXhkP3HlT0nZuFpgMD+3oHm+FJ4bX0W7rqhA/bWqX+Wpd51XQ0ezUYWV9aA:nkPVT0nZopy3fDWhADb/X5ezUQA
MD5:	3459812C0F0E1AE7A7D45D33EC707E50
SHA1:	8750626D1761B19E1261336828C191D323AA0FD7
SHA-256:	6DCBE7775187D2DF7B00603E4AD1D0863F4C7A003FE4C78E5523A9AAC001A05F
SHA-512:	107507FED0B10CDD2506C2F4D5649EF84A2675171C134A5CB8AA9598471546A903E46DBD10FEEDB2F8AE9F8629824546A626ED255E2667C6ED2D5BCE03448DF0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.is+.. +.. +.. .. -.. ". &.. ". :.. .\j ,.. .\. .. 5. ... .\. .. .\\| 4.. +.. ... ". ... ". ... ". .. 5. .. +.. .. ". .. Rich+.. ........PE..d......`.........." .........................................................@!......^!...@.........................................`/..................8-......T..... ..7.... .L...@................................................................................text............................... ..`.rdata..2...........................@..@.data....L...@....... ..............@....pdata..T............<..............@..@text.................X..............@.. .rsrc...8-...........h..............@..@.reloc..$F.... ..H.... .............@..B................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrExt.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299488
Entropy (8bit):	6.549878286512139
Encrypted:	false
SSDEEP:	6144:6QSVHoPTdlKhw8EtPCLo/LSaQmYmehdchOu91:Q8dmw8EtPyojjAhHu91
MD5:	36833C3A8F35E68C2EB010375E26630B
SHA1:	4EBAD43E9369B8EE410FD79D04357F83774AA111
SHA-256:	236813B1FDF280D842A04CB79E0DB155D9CD982F62D960B34FCD77A79EFA850E
SHA-512:	0C076CC9F75B5E0495575C1FD81758C717FE05C15EED7588D8D914545AF15B4750DD428C590C617CDBA7A66CB3B184D6AA8E9FC59D7D93D1B87F9EFC31A46453
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[......O...O...O..fO...O..pO...O..wOS..O8..O...O8..O>..O...O}..O..yO<..O..aO...O..gO...O..bO...ORich...O........PE..L...n].a...........!.........j......................................................b.....@................................X{...........l...........R..H?...`...&..p................................S..@............................................text............................... ..`.rdata..............................@..@.data....L.......,...x..............@....rsrc....l.......n..................@..@.reloc...=...`...>..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrExt64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	329696
Entropy (8bit):	6.253841397859825
Encrypted:	false
SSDEEP:	6144:yvY2nmcxygauoT0NkSahd64KQYsHRL4ZmgaX9GY:iY2nmcxX7iSazKQRXX9GY
MD5:	E0EFB247B9D7E2A9B1D0BF22885943BB
SHA1:	C031FFA60057C839E5021CCFC49736C4EB22380D
SHA-256:	1640D770434F15014C4A8FCBD41D7C23E8DC1DB633AFE6E767A29733233E0D0D
SHA-512:	C3D56E09CA4EBAC2AF1185716FE4642A28954DE3B1B4DA7E2914BC263734E61F06C3B33CF460D98034B221A7C90CE3EEF17B6A460E9D74C77634781E508C90A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%..[aq..aq..aq..h....q..h...jq..h...q..F...gq..F...`q..F...~q..aq..^p..h...}q..h...`q...#..`q..h...`q..Richaq..........................PE..d....^.a.........." .....4...................................................@...........@.........................................0....................l......X2......H?...0......PW...............................................P..`............................text....3.......4.................. ..`.rdata.. ....P.......8..............@..@.data...0g.......&..................@....pdata..X2.......4..................@..@.rsrc....l.......n...N..............@..@.reloc......0......................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SoftMgrLiteBase.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	355400
Entropy (8bit):	6.542323792350481
Encrypted:	false
SSDEEP:	6144:GTpBZ9Cy4exYXnAwB8fl2NOSjcXpAO2JqKu3ym+XLnMG+t5tWe3cF+NopJZ:yZ9Cy4exYXnAwB8fl2XIXpAOwqKyym+l
MD5:	28B1260CC28FA93CA05B484D2B1609FE
SHA1:	9EBC17E9F6B2E7A20171F7CBBB969EC39F3096AE
SHA-256:	F36F483B2C49AF091E81E9996B203F5457FF4A6057B527383599558C12C46E76
SHA-512:	7B080EBAD4AA849BFC3EF98786BCD99552B4712673C929594F7205303494D6420F0FB805DB697EB2456A4A34F5F1105773F2FC7EE964B0F34EDD374D90FD5A4F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^.N.^.N.^.N.&.N.^.N.&.N!^.N.&.N.^.N...N.^.N...N.^.N.^.N._.N.&.N.^.N.&.N.^.N...N.^.N.&.N.^.NRich.^.N........................PE..L....wL[...........!.........&............... ......................................s.....@.........................`...x............ ...............4...7...0..8...`#...............................e..@............ ...............................text...o........................... ..`.rdata...... ......................@..@.data...XY..........................@....rsrc........ ......................@..@.reloc..0S...0...T..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SoftUpdate.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	483952
Entropy (8bit):	6.516790328229404
Encrypted:	false
SSDEEP:	12288:mZLp16CyKGObhIt5CQ4c0RHSteSxKAAyCxJfTnKjQ:i1dywOKhJxdn0Q
MD5:	1597753FA4C2759A7C03404F3EB279CF
SHA1:	A795F6AB9EEFF02859F5B7F1C8ADF18E23730E4C
SHA-256:	540CA058FCD8A1DCB038F6E77FD7C022D952D23D1260EF643212DACD9200365C
SHA-512:	C7B0A331559742C798CB933729B08D2A94D1A60F00EC032DF693D3187B9F1CAF4E48AB85F310B1496BB75A74F4FBFCE9FE3B0F7562E004607FDCE661A9C88617
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'*RTcK<.cK<.cK<.j3...K<.j3...K<.j3..>K<.D.Q.dK<.D.G.\|K<.cK=.\J<.j3..ZK<.j3..bK<.}...bK<.j3..bK<.RichcK<.........................PE..L...[.LU...........!.....h...........U....................................................@.............................K...l........ ...............L.......0...K.....................................@...............H............................text....g.......h.................. ..`.rdata..+............l..............@..@.data....\|.......J..................@....rsrc........ ......................@..@.reloc...s...0...t..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SomAdvUtils.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1583560
Entropy (8bit):	6.577060691849299
Encrypted:	false
SSDEEP:	49152:c7hpqj4CdVob2ucHfcHKUmg9EqhTBz0HUDPXr:kge2ucEqU1Poq
MD5:	E360B4805637FDAEA4D952118A45658A
SHA1:	D3A83A56C2A23AF152DFF2553C2B2B0006981A35
SHA-256:	C9E148CD484760A2B71E0A604E20A778F24DA39E531BFEB72583F32084C64340
SHA-512:	77379FF68559092C001EC21FEEED445BD7CDC8303443BFC13632E182C2E0E49222CEC22881FAF66EEF681C8C27138336BBA00477F2A3ED52F9930B4237E3E549
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a.cS%...%...%.......&...,..>...,..s...,......p`.-....pv.6...%...D...;..-...,.._...,..$...;..$...,..$...Rich%...................PE..L......b...........!.....8...................P...............................`......q.....@.................................0........@..................0I...P......`U..............................`...@............P......t........................text...\|7.......8.................. ..`.rdata...P...P...R...<..............@..@.data...8........<..................@....rsrc........@......................@..@.reloc..F....P......................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SomPlugin.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	994536
Entropy (8bit):	6.804868194190052
Encrypted:	false
SSDEEP:	24576:o5LLu4L/cVwB5xdfeL2jK+2KKuHFA9aVEaTJa9Tj0sb:YmLiZdfeKjKsKufEaTGTj0sb
MD5:	39D28D643CE7E9354A84707AC873A4A3
SHA1:	1F0B6007CF3694305265DF2180C0167A3D0E2E13
SHA-256:	ED418E4F4468C7ABB44454F63CB1A9E12C4152A55DB73F2E4E0E43E1504D670B
SHA-512:	3607F04535F1FA33D99554C0C8C519EBE91146E62F5CCE77DA842B845318C2FC4CFA8BF6CFBEC21DF6F357D0F14515018F931BCFD06B76F08CD027315D9E90E1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9j.jX..jX..jX......hX..c ..BX..c ...X..c ...X..M.i.mX..M...CX..jX...Y..c ..4X..c ..kX..t...kX..c ..kX..RichjX..................PE..L....(Vd...........!.........d......e"...................................................@.............................P.......@.......................P,... ...... ................................k..@...............X............................text...-........................... ..`.rdata.. P.......R..................@..@.data............J..................@....rsrc................6..............@..@.reloc....... .......<..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SomProxy.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	500968
Entropy (8bit):	6.588411424843017
Encrypted:	false
SSDEEP:	12288:j0fCiJUmeO8+zrmCzb+gbEyX6KZZ1aeHIcUCY7D17BcSFNlZLwt:x4yeHU17BBBGt
MD5:	9FC415C22AFAEF5589C27E7FC51C69DC
SHA1:	4A80183341D29ED1768C8D4921790304CBA34758
SHA-256:	3197F2B656C76AE351B7C4C3FEFC9B6831596477029EFC3B1B958C30F256DA5C
SHA-512:	F92537EED9A56FB9D7854D8C06AC8B819A5E8C21C26D72A682829059D5AFFB7275D3BCA171246B9C53A9DAEC40C2C31BB0E620B55C010BD08CACB372CCDEEEF2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~.............8P5......g6......g . ....g'............................g)......g1......M7......g2.....Rich............................PE..L....WCe...........!......................................................................@.........................P.......\........`..p$...........x..P,.......@..@...................................@............................................text...*........................... ..`.rdata..f8.......:..................@..@.data...\f.......(..................@....rsrc...p$...`...&..................@..@.reloc...U.......V... ..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SpeedUp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	215616
Entropy (8bit):	6.587014873697098
Encrypted:	false
SSDEEP:	3072:xc9X0+ClfdVKeDxmO+kdWA+oVZlLLocujrlTow7N2voF+JaJI5Kz0fyE9XY:3lTFYILJZhzujxl7f17yh9o
MD5:	B3C0D03BCBE6475ACE2064CB486F9CEA
SHA1:	37D7ED0F1F93545E9BF432FF3E0A85A5213FF291
SHA-256:	DACEAF39C955D29ADD7483078CA16BDA4E4ECAC517DE5A1968701B80B3A201B5
SHA-512:	FC22C01A703EA544473385A885F59D8772C1065B3BE0C6352682FE1FD0109F5A223BAAB0238417BE0A066AF434E63AAC45B8C301AF7680A6567A64D1E892B7B2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O.5...f...f...f.V.f...f.V.f...f...f...f...fE..f.V.f...f.V.f...f.V.f...f.\|.f...f.V.f...fRich...f................PE..L.....g^...........!.....\..........dm.......p...............................p......f.....@.........................@.......X........0...................7...@.......r..............................`...@............p..X............................text....[.......\.................. ..`.rdata...e...p...f...`..............@..@.data...<J..........................@....rsrc........0......................@..@.reloc...)...@...*..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SpeedldSetting.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	494824
Entropy (8bit):	6.7211879463477295
Encrypted:	false
SSDEEP:	12288:HN1n2WNDtM/OOerqMllz9UH/4jlpC5Wy3gnQAoqG:XtuVeJJUH0nC5YG
MD5:	AECCE429815042492564045407D5CFA4
SHA1:	695036425CB6C2874EA971F51AE0C2AE9697E841
SHA-256:	0F42CC7238A03E9BF293D52756E8F5E381EEB96B18C985578A401622F6544D4C
SHA-512:	ACE28F042F65A40ED0E6B2A7DCF393D1504109066A6C31BD324B5E33D24DD15D88900F83765D040E8D20CEB917DE809667B5EC894378B2D9B4C8A0BE76DED721
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................q.....`.....g.X....`.....A......A..........n.....v......p......u....Rich..........PE..L.....$e...........!.........F......q........0............................................@.........................`.......\........`...............`..P,...`..0=...4..............................@...@............0..4............................text............................... ..`.rdata..J....0......................@..@.data...\|S.......&..................@....rsrc........`......................@..@.reloc...\...`...^..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SpeedupOpt.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2817768
Entropy (8bit):	6.625744631785977
Encrypted:	false
SSDEEP:	49152:eJi7T7+ObcxerBzFCAli2l44fNrvfF16LXmDk5CDJhgLwY98jXNq:kSCEl44lb+UW
MD5:	008A75AE0209268D6CDF2A53F0CC7BB0
SHA1:	BC74D9B22224DF6C199BC56D67F64081899EC96A
SHA-256:	C3B754C74D26513976AEE0906805403F9FC3E34413250332CE6C01387A53EB7B
SHA-512:	2768ACD6B8392BB29D62C4D73EF2725C504CE5835CF98F589E6FC71C7F53456501F56964B6B51786479CDB1CCEDED4FCE45E9F47E8238A0C3F208356B6303BDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@..G!..G!..G!..(W=.F!..U..B!...n..E!..NY..[!..Ys..O!..NY...!..NY..!..NY..\!..G!..S#..NY..B ..NY..F!..Ys..F!..NY..F!..RichG!..........................PE..L.....d...........!.....H...................`................................+.....N.+...@..........................+$.......$......p%.\.............*.P,...@).\|...@q..............................`5!.@............`......,.$......................text....G.......H.................. ..`.rdata.......`.......L..............@..@.data....$...@$.......$.............@....rsrc...\....p%.......$.............@..@.reloc..\|8...@)..:....(.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\StartSD.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	269640
Entropy (8bit):	6.227555772699694
Encrypted:	false
SSDEEP:	6144:I3QfE2oDrkPuLdYtEZsfj764yo7Y5hI9pmndoElOm+p:4Q2Uu/sfj764yo7Y5hIvQdoEl
MD5:	F82D6F732A74F41C06DB26AFAA36F6F0
SHA1:	7C19D4FCB996E873D9D2DCB6C97C05660DFAA222
SHA-256:	A81BB2D355A28899E1F6943906D18B2545190CE90BA76CC4428E3534FB6B0DCD
SHA-512:	8F49E4D4F39A3C847BCB5C34424C668FF66EF05B483B85A1FD038D6D4BA08C0E8B772268F73BCCD3F314EC6BB67C9EFE11EF56C336A7469D59BA8CE87F2284F5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4'/.pFA.pFA.pFA....rFA.y>.zFA.W.,.wFA.y>.hFA.y>..FA.n..sFA.W.:.kFA.pF@.gDA.y>..FA.y>.qFA.n..qFA.y>.qFA.RichpFA.........PE..L......S...........!.........V.......\|.......................................p......>................................\..R....E...................................(......................................@...............<....D..@....................text...'........................... ..`.rdata.............................@..@.data....x...`...<...H..............@....rsrc...............................@..@.reloc...u.......v..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SxWrapper.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23464
Entropy (8bit):	6.617971536749939
Encrypted:	false
SSDEEP:	384:rFBzx9Jl92M/9VaZDc2nYPLvReeMh+mIjoVWAHKnH0:rF/tICyDc2+C+mIjoiH0
MD5:	0D4ADB43AA1512D086EB5B7CBC61ABC7
SHA1:	E39E2713C63840D513FE03A4368BD97A2923822F
SHA-256:	ABDA03831F8F609259F52865070257363D8A36B4C09D12D57BA42803F05FBF22
SHA-512:	E8897FAE264309E233C1BF91FC9D24F71D2EFBA7737F2066ADF847C64F33BC7D77A0E14915342DDA8B7E9D91E2D1A69AE8C331E0449AEBBE8E7E6EBF10616126
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............u..u..u..t..u......u......u.....u......u.....u.....u.Rich.u.........PE..d....D-X.........." ................h..........p.............................`............@.......................................... ..6.......(....P..x....@.......&...5..........p...................................................p............................text............................... ..`.data........0......................@....pdata.......@......................@..@.rsrc...x....P......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\SysSweeper.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1160936
Entropy (8bit):	6.670277076150087
Encrypted:	false
SSDEEP:	24576:kQ8Kays0fNrrQIyXb/AsZIi8gm8cIrfPDuRzp:hFvprbcAsZl8gm8csKRzp
MD5:	C9F7566911B636034D8625A24BB45908
SHA1:	6B95CD7789F50B3921C1C53032D2A8272578C8EE
SHA-256:	3ADED775182B5DF503A635654DB3BFF7ADFB23462BC77FB33A2C4813305735D4
SHA-512:	F9E1768E4258CA76150FC2A57EBE1944F919172BD7E6160DD54C88DDFE21C0C852451A95ECC3D3C7771211AD7BA8CE918AC7BC43656779F77F33A5BF319E9497
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q>.z5_.)5_.)5_.)...)1_.)<'.)s_.)+..)1_.)...)1_.)<'.)._.)...),_.)5_.)p^.)<'.)._.)<'.)._.)<'.)4_.)+..)4_.)<'.)4_.)Rich5_.)................PE..L.....e...........!................Z.....................................................@.........................@0...................7..............P,...@......................................"..@............................................text.............................. ..`.rdata...b.......d..................@..@.data...(....@...b...&..............@....rsrc....7.......8..................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\TEngine.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1025592
Entropy (8bit):	6.508299413819746
Encrypted:	false
SSDEEP:	24576:utmmjsuasiX4QpVVmqzszaHpYaSEB7itTEOEM49HvCL/9:utmmG9z5JYaT9itTEOEM49HvCL
MD5:	08E5E8BB42F4681E82F9C1DF9663339D
SHA1:	322847778D3C73079AA3B0AAAB855A4C27A75DDE
SHA-256:	D6669036184D0D6DCD03B7CAF60B0991E58464C995D83857A0B825BB9A5C6682
SHA-512:	4DACFAA82FAF65C55EA4CEB478925978A575391312FA35C8B68B3D62B37C60EC0033D991E2B48C81CCF9DB06D27AC73B16D23AFAAD9EEBF2A7D2A1F239894168
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t..;...;...;....Z..>...2m..%...%G..?...2m......2m..f......9......."...;.......2m..h...2m..:...%G..:...2m..:...Rich;...................PE..L.....^...........!................................................................k.....@.........................@U..T...<=.......................j...;......L...p............................... ...@...............4............................text............................... ..`.rdata..............................@..@.data....m...`...6...J..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\TP453990d4df32.TPL

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	719
Entropy (8bit):	7.636883058252472
Encrypted:	false
SSDEEP:	12:+eVpCPLWLm2D5ICHI0rBj0rj6PyfzuPhzILsSKnB8kjNQvmyfaoVtS8:Np84mw5ICHIkyfaWsfJcfDtH
MD5:	D7314EBB79E5DEB9F2679B98B971263B
SHA1:	50C855220C557F9341827497CA2D55A8055A5C75
SHA-256:	7C4C2E9A483115A60EC93CA4D7764C51F39D04258270AB90CE641E24A467875C
SHA-512:	CFC95DEC7A53EADF8F1AF18F524B2E51C642244163C020E990AD3631A8E9F91BE8B2218F97CA731FE18CF022BD30457B08443536AB9682485BE175B98AAB5FED
Malicious:	false
Preview:	7z..'.......p.......?........`c.5$X.qx.j...i.....ST>9...!"t..IdRc.FB..cVXl.xaad...^..F..oQ...3.@BF..uz.G.h.-.&..m.a.&k..F.: m....gPG.\..rE...H..,.+.Y.....\SHL...+.15...T......zwV....}6......7..p..hqe..U.zx.:o..I>........I{.R......b.!"+!...bi.h..R...{'0.p.JH...S...R..b.....3.@.Wqk..4.....iG...p.F.F.I&uT..Q.H{\|S..]..+fE+[D....Y.....d,0j....[.cH...g.%.^..Mh....U+....R.R.>U.-.>.^..M.f...N...7e-.z"".M}?..r...X...m~B.>#...`.(y.G~...3.7dz..._F+..4.....n.c91...Xc<...S.<8.$O..-g....?._L..i.F...N..}.._.u.Y...].z..9P....y.V..3..,.p4......q.w..%.$....i.9.j..W7..N..N...n0.......(.....b.....d....A...".......d....KB."o................$.....S....m<o...* @.'J.#....]............8..9..

C:\Program Files (x86)\DnLIMGKCARTO\TengineEx.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	274248
Entropy (8bit):	6.457818153771843
Encrypted:	false
SSDEEP:	6144:KzufnJplm0qGYR+gy4Otz0xGADAJjcacfxO4:oWnRWNRly4OtCGADAJjcrJ
MD5:	E33C16EAAAEAA8E7555186272664405F
SHA1:	A05139D610C5E6285D9277866F24C92DA2EB79C9
SHA-256:	58820D2A23A361A27512CB8FC24C6D6E6AEE7361819C68E9A3614501F0F83AD1
SHA-512:	1BEFCAFFE696D1602255A3D721F20E6EA914486F4B728CB45743C77E9C6E5CBE9C23EBB6AEBCFBA438914B75824344F5459043363DA1EC0E93A79572D651EBC1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Y...7V..7V..7V..V..7V..V..7V..V.7V.SLV..7V..6V..7V..V..7V..V..7V..V..7V..V..7VRich..7V........................PE..L......S...........!................k........0...............................p......['....@.........................`...o...L........ .......................0..h$...2...............................r..@............0..L............................text............................... ..`.rdata......0......................@..@.data....V..........................@....rsrc........ ......................@..@.reloc...8...0...:..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\ToastImage.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	270152
Entropy (8bit):	6.863193873213617
Encrypted:	false
SSDEEP:	3072:JXqkafznkWtvE0hI32sfvAYMeE7acvQjTPeSyFTBfCwAg0Fuk/aS5haOxrr:41nkWtM0hK2sXAucvGTPEFTBqwAOkFF
MD5:	42AED31F35779D8EF9EC0266B960EF02
SHA1:	0E06F268CB683D5374E3FF183298F2F71F2DDF9A
SHA-256:	C559D7D19934BE56953446CB9EBFC0DF5BA7A9793C45CC36092CB2E49EE307A0
SHA-512:	397F057FF9C18B508A422A5FD4ABC37E458CB782C3D2916E31B13C92F374E387E2C7C7EB17829E84E250616095358D583E478F0435CB01720FB0200D96C20E5F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............K...K...K..AK...K..WK;..K./.K...K..PK...K./.K...K./.K...K...K...K..PK...K..^K...K..FK...K..@K...K..EK...KRich...K................PE..L.....MS...........!.........H......y........................................P......X.....@.............................[...H............0................... ..(....................................w..@...............8.......@....................text............................... ..`.rdata..;...........................@..@.data...(:..........................@....rsrc....0.......2..................@..@.reloc..8-... ......................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\TrashClean.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	577360
Entropy (8bit):	6.560390974036568
Encrypted:	false
SSDEEP:	12288:ivJZDDriv1yiHjw72Y/fqJosC/B2ZqzeGev9O:igDw6+UosC/0Z8rev9O
MD5:	77F5FF16184451B9F1B4C7296404E372
SHA1:	0785FE72BFFFFCC9A4D2DD9E51C73936529C5AE1
SHA-256:	A3F253E2EABD7D50B4076BF515A830C19B9521039C10E5BF2D0AB380BCA5D483
SHA-512:	56DF445258E01AB20B97DCE7F111D60D3033C05F2AE8A2CBEC6C0DEB240063919E6C56BBCB2B3D18F190E203E15CBB53E3A5BD47DD3446282FCEB523FF35E6FD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............R...R...R2.OR...R..LR...R..ZR'..R..]R...R..]R..R.\.R...R.\.R...R...Rn..R..SR...R..KR...R..MR...R..HR...RRich...R................PE..L.....F`...........!................................................................/*....@.................................\........P...................8...`..pi...................................-..@............................................text............................... ..`.rdata... ......."..................@..@.data....U.......(..................@....rsrc........P......................@..@.reloc.."....`......................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\TroPox-B_Plus

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	710888
Entropy (8bit):	6.630506217753264
Encrypted:	false
SSDEEP:	12288:5n9CCUQ0bGwLt1n/iswKJLUY2XOrEO/6awL7wU0s6OzeoXHhS6ckqIbpieFGrh1l:7+tLt1aNYrfBB6BAqZkyQgJ0VL
MD5:	C4A08B391245561157AEFD0FE7C40A11
SHA1:	28D15D43A1BDEBC83701AFD89E6EA9C24F90DB33
SHA-256:	53D7C8F2FD109E85FC9302B7424875BAD22A148D6EDC6C7FD8E4589E97259BFA
SHA-512:	24C7608346B76694BF9D8227FF6A794B26D73C0DA93FD231A2331CD371ACC86F293FB9093850F5513DFBE1D269114A56F47DCADBA11BD98C691AB38472A6CCC6
Malicious:	false
Preview:	Ta+....................[...............................................W.osp.....r.xt.~xuu...y\|...u.pu._jn.t..\|............*3}...........l......l..Y...l..... 8..... 8..... 8..............&..........~;.....~;.....~;.....~;.....~;.....ip~s...........................k\..W.....d..................u...C.......Y............[......................................[..........................................+..?...........#7..k....;..+r...W..o............................W..[.............................................\|.....Sw.......u.....................{...x.x..?0.......1..................[..[..x.x...Oi...K......................[......~...?....+.......A..............[..[..\|w.~..+r...;...s...Y..............[..Y........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\TroPox-E_Plus

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	54272
Entropy (8bit):	5.93759856622623
Encrypted:	false
SSDEEP:	768:84ZiY/4bFznHIFrduXNWvbJa38eZ7DAks8EA885ee0ZjjDCL5Ab:1ZizjohdudWvbY7DiJA885eeEuL5Ab
MD5:	1999663102E57D49FACEAB3360CEFE8A
SHA1:	32F38D84ED4B762213B0BEABED0F22E727988A20
SHA-256:	4DACA1889E9CA478550D22DCA129E68F4D808C5F91CD1A069C9E0015B2D611F7
SHA-512:	EDED16F83960F9EC438EF08BE7092CC07418BD98A6400F9212BE2A92C04399B347BA0EDFB5F0CAFB1BBB23B2A7B4ECDD425A695C70851ABA42BB1031E91A061A
Malicious:	false
Preview:	Ta+....................[...............................................W.osp.....r.xt.~xuu...y\|...u.pu._jn.t..\|............9.........................@.......C...............).......G.....................ip~s............k\..W...U.r....................................+............................................[............................n............................................................................[............+..k.............................\|.....S..............................{...x.x...J...+...K..................[..[..x.x.............................[....\|w.~.............................[..Y................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\TroPox-Z_Plus

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1390312
Entropy (8bit):	6.599443687044707
Encrypted:	false
SSDEEP:	24576:znhMjKSFXpFEzq7zZvjyswjzYnOAjPSy36c9RCvirRMNJbd3g:jhMt/nVo2O56tibxg
MD5:	C77EE913C46510A705A9DDDD91DE8302
SHA1:	CB5E045FA27186B9F23E4919590387478B9343D5
SHA-256:	092689651DB7B81A6816B1F78F8CF81476945D493E9566762F5791ADFC5BDA31
SHA-512:	A6C080D04C92EFBF8A1A4A1D1423837B1282E4CFC0E77D9DA4BC9F78E235AA6CD8AE3468B588FD9D35BA656A7A1B27AAE805662EB6C84B053D0149855F4A6514
Malicious:	false
Preview:	Ta+....................[...............................................W.osp.....r.xt.~xuu...y\|...u.pu._jn.t..\|...............K<+.K<+.K<+..@x.D<+..@~.P<+..@y.<+.y.,.<+.y./.<+.y...<+.@..H<+.@..B<+.K<(..<+.#...O<+.#./.<+.#.,..<+.#.+.H<+.#...H<+.#.).H<+.ip~sK<+.......k\..W......~.............................B.......;..........................................[.........................k...........k...................#...k..........K..............................k..[............;..7.............................\|.....<..............................{...x.x.......;......................[..[..x.x...K...;...O..................[......~..............................[..[..\|w.~.............Y..............[..Y................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\UDiskScanEngine.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	332544
Entropy (8bit):	6.635882811141054
Encrypted:	false
SSDEEP:	6144:nrANFkfATA5+uIC955uwY5QZTJnTd4KiDeo9TBkzZaeeY9d:nrANFdSNIC954qrnT66o9TGzZL9d
MD5:	C4E503A0CD52EFCC173060CB2A210B82
SHA1:	AEF209CF2D973DECE2EAB847AC86273372BC3DC0
SHA-256:	538D54B99A4F6A658E4755F52237A42F2F840326AFCBA33ABEB4C905356FA87B
SHA-512:	BB897B5482AC98B2A6352BD74F3B62EF7C34C72CEA3D18FF1E7A3C205A7C449FA38188A7D7DB7C2AF7DED68770C81E4E889C06BBFF42D33FF7C0E6F56553B9EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;Xg.hXg.hXg.hQ..hLg.hQ..h.g.hQ..hgg.h...hZg.h...hMg.hXg.h.g.hQ..h}g.hQ..hYg.hF5.hYg.hQ..hYg.hRichXg.h................PE..L....E~`...........!.....n...\.......!....................................... ......."....@..........................p..}....`..........p...............hB.......&..`...................................@............................................text....l.......n.................. ..`.rdata..}............r..............@..@.data....N.......(...d..............@....rsrc...p...........................@..@.reloc...9.......:..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\UnifyCommon.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3427560
Entropy (8bit):	6.80730841012121
Encrypted:	false
SSDEEP:	98304:0RFEPq7kqY6ramU+knz/+5ZZ5sX+r2h7bwtwt67PvOzIkC:04q7C6OgkzW5ZZ5sX+r2h7bwtwt67Pvz
MD5:	5ABDEFBD44AC15D0857EEE79958D1F11
SHA1:	0A2C26843F4057ED3A598AC6A2C72831E2AB0BEE
SHA-256:	3FC9DCD1F26A08DE2ADF9D1603BC1AD53582F50C934DD5A9DF4AFE925FB39E05
SHA-512:	338AA807EDC5F706AE2067265574EB4EE907124E416B4F320A1138ADC5C84B0159999BCEC051A04B77C9477151912E572F025BB63231E74C4308F4D800E3B702
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......u;.1Z..1Z..1Z....[.'Z....Y..Z....X..Z..8").3Z.../..;Z..c2..+Z..c2..OZ..c2...Z..8"9.*Z..1Z...[..1Z..'Z.../...X..P ..9Z...3..,Z...3..0Z...3U.0Z..1Z=.0Z...3..0Z..Rich1Z..........................PE..L...\|..d...........!......&..V.......e#.......'...............................4......S4...@...........................1.(.....1.......2.............. 4.P,....2.D...P.0.T...................P.0.......0.@.............'..............................text.....&.......&................. ..`.rdata..H.....'.......'.............@..@.data.........1..z....1.............@....rsrc.........2......J2.............@..@.reloc..D.....2......P2.............@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\UninstAgent.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	584304
Entropy (8bit):	6.4349103160648315
Encrypted:	false
SSDEEP:	12288:P6TyUZvFWlsxw1uj+3vIqzrQCM6iXIAc3eIZvP/RSa41b01:0zUsxPdarQT6iMe2vPAa4i1
MD5:	62DE8832F54584985FE7290C126BE2AA
SHA1:	543E609E0E3DD9CE3C3A42709959BEB851CFC7AF
SHA-256:	2A8D4F7EB4E7D8E9F487DDD19F2FEA8EA640DF597C57C85A7AA595FA80DCAC8A
SHA-512:	33F61DA1A9FE30BBD43E1854811DEF61186B735218FE1FAC8EE859255717A2AE4365DDC946908F02426F1D2BC84B2834B3DC234B8349849430D69A2EF8290940
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)V..m7i.m7i.m7i.dO..p7i.dO...7i.dO..57i.J...j7i.J...r7i.m7h..6i.dO..V7i.dO..l7i.se..l7i.dO..l7i.Richm7i.................PE..L.....5U...........!.....v...X......zc.......................................@......K.....@.........................`...h...............l.......................`i......................................@............................................text...9t.......v.................. ..`.rdata...g.......h...z..............@..@.data............J..................@....rsrc...l............,..............@..@.reloc...............4..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\UninstDisplay.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	313400
Entropy (8bit):	6.739961523183869
Encrypted:	false
SSDEEP:	6144:zhtWE/fEYO17Bu/2DKeqKPiR0M+mx6jgi9:zuEnfOdBu/ZeHPiKNjN9
MD5:	428746F79CC15E57B40C5F726A8B0EF9
SHA1:	60EDFD4B405375CC3CE7166873DF9465B408DFCC
SHA-256:	0223659CD051395E82AD5F782A52B3D3AF014CD922BF24CAC1D78AC0220BC207
SHA-512:	6403EC0128E5CA0B4ADE7AE7007029EFC950D6AD7FDD63B855382AF66579A945B32F5C37E2B0248014D041C70C3A5F5F1C627E8FD77F49B821040F88C7326FF3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3.].3.].3.].KO].3.].KY].3.]...].3.].3.].3.]...].3.].K^].3.].KH].3.].aN].3.].KK].3.]Rich.3.]........................PE..L...F..^...........!.................>..............................................M.....@..........................[..R...\M.......... ................;......d%...................................,..@............................................text...7........................... ..`.rdata...{.......\|..................@..@.data....5...`.......D..............@....rsrc... ............\..............@..@.reloc...%.......&...d..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\WDRecord.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	191816
Entropy (8bit):	6.578995841750193
Encrypted:	false
SSDEEP:	3072:X7Gibv6e0mL7N3WSLS8nCgY3EMbNVxV+Kw3ETPg6moQA5bGkdK3Fz:X7Gi7AOBK8Cg6PxV+Kw3ETPDvE
MD5:	2307166A21A812C0B7846C192E60836C
SHA1:	333F0E0F93DF5B9EB728DFA372027C793B6961CF
SHA-256:	50B92016D6C3D1896967AA781D9F39D2E02217C72D03AFD052B55F020563E8C1
SHA-512:	A7000289F1DC1BCFBF006E61DFFE2041434EB898AC487B59C7531F225282551B8592FD35A882402E873D1DBDE104DFEE8B72A51FE8DF257F57405D1655A54549
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&B.b#..b#..b#...l0.`#..k[3.p#..k[%..#..k[".X#..E...s#..b#...#..k[,.~#..k[4.c#..\|q2.c#..k[7.c#..Richb#..................PE..L......]...........!................X...............................................#v....@.........................@v..c....k..d........................6......4...@...............................@P..@............................................text...2........................... ..`.rdata...f.......h..................@..@.data....G...........`..............@....rsrc................~..............@..@.reloc...*.......,..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	516448
Entropy (8bit):	6.795771007069589
Encrypted:	false
SSDEEP:	6144:chM31nI5wT3LBHTNTHW3GlvM7lEWTvh365TnypuvUNaJicopnish+e1Xz1XvZ:4M31nIK3BRiAM7phqxny8vW9pi6RR
MD5:	74AE70EDD4674372D007CC67BD5008E2
SHA1:	721FCCE70AB1085FB553564103BA0842F2A3704C
SHA-256:	B3A888A145AA0B3146D661EEF292AABB6CA28279B16CB6B963BB8BF888707737
SHA-512:	3FCAFA83BBF2CCB65CEF0B24A1E5B52E1981F7EDDD1E58D50A837514DD6BAE12872D2FED76FAB0C6BABE97B265D171799FFD07C10BFCF203DA105A69B4372595
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........rM.s!M.s!M.s!D..!W.s!D..!..s!D..!..s!j'.!L.s!j'.!^.s!M.r!..s!D..!..s!D..!L.s!S..!L.s!D..!L.s!RichM.s!................PE..L......]...........!........................@.......................................V....@.............................g....v...........................4..~A..X>...................................................................................text....)......................... ..`.rdata...F...@...H..................@..@.data............J...v..............@....MAGIC..............................@....rsrc...............................@..@.reloc...P.......R..................@..BQProtect............................ ..`................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3557784
Entropy (8bit):	7.784085056422432
Encrypted:	false
SSDEEP:	98304:DSPdIaedyBu6/1xQjlJRQQ34T977E5Gf2:DZdGVxERLaRV2
MD5:	36A0DFF437629FC21D98C998C4B597C9
SHA1:	A865CEF3784C0B8BD5CD76AC76F8252AD8058F0E
SHA-256:	C7D713DF5E24AC7726CBD2D327AB8BEAD32881F05AA17CCF28A86692F23ACCEE
SHA-512:	5002A5F06925F15EAE54302B23D822A69E7B76ED25889C631D7EC800A8129F70FE207000A7E56758C237A9F1398046637362780E97ADE3B9C4432CEE343AC6AE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....k.c.........." .................zC......................................PY.......6...@......................................... .A.g....=......@Y.......X..T....6..I...0Y.......................................................=..............................text............................... ..`.rdata..g....0......................@..@.data........ ......................@....pdata..XP...0......................@..@.MAGIC..............................@....code0..............................`..`.code1..,.5..0#...5.................`..h.reloc.......0Y.......5.............@..@.rsrc........@Y.......5.............@..@........................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\WiFiSafe.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1071120
Entropy (8bit):	6.488214903743234
Encrypted:	false
SSDEEP:	24576:IPHR62s8fQvd3rwOvPKEV0+DfMJHqsPQkyDO1P9O:HZ8c3rttVVkHqsPQkya1E
MD5:	677D39F6AACB13F92722D78AE7F11DB6
SHA1:	F40643E19D2F762CB77F0023517B478893401DD0
SHA-256:	077734051997415A15D0F1F2CAC30C85308F5EA5E98245A545FFC3EDD1122C18
SHA-512:	A516ADAD8AE726EF6A4588DF0A8190481FC088651C6B19AE679FA3793DD94261046C48A9D451595E36E2E2E601E4B3BC2FA755E02DF7FBCDE5C881187EB1D1A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........4u..U...U...U..F....U..Q$...U..y....U..=...U..=...U..S....U...<...U..Q$...U..P$...U...-...U..B<...U..}<...U..G<...U..G<...U..}<...U..=...U..4'...U..4'...U...U..T..B<...U..B<...U..B<...U...U...U..B<...U..Rich.U..................PE..L.....sb...........!.................t.......................................P.......i....@..........................;..h...x;..........X...............xC.........p...T...................h...........@...............\|............................text.............................. ..`.rdata..<...........................@..@.data....@...P...2...@..............@....rsrc...X............r..............@..@.reloc.............................@..B................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\WindowInjection.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	60592
Entropy (8bit):	6.645723421805483
Encrypted:	false
SSDEEP:	1536:1TI67ShpHfUIA1WWoYgihd83KskSl7jDxa:m67S30foYg8C6skSJ4
MD5:	9BE546331E54BC130D014C3097838F98
SHA1:	1E11D2C1620E58EAD05D9D64A73F2BCB845F8CAF
SHA-256:	2D056101AD9E8A02D2F1C503BA559D59EB3741F0C6F2F1874218E8BC6A59AE67
SHA-512:	27AB898FF68417518B3637337EEBF906E638211AC5ABABA9AD40807A52DAC73E05AEA27A9A0AB16015BDA4C47409FEB8A3419F6FD6BA5DB23083609EDA9700AA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Yn..............w$.....Oz......Oz......Oz.......d......Oz.......d.......d...............z.......zH......z......Rich....................PE..d.....Rc.........." ................/....................................... ...........`.................................................d...................x........,..............p...............................8............@...............................text....)......................... ..`.rdata..0....@......................@..@.data...............................@....pdata..x...........................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\X64For32Lib.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64992
Entropy (8bit):	6.7012831663710655
Encrypted:	false
SSDEEP:	768:eSJSPDihy5w2MW/he0Z0kl9O2luUARPZVvHC01yRoMRWDDu9KyhaM7DGCiKjKj9c:9JSbt9hjZT9OuARPf8RkDu9lOeMa
MD5:	8239EFED88D656D30E32F4F1A8638638
SHA1:	4DFF685282667C9933205855E6AFE5C0FD6719A7
SHA-256:	70D6AF6748A59613A799E4880EFFF041523F497150C4CD60CACFD8E4FE185380
SHA-512:	2FDB30DD2AEBBD8D94E09FA773F07241F335EF2BE35B5A85BE623EE41102B19F384311AD1DDC4A18648A231719BFA92A04FABCF936D51BD4FA3D82704759C855
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........s...s...s.......s.....s.....s..z....s...r..s.......s.....s.....s.....s.Rich..s.................PE..L......a...........!.....v...B......u#....................................................@.........................p..........(.......................H?..........0...............................P...@............................................text....t.......v.................. ..`.rdata........... ...z..............@..@.data...<...........................@....rsrc...............................@..@.reloc..N...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	710888
Entropy (8bit):	6.630506217753263
Encrypted:	false
SSDEEP:	12288:6BMGnPEAEuRNz2HuiEJe0z6h5KEuEVv4D1wEM50+OD2evinKqcQUuWnI8:6BMGnPEAEyXiEw0xXD2evincvFnn
MD5:	FAE7D0A530279838C8A5731B086A081B
SHA1:	6EE61EA6E44BC43A9ED78B0D92F0DBE2C91FC48B
SHA-256:	EEA393BC31AE7A7DA3DBA99A60D8C3FFCCBC5B9063CC2A70111DE5A6C7113439
SHA-512:	E75C8592137EDD3B74B6D8388A446D5D2739559B707C9F3DB0C78E5C30312F9FCCD9BBB727B7334114E8EDCBB2418BDC3B4C00A3A634AF339C9D4156C47314B4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........f..............U.......U..B....U....................................................c.......c.......c.......c.......c.......Rich............................PE..L.....]d.................n...8......dB............@.......................................@.....................................d.......................P,.......g..pL..T............................L..@...............(............................text...Hl.......n.................. ..`.rdata...............r..............@..@.data...4R...0......................@....rsrc................:..............@..@.reloc...g.......h...B..............@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\lockkrnl.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	628184
Entropy (8bit):	6.631864802737484
Encrypted:	false
SSDEEP:	12288:Q9tUcJqS8DI9baOCmIJkPI9VYxPmb3pJ3xW2orMvM79G:GWKqS4OjlPUkmrpzWdSM79G
MD5:	BFF0CE8D5C44994EF19F63D63CC29EEB
SHA1:	B2837190927EE952721DBD5127C426D28FED9230
SHA-256:	08C6DDD72CD481672476625BAB435993F2F0C85F835B0313C593F46C49DE6781
SHA-512:	F527BB56DA57CA6BACDBA7871D65E48CA6ADEFE7F61240D766A6881C301B63C60063A09FA73E8BC64F40A01AD038B446B660A8ABC7719B84F1C6FE3654551420
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........<W..]9X.]9X.]9Xh-:Y.]9Xh-<Y=]9X.5<Y.]9X.5=Y.]9X...X.]9X.5:Y.]9X.5=Y.]9X.5<Y.]9Xh-=Y.]9Xh-8Y.]9X.]8X9]9X)40Y.]9X)49Y.]9X)4.X.]9X.].X.]9X)4;Y.]9XRich.]9X........PE..L....k%b...........!.....^..........=X.......p......................................c.....@.........................`................0...............V..@?...@..8F..pp..p............................p..@............p...............................text....].......^.................. ..`.rdata..jy...p...z...b..............@..@.data....8.......(..................@....rsrc........0......................@..@.reloc..8F...@...H..................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\mcommu.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3064552
Entropy (8bit):	6.880024408897335
Encrypted:	false
SSDEEP:	49152:KG3Vu1NMfK79ujn0y7IXf9NVOGHL6Joq8tOWJjkIST8TGGnW5RUwOGX6ZX:l3Vu1NMO94af9qGHuJoq80W85RKp
MD5:	9AC7B239AFACD78B78CCD853D1E2C8CC
SHA1:	39F12AEB844E7E0FC3830720F66F528E492CC724
SHA-256:	C96836CA5B833F16C97FC5A9BB7B99ABE7AC3B72E2DC9B9A3831ED3044645762
SHA-512:	97177E1B42EA1C42C7A4886811C38DAD0142D6157EEE58AFBD8AFBB34025904ED186BDF46DF92A6C81789607EAB4C3B81AC6DB3ACA7F53F190353A77A3BDD77C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w.=D..nD..nD..n+`RnI..n+`fn...n.YZnK..nMnYn`..nMnHn3..nMnOn...nc.n@..nc.no..nD..n...nMnFn...nMn^nE..nZDXnE..nMn]nE..nRichD..n........................PE..L......d...........!.....T!..<......\........p!...............................2.....{2/...@.........................@.(.......(......`-.................P,... 1.d....x!..............................................p!.d............................text....S!......T!................. ..`.rdata..Y....p!......X!.............@..@.data... .....)..`....(.............@...DLLShare..... -......<).............@...DLLShare.....0-......>).............@...DLLShare.....@-......@).............@...DLLShare.....P-......B).............@....rsrc........`-......D).............@..@.reloc..T.... 1.......,.............@..B................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\mobileflux.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	117064
Entropy (8bit):	6.436398487030181
Encrypted:	false
SSDEEP:	1536:pxNcrXn306zvccqtaGYvPCa/I7206aawWKxocUoiZw+BpQR9oLMm:pXcD30gccqtanCM0Wwiw+BpQR9oL
MD5:	80907BE35290D47A8C6DF50A0B44DECF
SHA1:	DBDDA59DD78716AD28FD37BF2619FC183D27CAE0
SHA-256:	4C4853E4F3990FFD0B3D6EB1436A885559564C1065C26490B777EC9D3586A5C4
SHA-512:	09D05C3133569548F4F231F0E06F6F29D57195C927B908F973CB05ABDE6214CA1E07399CB32EA5EC02635D81409B2A8F8F6BDA21F6B51B2A02115C2DF95B3B88
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)g..)g..)g.. ./.8g.. .9.Mg.. .>..g......:g..)g..g.. .0.!g.. .(.(g..75..(g.. .+.(g..Rich)g..........PE..L...%..S...........!.....,...\|......H........@.......................................O..............................P.......4u......................................0B..............................._..@............@...............................text....*.......,.................. ..`.rdata...A...@...B...0..............@..@.data..../...........r..............@....rsrc...............................@..@.reloc..~...........................@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\netmstart.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	171592
Entropy (8bit):	6.633100643329799
Encrypted:	false
SSDEEP:	3072:2g5d8g4gNv+wAGzpjdNwCR5t9Owr5HQ6UnsaP5YCnF+wFxDA:xDRpSs5t0u5wbfQ6E
MD5:	FF07224F63F62ECC5C6F2DED09DEB0AF
SHA1:	D3ADF969B20A3E42032E60A87DBD69834A748C1A
SHA-256:	A9F37F82413889A66F7063991F5C2E6DBA05A35A245891039204A478DE318357
SHA-512:	92B763A682C9F479F539AA945F245940351983EC04829FB6D614BB7ABCADE60E2205244C583F63547CF83F4819503529FF01411E08C9CBA26972222D2520AA4D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..X.y...y...y...+-..y....<..y......y....-.y..5....y...y...y....#..y....;..y...+=..y....8..y..Rich.y..........................PE..L....].[...........!................F.....................................................@.........................`...........x....p...............f...7..............................................@...............4............................text............................... ..`.rdata...N.......P..................@..@.data....L... ...(..................@....rsrc........p.......8..............@..@.reloc...".......$...@..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\np360SoftMgr.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	243944
Entropy (8bit):	6.56760832272308
Encrypted:	false
SSDEEP:	3072:YdtvVq01U5wXzfoUEwDTw3lCovmHDBYOfdv2xJ82wEdl/NPgqddBumr5365mwkq/:yNI0O4awI3AYqYEv2QIdZTJJYD1Y1a
MD5:	FA85435627D31663BECB82EFFDFBE2BB
SHA1:	C3D9EEA92EF90E652F500A1F900DA4E20A010C2A
SHA-256:	7E0343BC0108526442E8B3FE7E538272FA6240E425BD8F318924573B59BD9DFB
SHA-512:	7DA0E76E88D8E78D23E7E6BE0A184BF52DF5032113DFEBE087C3463AD990BE38CD4FD34586CCD367B381AE749F16E04573CF91E4B3D7A235A865D175FAACBDA8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................f.*......)......?.......8......}........z.....6.............(......-....Rich...........................PE..L....6.e...........!................3.....................................................@......................... G......\:..........h...............P,..........................................@...@...............<............................text...x........................... ..`.rdata...x.......z..................@..@.data....D...P.......<..............@....rsrc...h............T..............@..@.reloc...-...........\..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\npaxlogin.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	404296
Entropy (8bit):	6.509440609680588
Encrypted:	false
SSDEEP:	6144:iwa9e5G4aES0Qux3nNj43ziT7U2mSBzRD44shPBTLaqqDL6UbwHUu:Y9exL3u0U2pBzm4sxBTrqn6Unu
MD5:	630AE5740C702AF919BAED414DE8CFE3
SHA1:	26A50EFF049B2DBC24BE11411032172E82B37B04
SHA-256:	C3F08B4843DAF466148EE99DBD0D300B2A92BB695FCDE001E288189A3582300E
SHA-512:	A714A6F13CE33D8EC31772F180F611C491110D438019D4FCD88F2EB114B41FBD28878B8B9C6BA723D892405DC825917EF1D4868FFB66069ABE49E5AF286F491F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t..,t..,t..,}.\|,y..,}.`,n..,}.f,o..,t..,h..,}.v,...,}.q,...,}.g,u..,}.a,u..,}.d,u..,Richt..,........................PE..L...[AVS...........!.....N...................p...............................p............@..........................x...... f.................................. 5...s..............................8...@............p..d............................text....K.......L.................. ..`.orpc...3....`.......P.............. ..`.rdata.......p.......R..............@..@.data....Y.......:...\..............@....rsrc...............................@..@.reloc..hc.......d..................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\ntvbld.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS-DOS executable PE32 executable (DLL) (native) Intel 80386, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	60896
Entropy (8bit):	6.847633229504993
Encrypted:	false
SSDEEP:	768:NnCuEmXB5UMI3nhKrbZCWg/0/NC8hUDVsa0T1zj9KyhaMQNDG0uKjKj9MPgkz:N7Rx5Ulll8/H+x0T1zj9lHeMy
MD5:	690612154E7E5233AA980016CEAEDEDD
SHA1:	9B16E2F3D799EA506AA6A8F53FA4DEB36D73F5D4
SHA-256:	FFB81D34A14B5837AC713657F7892E790F85564BC2BA792025B0F9E9E0959AD7
SHA-512:	1F93AF0CA40DB562F7ECDBF19A0D899044BCF1F181B03E57E6B6F2C72F532652798023612BE9DEFE6261D631D10898D30ADB28EEFF922B72734B4DB27189C210
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ!..... ..........e..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ntvbldDXML..$............!.L.!........h.T.....................q.......q.......q.......q.......q.......q.......q......Rich............PE..L......a...........!.........\......2=.............p................................s`....@.........................p...........(.......h...............H?..........................................0+..@............................................text...v........................... ..`.data....F..........................@....rsrc...h...............

C:\Program Files (x86)\DnLIMGKCARTO\ovftool_open_source_licenses.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	28
Entropy (8bit):	3.553090083530327
Encrypted:	false
SSDEEP:	3:rKq5Ly:eqo
MD5:	E9C011751E3F6B87D9FBE3DA3DBC6BE3
SHA1:	5C45FBBA98E0FB43B608AB3B0977A1DBC400191A
SHA-256:	56DD16BDF345B47FE15FC1B3FAB509C78085280733C588C1C02804292C770B5C
SHA-512:	0E815B1DFA539E578B0B9B3893B6659D206BB5259AA62A4680AC7A76B1B50C82F45D9A5729F808F677B10DAADD430BDCFBB3F62C41EBB8692654E4D75B0FB361
Malicious:	false
Preview:	ovftool_open_source_licenses

C:\Program Files (x86)\DnLIMGKCARTO\pluginmgr.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	171848
Entropy (8bit):	6.451554967739461
Encrypted:	false
SSDEEP:	3072:NQbFXbsJHCPNUzpNd0hq6pPyNVD/fAudYMi429OYHUMu73zE55C8f:atWpnztVLffdYLN8YHa7w
MD5:	9828C8A355EA0F393260D6E3F7D511E5
SHA1:	DC587D4215DC083A35E4BBEE095FB3FB07A73C33
SHA-256:	B0D6D85D02E7650E03AB9AD04E90341EF6F5421DDC2AAA7AE65692944C298671
SHA-512:	178D1AF5ABB116762C37714F2C142DB02BE9AF8B0C9BCD4948DE122583A9C815E1AB1F709E3167A096947CCCCD6ABEDC4BAB7ED405D207F097BD35640926205A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........xL.+L.+L.+..+M.+E..+^.+E..+1.+E..+u.+k..+].+L.+..+E..+].+E..+M.+R..+M.+E..+M.+RichL.+........................PE..L...P.LS...........!................D.....................................................@..........................2..M....'..x...................................P............................... ...@............................................text...'........................... ..`.rdata...S.......T..................@..@.data...HU...@...,...(..............@....rsrc................T..............@..@.reloc...#.......$...^..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\probe.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	304640
Entropy (8bit):	6.443933218835315
Encrypted:	false
SSDEEP:	6144:1AXDdMpEeHyH/D1kApvwp+ZniFARcRdhAGXPR:1Az6WeHyfDOAdwp+doARcRdh5Z
MD5:	BB752561CE0859324FF01369BA8D25CC
SHA1:	8C42AA1FF9060E58CFFD0EE9997DF134FB3E8739
SHA-256:	A243D55655789EF26972546B7DC9723953564F52AE1C46087CCC2DB96F5B8D83
SHA-512:	0C493C6868F4E2D90E3FCD6B71116769F2FA2F61740BCB9671B1DEEFC4628BE05E4441CA2008F6AD3F72BAE7C14028A7565CC2FBE68478E620F3CF9418357182
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&PLYb1".b1".b1".kI..s1".kI..^1".kI...1".E.Y.o1".b1#..1".kI..n1".kI..c1".\|c..c1".kI..c1".Richb1".........PE..L....r.\...........!.....`...........?.......p......................................Cd....@.........................@%..B...X........p...............n..h7......@#...r..............................(...@............p..d............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data....6...0......................@....rsrc........p.......2..............@..@.reloc...0.......2...:..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\qex.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2322152
Entropy (8bit):	6.743036380076271
Encrypted:	false
SSDEEP:	49152:zGpgL5KH4fC/9OdL9Fyi9I4YToBT/zP2BDjWWC:zGiLY46/9gLbyi9Pf/zQq
MD5:	1A3FF3A13D0D1A1833CD0B06874E9019
SHA1:	30E5B3AC5DC440342FD22E226B50246167F4AFB5
SHA-256:	F13623397C7FFF988F7DBE606D51DAC45D6C3C953E0BEBC308A29C7C4AFF6147
SHA-512:	340C04022A94819AA84F0A18D55FC7C3A7432BCD0A59CE5DD97AA0B47E6C688D2AA2588D3289A83400F8B9878524B57918EAAF90304D85ACEE57CD566E5F9817
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: C:\Program Files (x86)\DnLIMGKCARTO\qex.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........4..EU..EU..EU......WU......U.....dU.....GU..~...^U......FU......LU..~...{U..~...aU..L-..GU..L-..RU..EU...U..#..DU..f..DU......BW......DU.....DU..EU..DU......DU..RichEU..........PE..L......d...........!........................ ................................#.....K.#...@A......................... .P...." ...... "..............B#.P,...0".....0...8...........................h...@............ ...............................text............................... ..`.rdata....... ......................@..@.data...@....0 ..l..." .............@....rsrc........ ".......!.............@..@.reloc.......0".......!.............@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\qroscfg.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	138056
Entropy (8bit):	6.637936005523512
Encrypted:	false
SSDEEP:	3072:LKDfRbUTKLoDy1wSSH/2Lq62enAhXx2+EKI:KJITHu1wZf2Lq62UAh6
MD5:	F62317FC61CA698D45A54C0F7A8A78B8
SHA1:	F61D256EA3E3DD85CE7C44DC61AACC93E720F692
SHA-256:	59DC54DD624E26D07EE8A908476EE67DCC3B6BA690F566C30B5522B6DCB8EE85
SHA-512:	C06E046EDB18EE40D63411AA689280A73EBBEF3CE6977C51F629C43E6A6314895BCF2270E43CB1D9DD847B33874BC812778ACCEC07ED0FBFB9791556027FFCAD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./.j&k..uk..uk..u...ui..ub.uz..ub.uR..ub.u...ub.ux..uk..u...ub.u\|..ub.uj..uu.uj..ub.uj..uRichk..u........................PE..L.....,S...........!.....N...................`...............................P.......T....@.............................L...\........ .......................0..T...0b..............................8...@............`...............................text....L.......N.................. ..`.rdata...k...`...l...R..............@..@.data....A..........................@....rsrc........ ......................@..@.reloc.......0... ..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\qutmipc.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	170856
Entropy (8bit):	6.55483314591404
Encrypted:	false
SSDEEP:	3072:4JJiNkByXIzFu3wK672soO82qUyleRR2v6eY8lMnu+wqH6F3:477yIzFfKTsS2qUKeXC5lRR
MD5:	7EE49A57339ABCC35FCDE25D3F5EE8D9
SHA1:	7A7F471DADD973CA57C79C43D93828B4496570E8
SHA-256:	DC477A4B41CA92D94CB7092B458F35DEF2EF6F9A0B23A237A363E341E22AEABB
SHA-512:	F978F6C882D80CFD87B2EF75EBB1C18C9BFB6759D28C0F503395217373AE241E5B08212D4D42373F6B94AFFBF775959E06BD1CAD5D09C488DC139906A0D4AB4B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$...`..R`..R`..Ri.]Rk..R.BRb..Ri.ARr..Ri.WR...RV..Rb..RV..Rc..Ri.GRq..R`..R...Ri.PRZ..Ri.FRa..R~.@Ra..Ri.ERa..RRich`..R........PE..L...f..]...........!................K.....................................................@.............................a............................f...4..............................................................d............................text............................... ..`.rdata...O.......P..................@..@.data....n... ...(..................@....rsrc................8..............@..@.reloc..<#.......$...@..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\qutmload.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	111336
Entropy (8bit):	6.7222941004358425
Encrypted:	false
SSDEEP:	3072:PTxwTSQCdxm/78XLv6JYZeD9GIn+uowP0T:PCzCeeeYAD9E5T
MD5:	8719E73BC84D506FE7F0D367AE46ED20
SHA1:	D60A1FF7B2478ACDA7C5C1730E0B963594311FB9
SHA-256:	C110E1FF4F233669F1E035129E137ACED1A3632D17A8302502D160DC16FA9AF0
SHA-512:	AE00044E9EE7B5AF66105067877AFD68D79ECEB6C945CC07F390D15A2E1C0832C578146E6B0657FD8A29F865EC6DB78DEFEB7C1BA7E3AF0D1427EFD22A67F8B8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........z...z...z.f.'...z.....z.......z...{...z.....z.....z.......z.......z.....z.....z.Rich..z.........................PE..L...Z.Xd...........!.....Z...........A.......p...............................`............@..........................X..[...TM.......0..................P,...@..t... ...............................8%..@............................................text....Y.......Z.................. ..`.data........p.......^..............@....rsrc........0.......d..............@..@.reloc..f....@.......j..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\qutmvd.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	102496
Entropy (8bit):	6.557778827364857
Encrypted:	false
SSDEEP:	1536:LvHAH74ugMR7NrUCga4UkvmWKvOT2lXgODuqAo+rvnyfe0qmofvghl:LAbQkNUhajPXjDuq7+rvyfe0qVS
MD5:	2CEFF7B131BF05F6D98318C309F225B7
SHA1:	9A218DC20C839A7E64A82CC66ACE83AF210D4063
SHA-256:	70F19BE3113626A79783D68F5EEBC080D376F5DF6B647FB95FB9C5D7479C4FFC
SHA-512:	E285A1435D640A6CC457ACC32EEDA70C8E57C58E76D0A951800890D4FDDB25B32A46932A20432F536FD8C6A2AB1B9D271EBF80F2E5E424C7AB33BD7D4D6D55EB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w3\..]...]...]..n....]..n....]..n....]..n....]...\...]..n....]..n....]..D....]..n....].Rich..].........PE..L....Q.Z...........!.........p......l ..............................................p.....@..........................6...... /..(....................Z...5...........................................%..@...............X............................text............................... ..`.rdata..V7.......8..................@..@.data....K...@....... ..............@....rsrc................8..............@..@.reloc..T............>..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\ramengine.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1153496
Entropy (8bit):	6.942405258763643
Encrypted:	false
SSDEEP:	12288:Y7q8Cmtvv8T/2xkz88j8F7mA2CgVuHjnbbpyqTsziz824xzoxzD9+zNzXXVoyf92:wKEMqxkzvIdTjbbwqT5z8YuXVRf92
MD5:	2172263E6F1E7EEFB2C54517B1215243
SHA1:	0EF23327AA2F0EA7F2C74BA7A90C3FCD03A37238
SHA-256:	30423D3CA90C921D2A727B0A5F8C4CEC1A63823283B84BB6135C866CE33FA23D
SHA-512:	CCAA6CAD97380B4B70CA80B119B04D2D50BB4F1C018C168F185EBF7CAAED00F7E8679F2BC898B86A99F9B6EC15D6A4337EAAD2A2A03DE3E6D71A11D57762DD14
Malicious:	false
Yara Hits:	Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Program Files (x86)\DnLIMGKCARTO\ramengine.dll, Author: kevoreilly
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h.rE,}..,}..,}..2/..(}....q.-}...2..-}..%...1}..%...`}....g.9}..,}...}..%...&...%...k}..%...-}..2/..-}..%...-}..Rich,}..........PE..L.../.=b...........!.........................................................0......`.....@..........................I.......8.......`...............Z..@?...p......................................H...@............................................text...`........................... ..`.rdata..dz.......\|..................@..@.data........P...j...4..............@....rsrc........`......................@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\safe505.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	369760
Entropy (8bit):	6.607770750782929
Encrypted:	false
SSDEEP:	6144:473BJ75gdTR5O998Zo1H9T+h78cjiLxfV0jg36+YC:47NgdTR5OP8Z6k7djidf6j+CC
MD5:	A768269EE00AB4638DCC5A460926B253
SHA1:	19103167045C7412AA541340CE0346E3A806034B
SHA-256:	53D419051D9B93E142D592DCADEDBA4C419C31180CA76258ED80694FE7DC96EF
SHA-512:	1E2CFA00743D5BC73F59F90D3CFED8FF9315FB17F6F3D48997692CA109F36D5108D15604B5B1147FDFEE11305AE2666ABC78E52B80A1DD9C77B31F194C5F6D72
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V.............9......(....../.]....?..............&......>......8......=.....Rich............PE..L...:.$Z...........!.....:..........T!.......P...........................................@.............................................0v...........n...5...........S..................................@............P...............................text...'9.......:.................. ..`.rdata...i...P...j...>..............@..@.data....G....... ..................@....rsrc...0v.......x..................@..@.reloc...+.......,...@..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\safehmpg.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	703720
Entropy (8bit):	6.771739665522189
Encrypted:	false
SSDEEP:	12288:qHYltqwFRk6aev4ys/F3RZ6kjn+Kh0ayTJBJqrdvSdK2vV+N:qHEtqwF+oqr94vV+N
MD5:	2AF326EE56FFA7E49BA762C5D10F4AA7
SHA1:	00254A380996435EB22E101E3FF8B49CD3F3F226
SHA-256:	C454AA353AA32E66BBC9248901D82B8C1390A84965A2D2672FC763E5CCC84ADE
SHA-512:	BA6BE274609AEAE8C216FFB3AAC5561742861A8597B1940FB1B371658781740494EE00FEC1BCF1BC433A6DE3DED56429BCC51A7EBEA0C3812DCD50D3172E5626
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@7r..V.F.V.F.V.F...F.V.F...F.V.F...F.V.F...FUV.F#.qF.V.F#.gF.V.F.V.F:W.F...F{V.F...F.V.F...F.V.F...F.V.FRich.V.F........................PE..L...B@.d...........!.................2....................................................@.................................<...........................P,.......h.. ...............................08..@...............x............................text...m........................... ..`.rdata..............................@..@.data...\|(.......b..................@....rsrc...............................@..@.reloc..*...........................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\safehmpg64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	652520
Entropy (8bit):	6.448272877372563
Encrypted:	false
SSDEEP:	12288:hfi1q0q2sAOWd1ws5Q3F2mOWLt+0fTN1hNbPr+0UABa:hfi80MAr1ws59mHU0fTNXV7UD
MD5:	720E64BF6B33ABBCC122B68C9D695A9F
SHA1:	DAE0ECB2377C8E2C6A5DCD36DD52049F12A51E54
SHA-256:	D8402FF2B310B297D27D58DC353B4044B8BB47D0B53075C629B69AAECB8EA33B
SHA-512:	1F32E2CD50F8BD7EE536C330190B9DB19D9826EEACC8DE55025AC910A41EF83CBFEEACC7BA22495C08C353D68F4CB18E71811473EB60A17DB0500E3A9DC9D533
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}...........)....................!~....!.....!h.........................................Rich............................PE..d....>.d.........." .................o...............................................%....@.........................................0........................0...a......P,......4............................8..(....................................................text............................... ..`.rdata...:.......<..................@..@.data... .... ...>..................@....pdata...a...0...b...J..............@..@.tls................................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\safemon64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1978600
Entropy (8bit):	6.120484699876494
Encrypted:	false
SSDEEP:	24576:oFh9A7slFrZupqSUrmpnf5+LMHYHTuzVqCIuUzwHVu4UzSego1fTX8tmApd9DzH+:oFVlZEpqApnh+Le8qEZXnvzDTX81C
MD5:	68BE66953DF2CE4063120FC9341DC8A0
SHA1:	7EA1B1BC531C5A1E82C59BFA4E549604BE378DF5
SHA-256:	7DB7FED955AFD3F809C9F05F37A082D755C218580524CF87CB6EFA9B8DADE84E
SHA-512:	80D2343BC12F1B1019534AACD31C86479654B74E6C4F7687BAC54884A3BE5E4037F0571F72184D3CAD05AEF59BF58806181E29DAD57CD36DF9BBB624CF76CA2A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........qr.M..AM..AM..A._.AH..ASB.AH..ADh.A...ADh.A...Aj.qAG..Aj.AL..Aj.gAh..AM..AJ..ADh.AY..ADh.A...ADh.AL..ASB.AL..ADh.AL..ARichM..A................PE..d....B.d.........." .........X......\.........4g.............................0......;.....@.........................................` ..........@.......hi..............P,......d.......................................................P............................text............................... ..`.rdata..}a.......b..................@..@.data....B...0...h..................@....pdata...............t..............@..@.share..@....p.......b..............@....rsrc...hi.......j...f..............@..@.reloc...1.......2..................@..B........................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\safemonhlp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	919784
Entropy (8bit):	6.137864164977724
Encrypted:	false
SSDEEP:	12288:mdMC/9/eMFo5CnfGquRbNQvNynGcgfHh6Q1FWdAcAyTreixh41Hh:mdMC/9/LfGquNFGcgfHh6dA7yTxxh4Nh
MD5:	01515E6DB9E455E81F550A8E10FD007C
SHA1:	6705DE998ED07C348788580C6163AE711672756C
SHA-256:	D1B434F173CF6AE0A47441D4CF4EF74C1122E01A44ADB39FC27A3FB4350222A0
SHA-512:	E912A2B236F7BC68495FCC89AC451008F187FDCBDC88139C5339B70DF702E555E5F4D283B1FB3524EB1DC111B496B8C9E57407C14B60EADDECDA544C23FDC3ED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+q.BJ..BJ..BJ......FJ..K2..]J..K2...J..K2...J..e.r.JJ..e.d._J..BJ..jK..K2.. J..K2..CJ..\...CJ..K2..CJ..RichBJ..................PE..L..../:e...........!........."......nB..............................................7.....@.............................................................P,.......F...................................v..@............................................text............................... ..`.rdata..............................@..@.data............b..................@....manifst.G.......H...*..............@..@.rsrc................r..............@..@.reloc..ja.......b...x..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\safewrapper.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	46824
Entropy (8bit):	6.3718471080572385
Encrypted:	false
SSDEEP:	768:NQxyqGBvGVIFDgOLVScurGht5OQpLOI2/3V1VaXLkj9:NXvGV2EmSNGht5OQdOIU3P0U
MD5:	B5BC117906C4ABE912C05D21833BBDE9
SHA1:	BF8E06A3E00131885D6CF71CC2787C6701CBAA6D
SHA-256:	40D425FDEAF7EA3AFEFEFDC57A4886BDFC764EC7A240BA409180D4AC3523473F
SHA-512:	94FA9ACFBE586C3EB514B837CFEEE65B240308759D5FE4AB3827E3A996BB7C73E99CE063A2F6BAA2910A652C49DE0AE7EEAE6CE103ACCA9AA7087DF9EEC3044A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................f.......v......g......\|......a......d....Rich...........PE..d......d.........." .....R...B.......T.........p.....................................{....@.........................................0...c....}..(...............(.......P,..........@q...............................................p..@............................text...:Q.......R.................. ..`.rdata.......p.......V..............@..@.data................j..............@....pdata..(............z..............@..@.rsrc................~..............@..@................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\safewrapper32.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34024
Entropy (8bit):	6.327492825656285
Encrypted:	false
SSDEEP:	768:hKskBJrdjjSRwvr6oMY7E2/d1V1VaXLkjF:lkzdj16oMY7EU/P0k
MD5:	B20C9D59DC0C12E7AE71AF20D8610BD8
SHA1:	37DD1D60B9EE1B0DBC62A614E7AFCCD263970352
SHA-256:	BAF7E72EA5CD525E5D3BEDFD6AD9A6F24EC306E433C1B6E2613A505B4358F080
SHA-512:	88AF78818D06E8EF4639E188BADA9B9C7D8F69F5E15BD34CDDB07086F21AB36F7903E8BAAF9CE5DCC1BC039432F06A840214C5EA56498DED0DDA09AD63740BDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................................................Rich............PE..L...Z..d...........!........2......:%.......@.....p......................................@..........................K..c....G..(....p...............X..P,...........@...............................................@...............................text....(......................... ..`.rdata..k....@......................@..@.data...D....P.......<..............@....rsrc........p.......H..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\sbmon.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	376320
Entropy (8bit):	6.699956048285194
Encrypted:	false
SSDEEP:	6144:vdwxI+FMRNjYyxEeVU85PaFLz4Ux3qM1rio9TB1KlgDli:yxI6QNjYyeeVU8RaFLzbx6ario9TNJi
MD5:	0C8FDCD5FE400719EE5ED07CB32F8E5C
SHA1:	143569797ED124FE9C222BEFE7696FFEFAA36079
SHA-256:	41BEB055696B626CEDCA5B14C6613AECDD2B73DC389A61C961EA30029C6BFC1B
SHA-512:	2CFF0EB4D636F287FC742FCB5DBE81AE7D6733F566660FDCF936DDEAFB385E5F51856A2D71CDB5C4E26BE55C583F5D22A97742632E2935CA478D86B9E63B6FCD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u.(.1.F.1.F.1.F.8..(.F.8..=.F.8....F.8..*.F.1.G..F.8..f.F.8..0.F./..0.F.8..0.F.Rich1.F.........................PE..L...W..^...........!................D.....................................................@.............................i...............................h7.......0.. ............................... ...@............................................text............................... ..`.rdata..Y........ ..................@..@.data....}... ...$..................@....rsrc................0..............@..@.reloc..2H.......J...:..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\settingcentercfg.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	296168
Entropy (8bit):	6.537790365460336
Encrypted:	false
SSDEEP:	6144:q1AV4DwqZh2u+GUUYGekXEwiqBNgHsXUUbQ:Dir34UGkXEwiqBNxU1
MD5:	C7989632E6C0C5859ABD9A142E8DE5A7
SHA1:	E1135468989051AB951FCAF57615E7CA6621FA72
SHA-256:	EE39FF4ECD99E7688FC99257BF746CD9A00CEE90EAB9BB57A4CDA04B8C641FBB
SHA-512:	8C026D01CAA09431CE56FB67BF6D217886561659759278D7B195854017B4768DC80B3F7AD06310955906C4EFBE1C64A2EF5A63B384960064F82C378A498DD228
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$..uJ..uJ..uJ.q:...uJ......uJ..'...uJ......uJ......uJ..uK..tJ.....PuJ.....uJ......uJ..'...uJ......uJ.Rich.uJ.................PE..L....upd...........!.........F............... .......................................'....@.........................0.......h........@..d+...........X..P,...p...&..P$..................................@............ ...............................text............................... ..`.rdata...... ......................@..@.data....d.......(..................@....rsrc...d+...@...,..................@..@.reloc...A...p...B..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\shell360ext.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	285024
Entropy (8bit):	6.42559804173613
Encrypted:	false
SSDEEP:	3072:99Wn7gp0UNCivmDCbdZcB0L6rOSQHq8qAEHsZwrooOaj4yFDXmqwgjczAdeyOy5T:9s7gmOWaGrOSUEH5rowVZJ9jcs3ZQdyx
MD5:	55720D486DF26BCA2517120018BE4526
SHA1:	AC8D6B78E5CACB0DB04DABE371C9B4DB3F75861B
SHA-256:	F109944B22046FEA6532067B73CF8159629AB6115A1F5765A6631F91596EC20D
SHA-512:	98474BB3CE5D90CB7625ADB28A2A862336116E38F629B4E19FFF59BBC5062453D402C4C5CA06C92371E75C1D8743D9DAF6750B6E52439847AFC9F7511EB7DCBE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s..J7.j.7.j.7.j.....5.j.>...%.j.>...:.j.....4.j.......j.7.k...j.>...r.j.>...O.j.>...6.j.)...6.j.7...6.j.>...6.j.Rich7.j.................PE..L.....^...........!.................................................................H....@..........................g.......T...........h...........$...4...P...!......................................@...............p............................text............................... ..`.orpc...3........................... ..`.rdata..............................@..@.data...@c...p...B...D..............@....rsrc....h.......j..................@..@.reloc..J0...P...2..................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\shell360ext64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	337768
Entropy (8bit):	6.135707746088789
Encrypted:	false
SSDEEP:	6144:zzP3ynTk8o5nI863JGetFsPX0J91AVwWxNiUBEDBk1:3PinTk8kvYPtogwx2DB
MD5:	3BE0E20A43D852D54EB1A060EAE2CF71
SHA1:	CDDB97396A7BAF016A2F0C90D8E1A782265D6805
SHA-256:	C61FE57C613010CFB49D772F17C33D702CD7B152575C87F82C55015049E27775
SHA-512:	9040D3CCDEAD3C662E145796CC570C32945F25729A8D5EC01193E3F2B1E07926CA92EB003665E54D724A1FF4154AE6A1D27E481A21D6AEA2C3963237C750D036
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v...v...v..B91..v....2..v.......v.....v.....v...v...v....#..v....$..v....5..v...$3..v....6..v..Rich.v..........................PE..d......^.........." .........................................................P......."....@.............................................................\|h...............4...@..P....7...............................................0...............................text............................... ..`.orpc...5.... ...................... ..`.rdata..`....0......................@..@.data....~... ...V..................@....pdata...........0...L..............@..@.rsrc...\|h.......j...\|..............@..@.reloc..`....@......................@..B................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\sites.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1478720
Entropy (8bit):	6.243233564535013
Encrypted:	false
SSDEEP:	24576:8212+7QSyDgGz1FwHS2NH96QbxGO7yVBVtLWQb93:8S2+7myy2J96QbAO7MBVVd
MD5:	3F03F2C6000D713BF0C2824EB6021FE7
SHA1:	B03401B07BC2EDA58C4749E8A5EE14AB5CD056D4
SHA-256:	43923DD9F19E5089947F8376BE5E59A9683C4C9B566CE6FEB46A02D8A6E12C28
SHA-512:	CAFDDA7E6D67E3906E8DABECEC018DC45CDA69E505D074CF93DD3CB1A4E967263D8486A788EA97809E633036E06CED1257BBD96D23B441242E7B8ABC05948B37
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......<<.x]..x]..x]....7.~]..q%4.]]..q%(.u].._...p]..f.%.}]..x]..M_.._...g].._...y]..q%"..]..q%%..]..q%3.y]..f.5.y]..x]6.y]..q%0.y]..Richx]..........................PE..L......`...........!.....^...*.......a.......p............................................@.........................@...................8-...........X...7...........y.................................@............p..T............................text...V].......^.................. ..`.rdata...C...p...D...b..............@..@.data...8...........................@....rsrc...8-...........4..............@..@.reloc..T............b..............@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\spsafe.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	817368
Entropy (8bit):	6.738529048176569
Encrypted:	false
SSDEEP:	12288:uOUfiU0mT/a6QgN3GlNZ73udM/iJ2FyNRk/9nNV6hPyDHK9Tud8wgQ5wud59c:v+QgNy/XKRuV6hP19TSgQZd59c
MD5:	75D3BEE4F0D52A12BEB677AF61FA439B
SHA1:	1A4747E8A32C68DEC8CE4A3C5FF6423D894AA857
SHA-256:	39A593FB9BA310A32D3931F6E7D5634439DC34F15434C69499958DAB6D888636
SHA-512:	8C8FA0EB35EC7BCCF388E45694855BFE32695BD1FD38AB095F45F6BE0E4DD511CEF7974C9CA27B64EA87E0362FE2684D357B54D3A5FA6D811845CAB9723A7EA0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Xj..69..69..69...9..69...9..69.0[9..69.0M9..69..79..69...9v.69...9s.69...9..69...9..69...9..69Rich..69................PE..L...<._...........!.........j............................................... ......H.....@.................................P........P..0............>..@:...p..Hy...................................j..@............................................text...i........................... ..`.rdata...7.......8..................@..@.data...\|.... ...d..................@....share..8....0.......n..............@....hlpsec......@.......r..............@..`.rsrc...0....P......................@..@.reloc.......p......................@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\spsafe64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1111032
Entropy (8bit):	6.367597371319365
Encrypted:	false
SSDEEP:	24576:kkCtooV3NfPqy2qhkEmqpb6ik9TaGvU+Rg9e:kNow3NwqhQbTaXY
MD5:	0008371C62FF56FBF645A86F1C0E593D
SHA1:	E8B0F01777C6E2A44548C3355F5187159AE22AB0
SHA-256:	99E5A986C084144406DDC7BB15965859F10C1AB79B4B1323A8F59BFBB7557851
SHA-512:	214F7F961A73EC8145B61179BFA90D462AAE178C00E1647B68E261EF3B4073C7418447F9DB5F2782DCC50A93322F6D6BD2772C66B48147286FD2B526A8AD5877
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........YIN.7.N.7.N.7.G....7.ifZ.I.7.ifL.Q.7.N.6.v.7.G...7.G..C.7.G...7.G..O.7.P..O.7.G..O.7.RichN.7.................PE..d...;.._.........." .....F...f............................................................@.............................................................<....`..,.......`A...........j...............................................`...............................text....D.......F.................. ..`.rdata.......`.......J..............@..@.data...pD..........................@....pdata..,....`......................@..@.share..D.... .......:..............@....detourd.....0.......>..............@....detourc.!...@..."...@..............@..@.hlpsec......p.......b..............@..`.rsrc...<............r..............@..@.reloc...).......*..................@..B........................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\statslib.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	143176
Entropy (8bit):	6.455813710383163
Encrypted:	false
SSDEEP:	3072:FrP8rNMpP/7CZjxyHWDqZ0tnkg5X5VBh:FroNA7cjxs6qGtDB
MD5:	5583AABC6B11C4A3BBB9981296F9FF1B
SHA1:	0C513EBA49A6363DFF931C4D492DAFAC2B553D1C
SHA-256:	B501774B6B363C32A60B93313EC340F61942F2F1A9AE85B77B4E57A5C37D8689
SHA-512:	BAE0F1B71D1A104B2047B0DCB89304A3F237A88CD9E8801B4F14522C36C4AB82C9B531059839C8F54397C0443441B284E274A7987D97578247F851764256DFC4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@nV.!...!...!..=n...!...Y...!...Y...!...Y...!....{..!...!...!...Y...!...Y...!...s...!...Y...!..Rich.!..........................PE..L....s.S...........!.....v...................................................p.......3....@.............................L.......x....@..d....................P.........................................@............................................text....u.......v.................. ..`.rdata..,H.......J...z..............@..@.data....R.......&..................@....rsrc...d....@......................@..@.reloc.......P... ..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\svcMonitor.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	287312
Entropy (8bit):	6.386260935863853
Encrypted:	false
SSDEEP:	6144:1s/nrf85ZwuovjyUWtlcojm2IifjxVSEnc/B7uSKxHFzJzcZ5ZH1V90/:1s/nrf8fwuovjyUWtlc8fjT2uftrzSHs
MD5:	858E2E9A81C7BF962F7002AB92FA2314
SHA1:	15D271B2075A29F34575D226DFFE907B9F58DC3E
SHA-256:	BC08141FF1715A940CE3EA9779E9A1C9BDEB332A7EFAD85CBDAB46A7AEFC4017
SHA-512:	9E4C07658F4BF62E052FA641B340BF2D01FB8B7F37FA8F052868FBB2C4FCB4958C88876705B7CB0B92A37BA1BDFB2A22D51D08149DA650E1BFAB6D5F40CB3E97
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........27..\d..\d..\d...d..\d...d..\d...d..\d...d..\d...d..\d.#'d..\d..]d!.\d...d..\d...d..\d...d..\dRich..\d................PE..d......a.........." .........(..............................................p......1.......................................................`........P....... ..@/.......I...`..4...@................................................................................text...r........................... ..`.rdata..............................@..@.data....O....... ..................@....pdata..@/... ...0..................@..@.rsrc........P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\swverify32.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	111072
Entropy (8bit):	6.701224873797745
Encrypted:	false
SSDEEP:	3072:GQbFkKX/BAEHeC8mskn9qs4xDXZSBT5NyUK9yeML:GQbFbBAxS9qfDXcxu9u
MD5:	09B2D099C336C74B9CC6C299B6DA5A74
SHA1:	0151CADCBF5C2A0C584D48761028D0C3734D0E08
SHA-256:	DD02201425427832BD095F91EF3162BE8666D17467E0D208E874E458052E3FE1
SHA-512:	6932B59AB76EAE60B63FC7776557161C1526881AF7B9579D35DF0676B882CFA3616747AB0A8F4689188CC604B46C3F4831DEFB07C00794449A9A66270FBB8969
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........wU.q$U.q$U.q$\..$p.q$\..$D.q$\..$0.q$rG.$P.q$U.p$0.q$\..$E.q$\..$T.q$K..$T.q$\..$T.q$RichU.q$........PE..L...)..a...........!.........b......2k....... .......................................4....@..........................M..{...dF..<....................r..H?...........!...............................A..@............ ..L............................text............................... ..`.rdata..K.... ...0..................@..@.data....0...P.......>..............@....rsrc................T..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\swverify64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123360
Entropy (8bit):	6.490240359394299
Encrypted:	false
SSDEEP:	3072:JuTpkdF2q12lOyUbQdgBFL0M12bqv5lDwCx9geMq:JEu2c26vBFLvJx9p
MD5:	D06C9847CAC97EB184F5D3DAB9EE30EA
SHA1:	525D808680CD0D8DA05562C1FE6B7A9A65674322
SHA-256:	3A6AFEA3F96AE04F79891BB23D8C2499E44EA775810FC7D2D0F8B687F3C504C0
SHA-512:	2FDBCA6AE7D0098CCEFEDAD585560CF7A5529B783EB402F0F9C5B2DFC0548955F7702EEB100E3D1E803FC9AD1FC887BFABDA81FF26574ED59F2BEC2A8FD137A1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t. .0qNQ0qNQ0qNQ9..Q.qNQ9..QRqNQ9..Q9qNQ..5Q5qNQ0qOQWqNQ9..Q qNQ9..Q1qNQ.#.Q1qNQ9..Q1qNQRich0qNQ........................PE..d...0..a.........." .....&...v......................................................].....@.............................................e....w..<.......................H?...........C...............................................@...............................text....$.......&.................. ..`.rdata...@...@...B...*..............@..@.data....:...........l..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\sysfilerepS.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	296448
Entropy (8bit):	6.525001769554265
Encrypted:	false
SSDEEP:	6144:akQR4/gW/ulyJQks7fA8kbJHP9wgZLtGvZxZcy2:WRjW/ulyJQksrA8kFHP9wgFsvfw
MD5:	080B406556B06942C740D1B27E35B76B
SHA1:	DF0E1AAD009CFE0436C476619E9A046C74957F67
SHA-256:	B6D32F193CB1309963E0566ED54551854ECE722660726460C76713E1358896A6
SHA-512:	9256D83202FBC79469DB533CC0FF5E779B2A07AAFE4CCE39AAF7CB96006A91B2AB2F62E43E6EBCBC32B053326FCB1764866B5698B85951FB7C6959D41E4CE616
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........hUX..;...;...;..q....;..q..f.;..q....;..[....;...@...;...:.S.;..q....;..q....;..[....;.......;..q....;.Rich..;.........PE..L...7..\...........!.....0...................@............................................@..........................................@..H............N..h7...P...$..0C..............................@...@............@...............................text..../.......0.................. ..`.rdata......@.......4..............@..@.data...\|=..........................@....rsrc...H....@......................@..@.reloc..<;...P...<..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\sysmon.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	258376
Entropy (8bit):	6.381415913731279
Encrypted:	false
SSDEEP:	3072:5CXOfw2KvPOgIb2KelFX9yHikM+CEQnROYUYycCBmxa65ENnxMqH7N2La+5rs370:5CXOZKTnxKikDCVnuYxa6MxHAjE
MD5:	361F2EA84360B6A2F24AC4647E2D0A91
SHA1:	2CF1D0538DAF45BCF7C79BF429355AE78F47CF74
SHA-256:	29734631E6E901CDCBF7F6FBC62EE513EA3F11BDFBA65963D5F7C598793546AA
SHA-512:	7907AB407449611BEF00EB2678B4B3B24B721B1E2A08237DBF826E6A3017164B44C42164FA0BA81D1EC484A22B87723FE4B1A4387C3788EB4427187B507EB1FE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+4V]oU8.oU8.oU8.....nU8.f-..wU8.f-...U8.q...jU8.f-..PU8.H.U.nU8.H.C.rU8.oU9..U8.f-..LU8.f-..nU8.q...nU8.f-..nU8.RichoU8.................PE..L......S...........!................+........................................0.......u...............................i...... X..................................(!..................................83..@...............@............................text............................... ..`.rdata..............................@..@.data....`...p...8...Z..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\sysoptm.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	290656
Entropy (8bit):	6.600061339720852
Encrypted:	false
SSDEEP:	6144:KVA8XAqnlpVQgOakhfOM3WYMBhdJ6fo2KZjCoGR:KVA8XAqlpuvasOMm9Bh36fotjCZ
MD5:	307897B0DC7DB6F9CC95C11842A3DF53
SHA1:	BCBCDAA63A2F4482652C363A40C61F133D475E8B
SHA-256:	625A27386FFA51417CA2FA71A95051A77267A49631853EE44340CBF0E1C64316
SHA-512:	513134558006639DE122932B7E6BEDEB3CFDA6BFF457821F8AAE46CB8822ADBA94BE1C4786B79A6B96252513555CE6B016A0763FA2B62AD4B0C415E0E5A0F8A0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........P@...@...@.....E.A...I.F.U...I.P....I.W.}...gb..A...gb..[...@.......I.Y.a...I.A.A...^.G.A...I.B.A...Rich@...........................PE..L...m<.]...........!.....&..........l........@.......................................`....@.........................0.......d........0...............:...4...@...%...E..................................@............@...............................text....%.......&.................. ..`.rdata......@.......*..............@..@.data....L.......,..................@....rsrc........0......................@..@.reloc..X:...@...<..................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\uni_links_desktop_plugin.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	567984
Entropy (8bit):	6.423612441750911
Encrypted:	false
SSDEEP:	12288:A3Akvssp2hEOe4C6Eos37/t4eIroNtRT7tl4KO2TUyT611yOhYhn8rcRkoIx5pZh:AwNkUYhn7qHx5pZfrDjaA
MD5:	AD303BE2FD780FEC8DD371CF371C0539
SHA1:	0B177653F8457642717AA6A4E1C62432E6E92B39
SHA-256:	D7C3DA9AE5E8C6F33E4972784A0E73034B31576BF47248E5512F34D4BEB0F8C2
SHA-512:	1EC4BD2BBED3B4D783611A2943C93854425A4B6EAE070D37D61135F4CE826672A960FD0BDF1D4E7687B47A3B01CE6958E3F8C60B6DF4AC274C627CF0966BB498
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i}..-...-...-...Hz..'...Hz..?...Hz.......i..#....i..'....i..k...Hz..+....i......-...Y....i..)....i..,....i/.,....i..,...Rich-...........................PE..d....$)e.........." .........d......\|....................................................`.........................................0...........d............`..<B...~...,..........HO.......................Q..(...pO..8............@...............................text...`,.......................... ..`.rdata.......@.......2..............@..@.data....I.......2..................@....pdata..<B...`...D...&..............@..@_RDATA...............j..............@..@.rsrc................l..............@..@.reloc...............n..............@..B................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\uniconft.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	625896
Entropy (8bit):	6.808713443080818
Encrypted:	false
SSDEEP:	12288:non3WvMMk82bHdpvs9PBXy+S43znHwHIxDgb1ovXuY:udHdVW9zHwoxWaXuY
MD5:	DE5914A6EE0CAC54604E9F787F286055
SHA1:	2B9046B3BE75E4838E1A8AA37E03EBFFF81A67AF
SHA-256:	3494F5E4F6973BD8B0F0A826951BB411B4B6658CCFCF4BCEC916911541FE7F92
SHA-512:	6216953F9DBB73F6A5108C2540D9C37739A9761880976EBB6F2ADFF55B4BB2657C0E19DE8F0DC497673478B9369DAB34B9A97BDBB6929B1C5295E9EAE395D8B2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u...u...u....K.q...\|.H.n...\|.Y.?...\|.^.....R...y...R...b...u...u...\|.W.....\|.O.t...k.I.t...\|.L.t...Richu...........PE..L.... :e...........!.........T......Y........ ...............................P.......l....@.........................0...7...............\............`..P,......PT...%...............................g..@............ ..x............................text............................... ..`.rdata..g.... ......................@..@.data............:..................@....rsrc...\...........................@..@.reloc..nk.......l..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\uniconft64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	671464
Entropy (8bit):	6.467168734612751
Encrypted:	false
SSDEEP:	12288:ippXt1116sqOSsER4TvmwW/BoRseYX/WaWf7A6d7DEnIQcXizFry:Epn116sqvsEWT+wIBoRsBbWf7AgscXd
MD5:	7865D331C84B915DDB07D1F53BDA48FB
SHA1:	9B48C11FCC174C8ACF257E4D56985F3EAF489A4B
SHA-256:	67A60766372CA75BD26C1B6DAC7A92110B74844B20705D040F0E6DE17BDFB9DD
SHA-512:	D69BB5DDEBC011153B1620BAF205DD79146DD9640A4E00D9CADBEA2F9FB43971BD1D74C0DED9FDA752919688518EB1672AB7CC27377AE7E2C349F89B72755901
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5...T`..T`..T`.M....T`..,...T`..,..cT`.....T`.....T`.....T`..Ta..T`..,...T`..,...T`..,...T`......T`..,...T`.Rich.T`.........PE..d..." :e.........." .................\|..............................................D$....@..........................................d..7...hO...............p...^......P,...........7...............................................0..X............................text............................... ..`.rdata...4...0...6..................@..@.data........p...H...P..............@....pdata...^...p...`..................@..@.rsrc...............................@..@.reloc..n...........................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\url_launcher_windows_plugin.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	340144
Entropy (8bit):	6.329282571887064
Encrypted:	false
SSDEEP:	6144:fF5bcRP41QtrfOacuF5Zt6cqgE6MohM5dm6c5rusFDpiJx:95bcm1QllP36flo+5dY5rushp0x
MD5:	F007F46A79FE228E5AADBCEACA242703
SHA1:	C0F347ACCE2EA2025D9E1EB35E4EB829344A30FD
SHA-256:	027E70B91A2BA89F40B768F3B3EB6C12792F422C931A310F097BDB992131AA6C
SHA-512:	524E11F557395D025D3658C035D87A909EEED7C2C3E89209869E0A1F000E998FF71C4BA3FB69836D44B5116B4FF56C2F1F0EAEB7DF3496421F3D1DB42354F4A4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k..k/..8/..8/..8J..9%..8J..9=..8J..9...8}..9!..8}..9%..8}..9f..8J..9)..8...9,..8/..8[..8..9(..8..9...8.?8...8..9...8Rich/..8........................PE..d...y$)e.........." .....,..........p+.......................................`............`......................................... ...\|.......d....@..........h........,...P......h9.......................;..(....9..8............@..X............................text....+.......,.................. ..`.rdata..xt...@...v...0..............@..@.data....5..........................@....pdata..h........0..................@..@_RDATA.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\urlproc.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	771816
Entropy (8bit):	6.687066668581742
Encrypted:	false
SSDEEP:	12288:t0JqX8wh7HCMdK/m8HBMZT7gcgx7KS/8SpbFtjmoTIiDuSFEna0VujIOI0eo9TX/:tPX8wBib/Qg1hpbFxmEIidCnaIujIgjV
MD5:	4F097904954CD6DEA1F8852E1E25B7A3
SHA1:	0B195A2CBDF09EAC55D8660860A9E9198C0BAB4B
SHA-256:	D883D681804C612FEE3D2EBC14946C789F7324F12AC0D1FFDA5F12863F326A65
SHA-512:	7E7AD7C922D731B8FEFDA9F86F3263701AEBA69C5F8475C8EAF944BAED82F660843CFF8B0790C2E0E95FFD97C74BC449F6B1CB9FDE2516C380FDAB1761AE0955
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........S.I.=.I.=.I.=...K.=.@...R.=.@.....=.@.....=.n.P.H.=.n.F.T.=.I.<.L.=.@... .=.@...H.=.W...H.=.@...H.=.RichI.=.........PE..L...d.,e...........!.........~......"........0......................................r.....@.............................?...(........`..................P,...p...b...4...............................3..@............0...............................text...S........................... ..`.rdata......0......................@..@.data....y.......B..................@....rsrc........`......................@..@.reloc..j....p......................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\vccorlib140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	264032
Entropy (8bit):	6.5509781606253386
Encrypted:	false
SSDEEP:	3072:Fd5S7spsLVDInjnhQWHaMMumlH+B9AI9eSxuUSfomwCapFR6gmDC2WYs3nPKsXO:P5Skg0njhQWHaMWlad3oUqomTaZwibXO
MD5:	BC928E85601A6826045D0E90113F8EFE
SHA1:	1A87B8A42F9C16409BCD0329C0913355A622760C
SHA-256:	9CD77163AB9A421D3512C7C95B76EF96160B341A31AFE83A77A9625AF0D5C517
SHA-512:	D8274E3C56182FF674E6EAD7EA43BCCAA4FA01489AC52B9D74D9D556193E83AEE3B7396608AA4AF22D09E96D5CB1FA9889EF86A555E14D93F5E15BFBD81E79F2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y......I...I...I..\|I7..I&..H...I...In..I&..H...I&..H...I&..H...I&..H...I&..H...I&..I...I&..H...IRich...I........PE..L....PZW.........."!................@........@............................... ............@A.............................=..............................`-.......Q...D..8............................D..@............................................text....,.......................... ..`.data....=...@...:...2..............@....idata...............l..............@..@minATL..............................@..@.rsrc...............................@..@.reloc...Q.......R..................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\vxproto.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	177264
Entropy (8bit):	6.8079906844124745
Encrypted:	false
SSDEEP:	3072:eIRXpGKDHXyf4zAEs6T/ZM4x+qkQTBfCLOLTt/u:eIhAEXYatnjkQTBKL25/u
MD5:	C44FD91C1FBF416174B7B40BD8C30D70
SHA1:	4E69E42AD67D81E835D5AFD5E507639112EB662A
SHA-256:	4EE61ECA19E8FFDFC3036AA3EF69452382F32C61BDDC6D8ADBE2D50E771256E2
SHA-512:	E8CDF246A6A034444CBB6E5D510733F4EECAE7F41EFCABC3AA49659CFB29FA2E55EC5657FD80050BBB09095F0C67AB7EFC7BD3E58DEF8FB4B8E28F8F1FDC2FC8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.3...`...`...`.Ye`...`.Y[`...`.Yd`...`.s.`...`...`...`.r``...`.rX`...`.Y_`...`...`...`.rZ`...`Rich...`........................PE..L...O>mU...........!................;....................................................@.........................`q......4r..P...................................p...8............................c..@............... ............................text............................... ..`.rdata..............................@..@.data....5...........h..............@....rsrc................~..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wddisam.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2555112
Entropy (8bit):	2.7387589142497575
Encrypted:	false
SSDEEP:	12288:6pL8J2LiKWfo28YxtTOPTOPTKW+IUTHN0kBSbXHE:6pLG23YhTtTOPTOPTKW+IUTt0kBSbHE
MD5:	7394D42315891F0CCF3BE07B3AD05A72
SHA1:	F439123D1A50885203416E5D654A98C9E6A8AD20
SHA-256:	6B997B5404AB09E06C995991559D19B046438F448F1C37A4F0581A515B8C7B7C
SHA-512:	8059F64EBEBE194EE2F8719552125659F36E4092573589B669603E82D1F0BA5812F804736CC555CF91206C34452A7EDF153FD851ECA4F85E864BC4948D5486F5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w...............w.......u.?.....t......~.......~.......~.......n................................y.....................Rich............................PE..L...HZ.d...........!..........#...............................................'.......'...@.........................`.&.P.....&.P.....&...............&.P,....&.l6...r&.p...........................@s&.@...............L............................text............................... ..`.rdata..&.#.......#.................@..@.data...l.....&.......&.............@....rsrc.........&.......&.............@..@.reloc..l6....&..8....&.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wdefence.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	158120
Entropy (8bit):	6.6036652086687475
Encrypted:	false
SSDEEP:	3072:r1OJQ+ekyb4aeTqvw3dJ5e5AfH9F757qDu3eCVn:r1w9seuvwtLe5AfljF
MD5:	835212E2D46361902835E35582133CF1
SHA1:	B17686F86A0517077D2386228F820E78EF4E6B48
SHA-256:	A7BB626C295E968E58297FADA6BF7FAD94436D8C5F8594DD84A5D323B62C2D50
SHA-512:	AEA4E226019C72546B21E25A5D62DF991D1AB208B4B1D4EBF86E71A158209675CDA99BDE8FC5149266D05E1835936E11BB61FC6D49A09E3DDD779553075E688E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^.}X........................`...........=.h.................$...........................Rich....................PE..L......X...........!................v.....................................................@.........................0...G.......P....P...............4...5...`...... ...................................@............................................text............................... ..`.rdata..w[.......\..................@..@.data....N..........................@....rsrc........P......................@..@.reloc..b%...`...&..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wdexhelper.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	105056
Entropy (8bit):	6.599290957656915
Encrypted:	false
SSDEEP:	1536:xa+VGSaCuW4B6+dcbJFS9dSkyrSdgq+r5dLbUFKd5okghM:dcSaCuwOcbWyEgq+r5dLbUIdKK
MD5:	4083E8CA56DBD193C1A2BC14C6F31F2D
SHA1:	DDE611369CC1864649EFAA550E2E9C8C817C029D
SHA-256:	E1944E23B2057913BBC77370FCF334CDE7B882E9662F18D05EE6098B01447419
SHA-512:	9EF369DCB65095A944DC58745886855C1763EEA342766676B9274738164CA66135734E7FACB8D9489B30D70149AE908D66559028CFA23AA40076BCF028B2701E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0...c...c...c..Ec...c..Tc...c..Bc..c.y.c...c...c..c..Kc...c..Sc...c..Uc...c..Pc...cRich...c................PE..L.....Y...........!.........l.......m...............................................B....@.........................`E..I...,=..P....................d...5..........................................X-..@...............p............................text............................... ..`.rdata...5.......6..................@..@.data...\|....P.......,..............@....rsrc................>..............@..@.reloc..p............D..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wdexhelperx64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	132000
Entropy (8bit):	6.339466105998257
Encrypted:	false
SSDEEP:	1536:thmg9KxUvO94qfftyLElW+aKsbNKNfrsivHl3JnSFfKh2MYC8To5OY9u8o1Ygh:nmgF27KE0KGSDRvJnh2M18To5OY9I
MD5:	EA7DE7494A466832B1E17A0628EA7830
SHA1:	44370CD1376A2BBED6268837003EB08901DD632B
SHA-256:	A6066AD5E9FA49163871BF7B6B4223B02B8D31DFAF9CB8463C58880C6F649929
SHA-512:	B83458FFE5958C9F14F078E6BE3E44496A596F4568029F6630FFCBE217A3ED70167A22598F8101868B6C6F05CD4EDC155DA2D2F1404A85D1E0B400E92D9E3F7E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......cA.A' ..' ..' ...X... ...X..y ...X..- ...... ..' ..H ...X... ...X..& ..9r..& ...X..& ..Rich' ..........................PE..d.....Y.........." ....................................................... .......#....@.............................................I.......P........................A......0....C...............................................@...............................text....)......................... ..`.rdata..)X...@...Z..................@..@.data...x9..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..`...........................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wdres.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	133192
Entropy (8bit):	6.613875361519417
Encrypted:	false
SSDEEP:	768:oDbvQ6mxE5tCWOiFDQM1no4ARzK2ORyALKk35LlKnI1w+HadlVQOFLQJpv5bJ8Nm:oDeYOi5BiQRdLj9/H44phbyGoWz
MD5:	AA503D702228E0F8E530CFC8D7194017
SHA1:	B9500C69197E87AB70D164C2B4E30058431E4A59
SHA-256:	B6F73E0B73F9AACB85EB0132DAC3662D6A8B3D7110B20D90BC9E31506ED3FEE7
SHA-512:	54F2FAD96825CD4AFC58A0A99EE3BFC6E7BED5BD5E0A8BF09083E72B6D34A7CED5BE77DBE8294D73FB092187C22CE943A1CB9BA130C3135A233B9AABB51FBBB8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:.`.[.3.[.3.[.3.#R3.[.3.#C3.[.3.#U3.[.3...3.[.3.[.3.[.3.#\3.[.3..B3.[.3.#G3.[.3Rich.[.3........................PE..L.....[...........!.....d...f......M.....................................................@.....................................(........................7.......... ...................................@............................................text...Tc.......d.................. ..`.rdata..L".......$...h..............@..@.data...\...........................@....rsrc............ ..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wdtHelper.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	361704
Entropy (8bit):	5.5673332951295516
Encrypted:	false
SSDEEP:	6144:UrIBDsruqjFm0MBU5Cv14COb+ZV8xuMYlWA6qU:UrEDsrLFmXBU5C9Sb+ZV8jY89
MD5:	AF271E2FE0E91A8340CF377F3934EAD1
SHA1:	11A29B7802A204FA3FD13789CE521B549C403A00
SHA-256:	42C330B5C5F2F82EA8A49A5149354D17940726AAAEB7551B63EB3009C0F341AB
SHA-512:	D0998CD6CBA7B1755FF9CBAB26CFCFA5E07E3B143156AF7E8713E12425914A265F95B545100C1173B47E3359F1254624C16A80929303DB9EC791F959AEDA929D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......).$.mcJ.mcJ.mcJ..,..ocJ.d...\|cJ.d....cJ.d...^cJ.J.'.ocJ.J.1.\|cJ.mcK..cJ.d...\|cJ.d...lcJ.s1..lcJ.d...lcJ.RichmcJ.................PE..L......d...........!.....b..........y.....................................................@.........................P................p...............X..P,......h%..`...................................@...............$............................text....a.......b.................. ..`.rdata../{.......\|...f..............@..@.data....l.......8..................@....rsrc........p......................@..@.reloc...4.......6... ..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wdui2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1318632
Entropy (8bit):	7.1335534012386415
Encrypted:	false
SSDEEP:	24576:7hdgcG8llGny4MIxwhQlcONuG0ipbzMTKdL24biHUE4:EctGy4DxkocONuG0S4TKdrboUE4
MD5:	11DD5A778F13875767EC13A7641BFD39
SHA1:	D3E4E6CD393C3345D3ABFE33988671A41954D625
SHA-256:	2802030D0255BFC68151ED66C645A2D333E0D0AC6F0FC8E68E1B458FE628E007
SHA-512:	01914FB89FA3472D66DD7F28C7BC919CFDB1E1DA309E69A210FBA373B0B2AC10AA3F388E23E0BFBE87995C62ACA10F5D756E1F366E7B7EF5E403F88FC1A48D08
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H..x&..x&..x&.]7...x&......x&.....Kx&.....x&..K..x&..]..x&..x'.y&.....x&......x&..*...x&......x&.Rich.x&.........................PE..L......e...........!................\'.......................................`.......N....@.............................[...$...,.......$...............P,..........................................H...@............................................text............................... ..`.rdata.............................@..@.data...<...........................@....rsrc...$............4..............@..@.reloc...............:..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wdui3.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1094888
Entropy (8bit):	6.920698803896278
Encrypted:	false
SSDEEP:	24576:T5UVbnvH4EKtwgoZdwaN6N+Vi/VBdT2heApbeQ1DLzV:TdqjwaN6N+g/VHT2hveQ1DLzV
MD5:	DFFDFB7167BCF65E8F2A28283E34B2C1
SHA1:	B99275B7F2961E54D094E707401E9D4DCA0D39E1
SHA-256:	70F29595B45DB1284EA39898566D09191A4E81B5C3922F70C23E76C380D3B85A
SHA-512:	F081C44EBA05EA4CAF8D7550FA179A00F4341582BBBCA00F547D94D4906B311DFD358CCBDA96A839485E38FEF59A2920B136578B8AD5A78BCA6EA6EB8FAD5502
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hJ.h,+.;,+.;,+.;.d4;.+.;%S7;.+.;%S!;.+.;2y&;(+.;%S&;e+.;...;(+.;...;1+.;,+.;P*.;%S(;k+.;%S0;-+.;2y6;-+.;%S3;-+.;Rich,+.;................PE..L...V..c...........!.................................................................%....@..........................$..M...............xn..............P,...P..8...`...............................8W..@............................................text...L........................... ..`.rdata..............................@..@.data...<....0...X..................@....rsrc...xn.......p...l..............@..@.reloc..n....P......................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wdzerop.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	238560
Entropy (8bit):	6.640593169975473
Encrypted:	false
SSDEEP:	3072:0VsImuW35nWIFuw3m8mjrzYb+aejgO2PKyjePvX/SIYlYFqah5+UT/8p9IR1eMv:2mD5t39m86nzyjePSI7Fm6/8p9Q3
MD5:	FCEA1FCBC94A5E75273C2B042DD4F8ED
SHA1:	4D017C718D732E8C18709332F0A69729CDBABEF0
SHA-256:	6392DCEF8AA143239D4E043A95DD9ACFB731CF7DAE3C88DDC8FDEBE54B79F946
SHA-512:	40671799109438C4D59E5A3242290C0E1DBF3D22853EA70102A4B16FEF430BCFCD515A7B9A699AD122710FC027C18530698D64E8EF05304090CB0A709EA2454B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l...^..^..^..^...^..^...^..^..^.dy^...^..^v..^..^..^..^..^..^..^..^..^Rich..^................PE..L......a...........!.....z..........P................................................V....@......................... ...K.......x....p...............d..H?..........p...................................@............................................text...hx.......z.................. ..`.rdata..k............~..............@..@.data...\|M... ...$..................@....rsrc........p.......0..............@..@.reloc...*.......,...6..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\webprotect.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	244552
Entropy (8bit):	6.4522910932056625
Encrypted:	false
SSDEEP:	3072:gIFk1jgk0hTxCvdRQeTfb0ydJdwcYsqmzm4RmkCaMsDfEFhA8VZv591zOgxx:l7BeUMXLwcUmzbpMs651
MD5:	5EBB43C91176A23B800D5A27DC1098C9
SHA1:	EB3CEBB63A522D97CDAD4F96CB91ED014A67D9E8
SHA-256:	2E42E4D5FCA0203A07341CD0307FA11F288DDB1C7ACCAAD6E66D07B4897EAF10
SHA-512:	388B5B21873827A0AC4AD7B05BB2BD8B0900F1BEB94908B66E906F28D23D4F63F2D9250BB62EA955C810F651BE09EC5006EE10B78568CD840834D958325044DE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c.P.'.>.'.>.'.>...%.>....0.>.....>.9...".>......>..hS.&.>..hE...>.'.?..>......>....&.>.9...&.>....&.>.Rich'.>.................PE..L......S...........!.....`...:.......U.......p......................................:.....@.............................P............P...`..........................0s..............................8...@............p...............................text....^.......`.................. ..`.rdata..0k...p...l...d..............@..@.data...\|l.......:..................@....rsrc....`...P...b..................@..@.reloc..z1.......2...l..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\window_manager_plugin.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	612016
Entropy (8bit):	6.4174165848719955
Encrypted:	false
SSDEEP:	12288:Mg6WuC+Cyifm5/EiQ2JBhThEYYExBx5wBUvxbUwWmXB/e9YZJxSEzzoOCbdpZfjo:MgzV2JxS+zCbdpZfjHsFx
MD5:	F14F9BE66E48C18118C45CF9FCD3309B
SHA1:	1D290BE804D926F60BED30F8F850BDB085515A92
SHA-256:	4A80B9DBA44153735810E7531395A15476733F8A90A69F8FC5939A2C323873A1
SHA-512:	03B74AADC9A85C65024F4CC43AC6DDA1558A157708B26B2C655249034FE0617EB8C03E5D6158AE2AC197CE51B8947262A6450E1A4F41CE0CBDEC9A9F5CE4A0B1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6...X...X...X...[...X...].R.X...\...X...[...X...]...X...\...X...Y...X.N.Y...X...Y.o.X.;.]...X.;.X...X.;.....X.;.Z...X.Rich..X.................PE..d....$)e.........." .........~......,I....................................................`.............................................x............p...........E......,......H...............................(.......8............................................text...p........................... ..`.rdata..............................@..@.data....B.........................@....pdata...E.......F..................@..@_RDATA.......`......................@..@.rsrc........p......................@..@.reloc..H...........................@..B........................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\window_size_plugin.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	564400
Entropy (8bit):	6.422469848275101
Encrypted:	false
SSDEEP:	12288:jEUEku6bXor/fKooWkyE+J3DXih1sf8KM7sniCf9JRn+TF4Jt+jL2T/g/You/dpa:oUozsjL2lf/dpZR9ZgjP
MD5:	8147BD2F71221360338CD14E3E7EA323
SHA1:	E59AC3F40454E7A4E8ABD63945994B836F283C80
SHA-256:	E0976CCEACED3FCB2C93821D760381ACD8BCB59B02D2E4DF8468CD021C65D96A
SHA-512:	F7FAAC494AA4347545B7A17EF56F3E05751D43425A17B80B9C9923924251CC5DFF306E5CEED18F856C84236A5AE174519C5FCB91726352B7B31ED73F399400B2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<.^.]...]...]...;...]...;...]...;...]...(...]...(...]...(...]...;...]...(...]...]...]..e(...]..e(...]..e(...]..e(...]..Rich.]..................PE..d....$)e.........." .........V......L..............................................._I....`.............................................p... ...P............P...A...p...,......(....M.......................O..(... N..8............@...............................text...p,.......................... ..`.rdata.......@.......2..............@..@.data....A.......*..................@....pdata...A...P...B..................@..@_RDATA...............\..............@..@.rsrc................^..............@..@.reloc..(............`..............@..B........................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wuhelp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	78808
Entropy (8bit):	6.57997288223318
Encrypted:	false
SSDEEP:	768:KG4sS22vz/mn2/vftVzXsY1Vf6PnGwlNkptKbEYHm5ItEtrha+pedW3jX+4qCGo/:K392sz/sdup+BXsvk+0c3jOZo/
MD5:	59377AA3DE07D487BE3B434FB2864DC4
SHA1:	DD92A3C14A26973D9C32181584D738A7AE2F06C2
SHA-256:	AF398242657D8A8838104CF635B98B4E5CF7E2322D96C097AE0D810FC0197E16
SHA-512:	F6A011AC8A4A0E05FD429C4349051F5F526A96B06902307096E1331CFD935206B35D894F19903D61A2757DC50C8F30F465E361E5BC17ABA63F2947DD0EFD79AE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........L..."O.."O.."OV..O.."O...O.."O...O.."O...O.."O...O.."O..#O.."O...O.."O...O.."O...O.."ORich.."O................PE..L......Y...........!.........X.......>.......................................`......?.....@.....................................P....0..................@/...@..H.......................................@...............\............................text...a........................... ..`.rdata...(.......*..................@..@.data....0..........................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\wuhelp64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	86288
Entropy (8bit):	6.353633574899183
Encrypted:	false
SSDEEP:	1536:lU0yrG/FM7gb5vP3iSbmnyXS9IgWgR5sZhoQ+JLXe9HJo2PpJvvvvvvvvGzboEPO:lCOZtbmnoS9h5GPg69Hy2PpIoEJg
MD5:	D6E2A0D34AA617FCB82D832642E5470A
SHA1:	68125F81883B8BBBE65B16D2C0E0A5983FC59C20
SHA-256:	048EF535E135B4B13D85E4689268B404DBB97A0B29983BA9BF4FC8E97D2D051F
SHA-512:	A7ACFEF5858AFCFD8E43DEC41A1A9334645B10C00BAC65A474A438DF4CE1131983BEF47B5CDDAB69D5CEC4C2B0FC21C202CD844BD6BA3E11CB6D2C409ABC9B5C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4.i.4.i.4.i.=....i.=..j.i.=...>.i.=...3.i.4.h.V.i.=..=.i.*...5.i.=...5.i.Rich4.i.................PE..d...~..Y.........." .........`......\L.......................................p......"y....@.................................................X...P....P.......@..l.......x:...`.......................................................................................text............................... ..`.rdata...2.......4..................@..@.data....;..........................@....pdata..l....@......................@..@.rsrc........P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yhregd.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	500968
Entropy (8bit):	6.598421975074313
Encrypted:	false
SSDEEP:	6144:q0tNHboDyDCVV/wrNuO5oJE9fCt7swJHcES+hfxsPipKg8ytAHfN6pISWjnHF1ob:q0thobXuuOuKzifxsP3ytK6pynHFm
MD5:	799918EF88A366AD37D33C2CFB5E8B43
SHA1:	93F782B07C2859CE4489692A9BA6334AC2011661
SHA-256:	B4EF6B60BF2799B487646046AF290D1FA84E92FE81A445C3FC9CB2E1B72CE25B
SHA-512:	DEE59DFC238BB237125C15C405242CC8540818D60D67D1B731ECBF2FC5F6FDE8A52738E9FB72F8A740B4FD2A61445382C522B5116A280B91D8DC14B1DA0BDD5F
Malicious:	false
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$........I.Y.(...(...(..Wv...(..@Y...(...@...(...@...(..B.p..(..@Y...(..AY...(...P...(..h.E..(..SA...(..lA...(..VA...(..lA...(..VA...(...@...(..%Z...(..%Z...(...(..@)..^A...(..^A...(..^A}..(...(...(..^A...(..Rich.(..................PE..L...h#?e...........!.................u..............................................0.....@......................... ...P...p...........l............x..P,......tK..@...T...................8...........@............................................text............................... ..`.rdata..Hb.......d..................@..@.data...@R...0......................@....rsrc...l............ ..............@..@.reloc..tK.......L...*..............@..B........................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	691760
Entropy (8bit):	6.65005121490335
Encrypted:	false
SSDEEP:	12288:z9dSp9WkHCGswmfwHaG3qNeNCGWmQ47/KkRjDMfZVt1UE3HZyr9oUTB2O:Ra7HCXwmfwHRI+HWmQ4HRjDIZVt1UE3a
MD5:	938C33C54819D6CE8D731B68D9C37E38
SHA1:	5DEBC5AECEA887D17E342E3651006E1DB351034F
SHA-256:	E705895392ACD9768F413E35545C6581B3BAC8C05DCE97BC9AF6A37BE7CB7DE3
SHA-512:	16DEAF3B8C9A29B73D6530474F2A0BF5AC756D44A04D2468464FB78C9048CA9F1E1EBBCC91ADFC74963B7083B0381A47F76C70BADDEB44026C969125EA1C929A
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe, Author: Joe Security
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c..........................................@.................................6............@...............................-...p...~...........:..0T.........................................................................................text...P........................... ..`.itext..t........................... ..`.data....5.......6..................@....bss....le...............................idata...-..........................@....tls....8................................rdata..............................@..@.reloc.............................@..B.rsrc....~...p...~..................@..@.....................:..............@..@................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\FLIEAC

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	2713088
Entropy (8bit):	7.9358560764847
Encrypted:	false
SSDEEP:	49152:gCE0mvBnEwvJm7T8UyHNzeBBHKZlYU13/1wUqq7vf2h0Vw:gCZmvBEqUyHcclt/mUCOa
MD5:	C625FE50C8CBC877CBFAF1D5212F02C0
SHA1:	90763CBEB446C7638F80851E55AF9976285DC56C
SHA-256:	F8890DFA4609D9CB2CA685339468C5256356066CF91AB13C9A771A3B8A566D12
SHA-512:	898703B75D27A9EE5055965BE16D7DEFA482A4199D6C008E539A0102230743AD4540945B76E78804F4CFA99D3DE79B9584D91F6C74C3FF2E6B8F4CC09E7F472C
Malicious:	false
Preview:	...SLSSSOSSSPPSS.SSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS[SSSA..AS.J...R..................................FFE.SSSSSSSB.....t5..t5..t5..x5..t59..5..t5y.~5..t5...5..t59..5..t5..u5..t5...5..t5..t5..t5...5..t5..p5..t5......t5SSSSSSSSSSSSSSSS..SS.RLSd..SSSSSSSSsSA.DRISS.SSCSSS3.S.E.SS#.SSC.SSSSCSCSSSMSSOSSSSSSSOSSSSSSSS..SSOSSSSSSMSSSSSCSSCSSSSCSSCSSSSSSCSSSC..S.SSSSC.SCMSSSSSSSSSSSSSSSSSSSSSSSSSS...SGSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS....SSSSS3.SSCSSSSSSSOSSSSSSSSSSSSSS.SSs....SSSSS.SS#.SS.SSOSSSSSSSSSSSSSS.SSs....SSSSSCSSSC.SSOSSS.SSSSSSSSSSSSS.SS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS....S....FJKH

C:\Program Files (x86)\DnLIMGKCARTO\yybob\HipsdiaMain.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	6.561876036819077
Encrypted:	false
SSDEEP:	768:iRsOLyueUFANmFloKvQX29dQ0pkZloKvQX29dQ0pkfo3MbvM1kvdCr+y:iRsJgO4lCXy60AlCXy60vcbvM1idCv
MD5:	0252D997E8633929A793DA5CD9F1A078
SHA1:	1C266679F251E9A82E64C0E0E3B0EE41842417DB
SHA-256:	246EB43F8272FBE34A5F45C5F91D109DD38C3A2B6967DF47D9A88322449F767D
SHA-512:	9FA44873C27638465485A427EBE486D0E047BB143F32E89CCF9FC0D360030D10ADAAA10C75742ABC3035C5A1428C258E49E8FE83C162743CDEE01D2E5B9A63ED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Jo.TJo.TJo.T%.UTHo.T%.WTOo.T%.cTAo.T%.bTHo.TC.ZTOo.TJo.T.o.T%.fTNo.T%.RTKo.T%.TTKo.TRichJo.T........................PE..L......g...........!.....>...................P............................................@.............................].......P.......................................................................@............P..D............................text....=.......>.................. ..`.rdata..M....P.......B..............@..@.data...$...........................@....reloc..(...........................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\PackageMgr.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	107120
Entropy (8bit):	6.416041804489009
Encrypted:	false
SSDEEP:	1536:ABHJ2sevEPtUiDHPsG78SkqRsEKk2UaWD+Ug1phiaeBvNdiizK3xg+rd3XjxxyhS:eHAR6tHDp/acgrItvNdiizK3xg+FXOS
MD5:	773D6EC38151B301FB8E45B4043E2E9F
SHA1:	475A42DD7FF0417D6826187F37AA3B5FFA65AE50
SHA-256:	E15E52A68BA167C0E6683EAFA3102079BBD0262EF5BF1005FE5A3B492374F66A
SHA-512:	FFDEEA69581B7C25CF5DC83A9803E94AB83D6C19254F5DE474240DAD3B630386D8D401B7A5EA25F97B1BF068D95266D53AD6324362E7CF94B1F326DAA9B5A1EF
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......L.,7.iBd.iBd.iBd...d.iBd37Ae.iBd37Fe.iBd.0Ge.iBd37Ce.iBd37Ge.iBd..d.iBd..d.iBd..d.iBd.iCd.iBd.7Ge.iBd.7Be.iBd.7.d.iBd.i.d.iBd.7@e.iBdRich.iBd........................PE..L.....3b...........!................(...............................................&.....@..........................=.......>..,....................p..p2......$.......T...................d...........@............................................text............................... ..`.rdata...P.......R..................@..@.data...$....`.......:..............@...minATL.......p.......F..............@..@.gfids...............H..............@..@.tls.................J..............@....rsrc................L..............@..@.reloc..$............^..............@..B........................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMAVProxy.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	99952
Entropy (8bit):	6.458473763443854
Encrypted:	false
SSDEEP:	1536:ZAUmWga/j5/IEHE2BzIfjwpDvdxeR1Ay01A4F1519hTnZmjjxy:jm+JrHElE9SRuy0hFX19hTZmM
MD5:	D902AF6BDCB8F3D47CC7A26B7F5AF840
SHA1:	B42E2C429F60551CAFDD92F5024DA7EDEC1270EB
SHA-256:	ADD79DE18ECBDEEC06D9765B2308FDBEAB3F788382A07D6235B614CA58BDA2B8
SHA-512:	1D55DC22AD3317622C3AE502B4B329B25DA6EB03D5FE8D2F4F7319110A196CDF08BD5E5DBB6322D6FC12B3C4472C629F9F64523FB23928E0433F96D0C8098911
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$...J...J...J.......J...N...J...I...J.g.....J...K...J...O...J...N...J...L...J...K...J.ys....J...K...J...C...J...J...J.......J...H...J.Rich..J.........PE..L...!8.d...........!................1...............................................v.....@..........................;..T...T;.......`..`............T..p2...p..t...4...p...............................@...............0............................text...%........................... ..`.rdata...h.......j..................@..@.data........P.......8..............@....rsrc...`....`.......<..............@..@.reloc..t....p.......@..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMDns.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51312
Entropy (8bit):	6.588801090147588
Encrypted:	false
SSDEEP:	768:gmaAkOI8/UgAXuuMnw415frUK5yPPTnDG3318RU7yw2MvZDGjENAMxaJ:gmPNN7wU5frbcba318aJjjxaJ
MD5:	BF125A12E9CE8568AADD6A9EE11C696D
SHA1:	4B8CF25506F5729D485171DECAA152B32EF2AFBF
SHA-256:	72C9E45E029115541AEBA55243BED56CCB5E594E50CE26DEFDE76D35B5B892C4
SHA-512:	B2FDCE478034312D7C7911F83E5A56DA505F9D5FF351CA74A8718B4256BB91DCBF341A268349DC992C7232A9B012BD986224BD650F7141261F8D38E9DCC43318
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........T...T...T...].f.X......._.......W.......B.......P....;.U....>.]...T..........v......U......U......U...RichT...........................PE..L....1.d...........!.....H...R......7L.......`......................................qi....@.........................`...4...............X...............p2......p...p...p...............................@............`..d............................text...3F.......H.................. ..`.rdata...7...`...8...L..............@..@.data...\...........................@....rsrc...X...........................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMEventBus.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92272
Entropy (8bit):	6.543211290485113
Encrypted:	false
SSDEEP:	1536:5MUmmeVWAcHeFzyWQ+lh5W0pkw01pPafkNA0tDq3NnqFBjxxP:5MUsVF6eFvPPWBw01ofkNA0E3NnsBj
MD5:	23E97B1438152A4328FA97552F8B9AA1
SHA1:	F95D191EB1E6DDBCA5B20FAC2D0746FEBB0B2C12
SHA-256:	17CBD8771713566BEB469B300D34782986EF325582DCB575C4FB35C1FB397A9E
SHA-512:	FA497B5F806D851717C920755E245E65CDBF5CEFCE0975DA33A43C88005474F87D006FFEFE111A199ABF4FC68CA640CD18709FEDFC376FC64E6D6CC272D816A7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X\...=.N.=.N.=.N.E.N.=.N.2.N.=.NNH.O.=.NNH.O.=.NNH.O.=.NNH.O.=.N..ZN.=.N.=.N.=.N.._N.=.N.H.O(=.N.H.O.=.N.HkN.=.N.H.O.=.NRich.=.N................PE..L....2.d...........!.........z......e................................................[....@..........................&......('.......`...............6..p2...p..`.......p...........................8...@............................................text...}........................... ..`.rdata..VS.......T..................@..@.data... ....@......................@....rsrc........`.......$..............@..@.reloc..`....p.......&..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\TDPCONTROL.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1063616
Entropy (8bit):	6.674869382282474
Encrypted:	false
SSDEEP:	24576:2ODivXdRxWmQOhfbV5l7kZLWfGPeu/PUw6WmARlXDMmH6PBzT/Cn+m4q:2OuvbfGZGGKJT/Cn+Fq
MD5:	4FF45827EC92E40935F9939142CD40DC
SHA1:	CAD74928F3387E6BF28C3625803706061E956B34
SHA-256:	012ED8D16E9F7586FE44C0AFFE5BEA6FF68F27231A6526D439643869A103E434
SHA-512:	A3DFE7976E5FFB4BA0C68E218C0924568D343E7937ABB50785107DE5E0ADC11AD58A86E02FABB455845FBE8E545E48B57A67EB647C664390ED521D255FF3BEFE
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...~/._.....................j...................@................................. ...................................{........3.......................@...........................................................................................text...0z.......\|.................. ..`.itext.............................. ..`.data...D...........................@....bss.....e...@.......0...................idata...3.......4...0..............@....edata..{............d..............@..@.reloc...............f..............@..B.rsrc................V..............@..@....................................@..@........................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\TDPINFO.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	7.484270190239562
Encrypted:	false
SSDEEP:	768:tUqX/E3rJA4ZX6xUrLGwk9xAlvcuHnYoq7MNC3Il:tUc/+vKGnax8ESY17WkI
MD5:	63F6D9FECB240388D69CB668CFE50C00
SHA1:	2B67BB8AA45A9D0383E76F15E631C1131B28BB1E
SHA-256:	678D6ED15F6150BFD5BA8E823CF877C32BB492E8557E107FAC77143DAD3724F1
SHA-512:	176B096493206D2DADB17D778E959855DEEF0EC8D5343C09790CA6C067A338ECE44138FA9081888CAA2228A041D2A8C71B085AD8FEFAFE479505F667F6D2B7E6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#;\.gZ2.gZ2.gZ2..F<.rZ2.Q\|8..Z2..Uo.bZ2.gZ3.7Z2.Q\|9.sZ2.gZ2.fZ2..E9.eZ2..E6.fZ2.RichgZ2.................PE..L.....lf...........!.............p..................................................................................0...l...........................................................................................................................UPX0.....p..............................UPX1.............v..................@....rsrc................z..............@......................................................................................................................................................................................................................................................................................................................................................................................................4.21.UPX!....

C:\Program Files (x86)\DnLIMGKCARTO\yybob\TDPSTAT.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	388808
Entropy (8bit):	6.5956896905460125
Encrypted:	false
SSDEEP:	6144:B9su6Bohl2JJmgk1G8M0uQoRkQsKwxBF6CaSIU9ILZxxB5ARUWvAX+E:BSohl2JJmgk1U3QMkQsTx3paSIUixGRI
MD5:	B8253F0DD523BC1E2480F11A9702411D
SHA1:	61A4C65EB5D4176B00A1FF73621521C1E60D28EA
SHA-256:	01CEE5C4A2E80CB3FDAD50E2009F51CA18C787BF486CE31321899CCCEDC72E0C
SHA-512:	4C578003E31F08E403F4290970BC900D9F42CAA57C5B4C0ACA035D92EDC9921BF4034FC216C9860DA69054B05F98DADE5F6E218AC4BEE991BC37A3EF572FE9A0
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...8..^..........................................@..........................P..........................................c....p...........N...............<.......g..................................................Ts..P............................text...T........................... ..`.itext.............................. ..`.data....).......*..................@....bss....<X...............................idata.......p......................@....edata..c...........................@..@.reloc...g.......h..................@..B.rsrc....N.......N...d..............@..@.............P......................@..@........................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\Toolbox.ico

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	MS Windows icon resource - 6 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	104864
Entropy (8bit):	3.9053747079480448
Encrypted:	false
SSDEEP:	384:0ePYp7777777777FaTLcbLLLLEW/+Z+Z+I1m5aaaaaaaaaMsJju5wU4XcG8jUEPE:n7sAacGgUEc
MD5:	6CCA9307DEAF7B167C92BBE3D2AC59CA
SHA1:	FE2A51B84BD203BA0AEA43D50D664B1632F3B0B0
SHA-256:	771E0C7FF0514650DF7C62E237A8D8DDFA2D156A8B18473AE647E6684A483178
SHA-512:	C1E4639BCFF0C18713116973524E7527BEE31307C33AF2048F617CE0460580A2FEE88FF6E347F87C799AC990F4BCCB97A2FCEBCB82AD4A926EE95F211A033368
Malicious:	false
Preview:	............ .h...f... .... .........00.... ..%..v...@@.... .(B...;........ .(...F}........ .2...n...(....... ..... .....0....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v...w..w.........u...w..w..w..w..x.......\|...w..w..w...n...x...x...x...x...x...x...x...x...x...x...x...x...x...x...n...o...w...x...x...x...x...x...x...x...x...x...x...x...x...w...p...p...n..y...z...u...u...u...z...z...u...u...u...z...y...n..p.......p...s..w...w...w...w...w...w...w...w...w...w...s..p...........................m.p.p

C:\Program Files (x86)\DnLIMGKCARTO\yybob\UPSDK.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1165576
Entropy (8bit):	6.491752155251347
Encrypted:	false
SSDEEP:	24576:ptf4OLWmQQ3b6ZVtecP3Ufy/ilDqzybXIZ0xKHpWq0dGcz7msH0WQWmAdA7yJBzA:tLDlDgRGxKHpSJ28TU
MD5:	D75E14313FC8A0850F3190CE67509475
SHA1:	74474830BC0706E5C0A8B455A4E1B47D9F1DE741
SHA-256:	E5C711BDB99AB55EBD96B3636C7396566C98ACFFD03DF735A15F1E18936A718A
SHA-512:	A4260F1A9A77BC41FC54532BDBF51F831004767E08150BFF95374663930BBE4FCA81790AA4578C062674557A02A698EA798CFC00F2355F6B8FA71BF2915CBAAA
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......`..........................................@..........................0.......4...............................`..e....@..v........^...............A...p...Y...................................................C...............................text...x........................... ..`.itext.............................. ..`.data....".......$..................@....bss.....Y...............................idata..v....@......................@....edata..e....`......................@..@.reloc...Y...p...Z..................@..B.rsrc....^.......^...*..............@..@.............0......................@..@........................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\libcurl.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	333824
Entropy (8bit):	6.389952178495305
Encrypted:	false
SSDEEP:	6144:WyEhWbJNOcWd55OHSCw1ohITXVvrJGqdK2Dug6dGXLSuMAFi2TBfR:Wlu1IjOIohILJrc4Ezui2TdR
MD5:	EC9483F4B8C3910B09CAAB0F6CB7CD1B
SHA1:	9931AAA8E626DF273EE42F98E2FC91C2078FDC07
SHA-256:	4D9CAE6E2E52270150542084AF949D7B68300E378868165FF601378A38F7048F
SHA-512:	84B60FE3CD0EDE19933B37AE0EAEBA1F87174A21BC8086857E57C8729CEC88F9FEF4B50A2B870F55C858DD43B070FD22FFEC5CB6F4FD5B950D6451B05EB65565
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..S...........#................ .............$k................................. ........ .........................c.... .......`.......................p..\|$...........................P......................."..h............................text...T...........................`.P`.data...t...........................@.`..rdata..L.... ......................@.`@.eh_fram............................@.0@.bss..................................`..edata..c...........................@.0@.idata....... ......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..rsrc........`......................@.0..reloc..\|$...p...&..................@.0B........................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp100.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.297676823354886
Encrypted:	false
SSDEEP:	12288:koBFUsQ1H5FH3YUTd/df0RA7XkNvEKZm+aWodEEiblHN/:dFUsQ1H5FHdGKkNvEKZm+aWodEEcHN/
MD5:	D029339C0F59CF662094EDDF8C42B2B5
SHA1:	A0B6DE44255CE7BFADE9A5B559DD04F2972BFDC8
SHA-256:	934D882EFD3C0F3F1EFBC238EF87708F3879F5BB456D30AF62F3368D58B6AA4C
SHA-512:	021D9AF52E68CB7A3B0042D9ED6C9418552EE16DF966F9CCEDD458567C47D70471CB8851A69D3982D64571369664FAEEAE3BE90E2E88A909005B9CDB73679C82
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$..-`..~`..~`..~i.4~b..~{.;~c..~`..~...~..?~a..~{.9~a..~{..~P..~{..~Y..~{..~e..~{.<~a..~{.=~a..~{.:~a..~Rich`..~........................PE..d.....M.........." .........f.......q........cy..........................................@.............................................m......<....P...........=...0..P....`.......................................................................................text............................... ..`.rdata..-...........................@..@.data...0L.......8..................@....pdata...=.......>..................@..@.rsrc........P......................@..@.reloc..R....`......................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp110.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	661456
Entropy (8bit):	6.2479591860670896
Encrypted:	false
SSDEEP:	12288:akhiz9iVQi6mpiyMATITfluR3G1YdpTzYJQIbRdJN2EKZm+DWodEEt2L:WaQeIJN2EKZm+DWodEEt2L
MD5:	7CAA1B97A3311EB5A695E3C9028616E7
SHA1:	2A94C1CECFB957195FCBBF1C59827A12025B5615
SHA-256:	27F394AE01D12F851F1DEE3632DEE3C5AFA1D267F7A96321D35FD43105B035AD
SHA-512:	8818AF4D4B1DE913AAE5CB7168DCEC575EABC863852315E090245E887EF9036C81AABAF9DFF6DEE98D4CE3B6E5E5FC7819ECCF717A1D0A62DC0DF6F85B6FEEB8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.:..si..si..si~`.i..si..ri^.sis.i..si...i..sis.i..sis.i..sis.i..sis.i..sis.i..sis.i..sis.i..siRich..si................PE..d......P.........." ........."......<........................................p......L+....`..........................................3......l...<...............0E.......=... ..,....(..............................`...p............ ...............................text...:........................... ..`.rdata....... ......................@..@.data...p.... ...:..................@....pdata..0E.......F...D..............@..@.rsrc...............................@..@.reloc..FJ... ...L..................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp120.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	660128
Entropy (8bit):	6.339650318935599
Encrypted:	false
SSDEEP:	12288:t2TOv4Zur4nRc4RwlG4xH2F+O+/i2UA3YyB2hxKM5Qrt+e2EKZm+GWodEEwIP:qRhxKM5U2EKZm+GWodEEw4
MD5:	0A097D81514751B500690CE3FC3223FA
SHA1:	7983F0E18D2C54416599E6C192D6D2B151A2175C
SHA-256:	E299B35D1E3B87930A4F9A9EF90526534E8796B0DEF177FB2A849C27F42F1DF2
SHA-512:	74639F4C2954B5959EB2254544BF2E06AB097219FC8588A4F154D1A369B0657176128C17911958C84ED55421FE89BF98C8ED36D803A07A28A7D4598DB88027CE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Ca.=...n...n...n..)n...n...n...n.R?n...n..%n...n.R=n...n.R.n4..n.R.nJ..n.R.n...n.R>n...n.R9n...n.R<n...nRich...n........PE..d......V.........." .....@...................................................`.......H....`.........................................pU.. ....2..<....@...........G.......>...P.......X..................................p............P...............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data........P...8...B..............@....pdata...G.......H...z..............@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	449280
Entropy (8bit):	6.670243582402913
Encrypted:	false
SSDEEP:	12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
MD5:	1FB93933FD087215A3C7B0800E6BB703
SHA1:	A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
SHA-256:	2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
SHA-512:	79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L....(.[.........."!.....(..........`........@............................................@A.........................g.......r...........................?.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140_1.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31528
Entropy (8bit):	6.472533190412445
Encrypted:	false
SSDEEP:	384:R77JqjlI8icUYWhN5tWcS5gWZoMUekWi9pBj0HRN7RA5aWixHRN7osDhzlGs6N+E:R5D8icUlX5YYMLAWRAlypmPB
MD5:	7EE2B93A97485E6222C393BFA653926B
SHA1:	F4779CBFF235D21C386DA7276021F136CA233320
SHA-256:	BD57D8EEF0BC3A757C5CE5F486A547C79E12482AC8E694C47A6AB794AA745F1F
SHA-512:	4A4A3F56674B54683C88BD696AB5D02750E9A61F3089274FAA25E16A858805958E8BE1C391A257E73D889B1EEA30C173D0296509221D68A492A488D725C2B101
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U..\4~.\4~.\4~...^4~.UL..X4~.Dz.[4~.D}.^4~.\4..v4~.D..Y4~.D{.O4~.D~.]4~.D..]4~.D\|.]4~.Rich\4~.........PE..d...W8.^.........." .........$............................................................`A.........................................>..L....?..x....p.......`..4....:..(A......p...@3..T............................3..0............0..0............................text...(........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..4....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140_2.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	193832
Entropy (8bit):	6.592581384064209
Encrypted:	false
SSDEEP:	3072:V7vC/HAiCsJCzwneNPXU7tm1hTt8KBDal8zg/0LwhORfewlMi0JHV:VTGAtweN85m1f8KBI9wfpsJH
MD5:	937D6FF2B308A4594852B1FB3786E37F
SHA1:	5B1236B846E22DA39C7F312499731179D9EE6130
SHA-256:	261FBD00784BB828939B9B09C1931249A5C778FCEAD5B78C4B254D26CF2C201F
SHA-512:	9691509872FDB42A3C02566C10550A856D36EB0569763F309C9C4592CAF573FBB3F0B6DC9F24B32A872E2E4291E06256EAE5F2A0DEB554F9241403FD19246CAC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........94..Wg..Wg..WgVt.g..Wg..g..Wg..Sf..Wg..Tf..Wg..Vg..Wg..Vf..Wg..Rf..Wg..Wf..Wg...g..Wg..Uf..WgRich..Wg........................PE..d...W8.^.........." ................p............................................... .....`A........................................ ..................................(A...........K..T........................... L..0...............P............................text............................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr100.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr110.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	849360
Entropy (8bit):	6.542151190128927
Encrypted:	false
SSDEEP:	24576:I+9BbHqWVFlB7s2ncm9NBrqWJgS0wzsYmyy6OQ:z9d7M3nS0wV
MD5:	7C3B449F661D99A9B1033A14033D2987
SHA1:	6C8C572E736BC53D1B5A608D3D9F697B1BB261DA
SHA-256:	AE996EDB9B050677C4F82D56092EFDC75F0ADDC97A14E2C46753E2DB3F6BD732
SHA-512:	A58783F50176E97284861860628CC930A613168BE70411FABAFBE6970DCCCB8698A6D033CFC94EDF415093E51F3D6A4B1EE0F38CC81254BDCCB7EDFA2E4DB4F8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........c.O.0.O.0.O.0.O.0}O.028g0.O.0?..02N.0?..0.O.0?..0.O.0?..0wO.0?..0.O.0?..0.O.0?..0.O.0Rich.O.0........................PE..d...n..P.........." ................l3.......................................@............`..........................................E.......1..(............... g.......=......8...`6..............................P...p............0...............................text............................... ..`.rdata.......0......................@..@.data...(q.......@..................@....pdata.. g.......h...(..............@..@.rsrc...............................@..@.reloc...".......$..................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr120.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	963744
Entropy (8bit):	6.63341775080164
Encrypted:	false
SSDEEP:	24576:lQ39+j16xw/86yY4ZOVqSs8cKPkb3vi4vwW1kCySQmWymTXY:S3tPDLfRbiow9Cyo
MD5:	E2CA271748E872D1A4FD5AC5D8C998B1
SHA1:	5020B343F28349DA8C3EA48FB96C0FBAB757BD5C
SHA-256:	0D00BF1756A95679715E93DC82B1B31994773D029FBBD4E0E85136EF082B86A9
SHA-512:	85D6BCAAF86F400000CF991DA1B8E45E79823628DC11B41D7631AA8EE93E500E7DA6E843EA04EDB44D047519DABEF96DCB641ADC2A7B3FAA5CD01E8A20B1F18E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F=&^'Su^'Su^'Su..u]'Su^'Ru.'SuSu.u.%SuSu.uo'SuSu.uh'SuSu.u.'SuSu.u_'SuSu.u_'SuSu.u_'SuRich^'Su........PE..d......V.........." .....j...:.......)..............................................+l....`.....................................................(............@...s...v...>......8...p................................2..p............................................text...eh.......j.................. ..`.rdata...9.......:...n..............@..@.data...hu.......D..................@....pdata...s...@...t..................@..@.rsrc................`..............@..@.reloc..8............d..............@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\oDayProtect.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57456
Entropy (8bit):	6.555119730119836
Encrypted:	false
SSDEEP:	1536:h4WOg3TER/nhU8Vbbb8O0WWVYgaatjJxl:h4WOg3TSr78O0WWVYg5tJ
MD5:	00FCB6C9E8BD767DDE68973B831388E9
SHA1:	2D35E76C390B8E2E5CA8225B3E441F5AC0300A02
SHA-256:	1CC765B67D071060C71B4774C7745575775CE46E675E08620E5BAB3B21B2CE79
SHA-512:	2B48701B5F4B8F1EB7FC3EB9A76370883FE6CAF45D92DA607AB164F93E0EED65D6C1369D4EA974A112C902FD0F5BAF06E7611ECB9B50BE3A599F261624B33BA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[..]..............3.....M......M......M......M.......{n......{k............................._.......7............Rich............PE..L...m>.d...........!.....`...R......._.......p............................................@...........................................P...............p2..............p........................... ...@............p..\............................text...._.......`.................. ..`.rdata...4...p...6...d..............@..@.data...$...........................@....shared.............................@....rsrc...P...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\vcruntime140.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	101872
Entropy (8bit):	6.5661918084228725
Encrypted:	false
SSDEEP:	1536:RCKWZGuEK0mOLSTxoPl9GIcuZrxi4hXX9oix8H+NCIecbGShwZul:RFWY1WxgGStJ8H2CIecbG36
MD5:	971DBBE854FC6AB78C095607DFAD7B5C
SHA1:	1731FB947CD85F9017A95FDA1DC5E3B0F6B42CA2
SHA-256:	5E197A086B6A7711BAA09AFE4EA7C68F0E777B2FF33F1DF25A21F375B7D9693A
SHA-512:	B966AAB9C0D9459FADA3E5E96998292D6874A7078924EA2C171F0A1A50B0784C24CC408D00852BEC48D6A01E67E41D017684631176D3E90151EC692161F1814D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w.............t:..............................................................Rich....................PE..d.....t^.........." .........^.......................................................e....`A.........................................0..4....9.......p.......P.......L...A..............8........................... ...0............................................text...2........................... ..`.rdata...?.......@..................@..@.data...0....@.......4..............@....pdata.......P.......8..............@..@_RDATA.......`.......D..............@..@.rsrc........p.......F..............@..@.reloc...............J..............@..B........................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\yybob\vcruntime140_1.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44312
Entropy (8bit):	6.623047237297825
Encrypted:	false
SSDEEP:	768:vG3xRsJTKdiibUoT2zvivbXXyJWqWZ8DZX:vG7DyM22DiJMCtX
MD5:	9040ED0FDF4CE7558CBFFB73D4C17761
SHA1:	669C8380959984CC62B05535C18836F815308362
SHA-256:	6CC4315DACEB0522816C60678344466CB452426267F70C7FAAE925361674E774
SHA-512:	303143006C781260540E9D0D3739ACC33F2D54F884358C7485599DD22B87CCE9B81F68D6AD80F0F5BB1798CE54A79677152C1D3600E443E192AECD442EA0A2E4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j&=..Hn..Hn..Hn@..n..Hn!fIo..Hn.s.n..Hn..In..Hn!fKo..Hn!fLo..Hn!fMo..Hn!fHo..Hn!f.n..Hn!fJo..HnRich..Hn........PE..d....h.].........." .....:...4.......A..............................................?.....`A.........................................j......<k..x....................l...A......(....a..8...........................0b...............P..X............................text...t9.......:.................. ..`.rdata..P ...P..."...>..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..(............j..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\zeropmgr.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	415128
Entropy (8bit):	6.6210531109184965
Encrypted:	false
SSDEEP:	12288:l6LJqy9H1aBwUuL7/z+3Eh5sJfcAX09UcO9d:cCuLf7KfcAX09tO9d
MD5:	C499B812979EA663E6ED6A21AFF9255D
SHA1:	FE80FDDA3EB377956E8912868A5171D1D499517A
SHA-256:	DE18B8D7D975E0F757DD943EEABA8F1CFF7C7C5AB1CC14288D7AC5B13CAE49C2
SHA-512:	9D1BB3EC4B3F0679C7DE059B45D19A3786A9CF4E107B804F10638ED01D5A5F4282321CE371B76C3CDCBE2D25857474E8A7C540020EB3A6A3F6B2576866B58ED9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........}[x..[x..[x...76.Zx..R.5.Lx..R.#..x..E$.^x..R.$..x..\|...Zx..\|...Bx..[x...x..R..kx..R.2.Zx..E*4.Zx..R.1.Zx..Rich[x..........PE..L....@.c...........!.........L...............................................p............@.............................................................I... ..@/...................................=..@...............<............................text...p........................... ..`.rdata..............................@..@.data....d.......2..................@....rsrc...............................@..@.reloc..$F... ...H..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DnLIMGKCARTO\zpthdo.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	821640
Entropy (8bit):	6.80570349308525
Encrypted:	false
SSDEEP:	24576:rAwdhdGhfsJRv5SKCqMsPk79yvwXl/N95:rAw7MfsJRRSGMsPkRYqV
MD5:	96AB7D0CE0AB68697D2B5736A2A8EF46
SHA1:	51FF7B82ECF28442C56BAC4F57D30AC3F0AEAA5D
SHA-256:	CE0A8DD9BAD2E32681E475C52852251F1B0A20D67013DADEEDE7C2D501302F3D
SHA-512:	35AD7EAFD8650C89E0B9123B3A7DC839D922CDEC4C22E1969642DAF0E3D9D45D3F60663987802D1915258F6E62A814D9FA89CE740215F00B86E0F0BB9AE4B577
Malicious:	false
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$..........[.z...z...z..u$...z..H....z.......z.......z..`."..z..`.!..z..L....z..H....z....F..z.......z..J....z..N....z..N....z...z...z..L....z....P..z....@..z...z..5{..N....z..N....z..N.,..z...zD..z..N....z..Rich.z..................PE..L......^...........!.........D.......a....... ............................................@.........................`...............@...............R...6...P...d...f..p....................g......pf..@............ ..0............................text............................... ..`.rdata....... ......................@..@.data... i.......(..................@....rsrc........@......................@..@.reloc...d...P...f..................@..B........................................................................................................................................................................................................

C:\Program Files (x86)\WindowsInstallerFQ\DAN_127.msi

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 936, Revision Number: {7CE79A54-E11F-4229-A93E-21F771890BDE}, Number of Words: 2, Subject: Windows, Author: OfTSPRPNPSST, Name of Creating Application: Windows, Template: ;2052, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	3602944
Entropy (8bit):	6.538115356090411
Encrypted:	false
SSDEEP:	49152:sRnlGFAvHZXm1+O0q2+cZfsZU80OO62wOR4UkrfH1OrEMBZX26PH2ca9G/uaJEif:MkFA/qStOwkR2uayisdSHiT
MD5:	1710CA6F5DF19A22D1567959DE401886
SHA1:	1C0788860A40E4AE60B0AFB8589C5B2083B2CCA2
SHA-256:	826AB605E90D51A715C05D91DD249958D56BE5B053B8B9BAB1F61480C506C3F1
SHA-512:	AE33B8131DB853B48C34877B977D47F701CF99DACA8FAADBDA703E97857AA1AC557D199CE3A1DC10E3115AFFD5603EB1E5468CD7D31A1B59745726ADE6870875
Malicious:	false
Preview:	......................>...................7...................................U...V...W...X...Y...Z...[...\...]...^...x...............................................6...............................................................................................................,...-...............................................................................................................................................................................................................................................p...............................A.../...:....................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-.......8...0...1...2...3...4...5...6...7.......9...;...N...<...=...>...?...@...D...B...C...J...E...F...G...H...I...L...K...M.......q...O...P...Q...R...S...T...............................................`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Program Files (x86)\WindowsInstallerFQ\DAN_1271.cab

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	Microsoft Cabinet archive data, many, 51185352 bytes, 122 files, at 0x44 +A "QKFJSGCGWGRQ" +A "uni_links_desktop_plugin.dll", flags 0x4, ID 1234, number 1, extra bytes 20 in head, 2678 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	51193192
Entropy (8bit):	7.999059623060062
Encrypted:	true
SSDEEP:	1572864:y/hb6GmIcUGtvclhGSjkcrABpYhpeWeiTj:Qheec1tvclsSjsBuhpeJuj
MD5:	E2EE5973CEEAEEC5837DE3C99D4933BD
SHA1:	58725C93C676FFFC44A59F74C8C7F9942A52B2FF
SHA-256:	8404BA9F3312B0D92BD64CFB92A7B3CCD2B2D4358A5F4BE6AC008ECB4416253C
SHA-512:	BA41BEB1AB9D7A8FC947584AD4F4EF371706E96C7C8FB856820F1CC1811F2BC7AA33BC891214684E885ECA0825A817692C5BCA6176D98DE3F93CC2456970AE01
Malicious:	false
Preview:	MSCF............D...........z...................................v.............sY.a .QKFJSGCGWGRQ...........[XRu .uni_links_desktop_plugin.dll..0..a.....[XRu .url_launcher_windows_plugin.dll...........[XRu .WindowInjection.dll..V........[XRu .window_manager_plugin.dll.....q.....[XRu .window_size_plugin.dll.....!. ...sY.a .TP453990d4df32.TPL...... ...UY.> .ovftool_open_source_licenses.log....... ...sY.a .TroPoxE_Plus.......!...fYMI .TroPoxB_Plus..6...k,...dY.. .TroPoxZ_Plus.....A....TE. .lockkrnl.dll.H....8K....L-. .MiniUI.dll.H....FY....D.. .mobileflux.dll.....D.[....U.. .NetDefender.dll.H'....a....D.. .NetDiagDll.dll..>..$.g....WKq .Netgm.dll.`$...Zl...eL. .NetmLogin.dll.Hs..l~t....D.. .NetmonEP.dll.H.....v....N.. .netmstart.dll.......y...3W.. .NetmTray.dll..l...T}...3W.. .NetmTray64.dll..........iV.~ .NetSpeed.dll.pb...`....3F.Z .NotifyDown.dll....$....KW9^ .np360SoftMgr.dll.H+...\|.....D.. .npaxlogin.dll.....T.....\TO^ .ntvbld.dll....4.....\TP^ .Ntvbld64.dll......=.....T.. .PD

C:\Program Files (x86)\WindowsInstallerFQ\holder0.aiph

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	data
Category:	dropped
Size (bytes):	51193192
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	C2AA948E11A480EC3B029E49C0F3A813
SHA1:	4C6D97B643290DF8CD6544E3A9845C796A1FA1C5
SHA-256:	6FD2C3388A9F7986E9D79C7C4747A0AD1800E3BC367060D49EA0C32C243DDD94
SHA-512:	C5118635086A6B595969E6A6900B7D032489B9F8FDEEBDA1D2197B29018AFA3B02B41EBDC21694A6BF07849A3DD831F339F1E05384F37B532252070288CAE049
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user~1\AppData\Local\Temp\1732545569\....\Microsoft.TransCompositio.msi (copy)

Download File

Process:	C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	174304
Entropy (8bit):	6.858552596804119
Encrypted:	false
SSDEEP:	3072:Q0HJ5wo1/MJjozYJimE2BamDKigu/fgl1glfdjgBftJeCE5vLEnM7QrRz:/J5wUmhkmDKVuE1gQJeCERLG1F
MD5:	0D318144BD23BA1A72CC06FE19CB3F0C
SHA1:	91A270D8E872EA2A185309CA9CE5D9F08047809E
SHA-256:	60503684F39425C5505805A282EB010ECB8148BBF7EFE9BBA9CF33C507AF7F3A
SHA-512:	A3F3C7D84644B13868AC324947C2D678620E341E368B781D45F244A53F448D6B24BE7B50AC9908728DFBBB74214FCB46902137910E907F14F601518C0EFD215B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.A...A...A...,...H...,...;...,...Y...z...S...z...S...z...d...,...D...A...........C.......@...A...@.......@...RichA...........PE..L...V.]d.............................#............@.................................Z.....@.................................48..<....p..0............`...H...........*..T............................+..@...............$............................text............................... ..`.rdata...^.......`..................@..@.data........@.......2..............@....gfids.......`.......<..............@..@.rsrc...0....p.......>..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................................................

C:\Users\user~1\AppData\Local\Temp\6002031\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	6.561876036819077
Encrypted:	false
SSDEEP:	768:iRsOLyueUFANmFloKvQX29dQ0pkZloKvQX29dQ0pkfo3MbvM1kvdCr+y:iRsJgO4lCXy60AlCXy60vcbvM1idCv
MD5:	0252D997E8633929A793DA5CD9F1A078
SHA1:	1C266679F251E9A82E64C0E0E3B0EE41842417DB
SHA-256:	246EB43F8272FBE34A5F45C5F91D109DD38C3A2B6967DF47D9A88322449F767D
SHA-512:	9FA44873C27638465485A427EBE486D0E047BB143F32E89CCF9FC0D360030D10ADAAA10C75742ABC3035C5A1428C258E49E8FE83C162743CDEE01D2E5B9A63ED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Jo.TJo.TJo.T%.UTHo.T%.WTOo.T%.cTAo.T%.bTHo.TC.ZTOo.TJo.T.o.T%.fTNo.T%.RTKo.T%.TTKo.TRichJo.T........................PE..L......g...........!.....>...................P............................................@.............................].......P.......................................................................@............P..D............................text....=.......>.................. ..`.rdata..M....P.......B..............@..@.data...$...........................@....reloc..(...........................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user~1\AppData\Local\Temp\6002093\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	7.484270190239562
Encrypted:	false
SSDEEP:	768:tUqX/E3rJA4ZX6xUrLGwk9xAlvcuHnYoq7MNC3Il:tUc/+vKGnax8ESY17WkI
MD5:	63F6D9FECB240388D69CB668CFE50C00
SHA1:	2B67BB8AA45A9D0383E76F15E631C1131B28BB1E
SHA-256:	678D6ED15F6150BFD5BA8E823CF877C32BB492E8557E107FAC77143DAD3724F1
SHA-512:	176B096493206D2DADB17D778E959855DEEF0EC8D5343C09790CA6C067A338ECE44138FA9081888CAA2228A041D2A8C71B085AD8FEFAFE479505F667F6D2B7E6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#;\.gZ2.gZ2.gZ2..F<.rZ2.Q\|8..Z2..Uo.bZ2.gZ3.7Z2.Q\|9.sZ2.gZ2.fZ2..E9.eZ2..E6.fZ2.RichgZ2.................PE..L.....lf...........!.............p..................................................................................0...l...........................................................................................................................UPX0.....p..............................UPX1.............v..................@....rsrc................z..............@......................................................................................................................................................................................................................................................................................................................................................................................................4.21.UPX!....

C:\Users\user~1\AppData\Local\Temp\6002125\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	177
Entropy (8bit):	4.880763515526955
Encrypted:	false
SSDEEP:	3:FCB9RhFUOivy0JQlr0TGKS2e/1k8Ve53y2+FXUsKov13wetdQQqi5xQn:FwrFTZ0eJ4GVfeoFXUszv9wgCQPxQn
MD5:	EAB9552FB070D7C48B31FE6A7A9CB0B3
SHA1:	A8F7E04F0C10082A3A66A6D8AD3BF7815D51744B
SHA-256:	EDC57321D853B03CDFFC2F4021834B57BCCB4080D477F5499B01255B5CE8BCA3
SHA-512:	800D26529897047A7B584F3219CA56AF9ADE591949CE8F2504D25BDE4595515413454A597F9C3A5496D57C3EAB3D514B871021A3B709908002AFBADB68A1FC60
Malicious:	false
Preview:	[XLY]..P2=24c6269477f0.JFU..P5=e6ab90d5741a3329XSJ..P4=7c24ad187eeb.NUX..P7=5ccac7f27f4c789fFPK..P3=408dd7481cc3.KWR..P6=d90abf5032721ffaBCX..P0=DAN127..P1=e8a0d5af432b7e64DBD..

C:\Users\user~1\AppData\Local\Temp\6002156\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1390312
Entropy (8bit):	6.599443687044708
Encrypted:	false
SSDEEP:	24576:w4wwwwscgymwef8Z8Zzj6z1el68mUi1m/ONxdDDHNCU+3kvaBW7839l5Qafgb6L1:pwwwwscgymwefyEQ/U6/NnDDHNCTeaBf
MD5:	292575B19C7E7DB6F1DBC8E4D6FDFEDB
SHA1:	7DBCD6D0483ADB804ADE8B2D23748A3E69197A5B
SHA-256:	9036B502B65379D0FE2C3204D6954E2BB322427EDEEFAB85ECF8E98019CBC590
SHA-512:	D4AF90688D412BD497B8885E154EE428AF66119D62FAF73D90ADFFC3EEF086CF3A25B0380EC6FDC8A3D2F7C7048050EF57FCEA33229A615C5DCDA8B7022FA237
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0...0...0...9a.=...9c.I...9b.(...b......b.. ...b..&...9...1...9...7...0........4................1....o.1.....1...Rich0...........PE..L....x.c...........!.........~......x7...............................................~....@.........................P...\|......P....p.................P,..........0...............................P...@............................................text............................... ..`.rdata..............................@..@.data...0........4..................@....rsrc.......p......................@..@.reloc...............B..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user~1\AppData\Local\Temp\6003062\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	data
Category:	dropped
Size (bytes):	2713088
Entropy (8bit):	7.9358560764847
Encrypted:	false
SSDEEP:	49152:gCE0mvBnEwvJm7T8UyHNzeBBHKZlYU13/1wUqq7vf2h0Vw:gCZmvBEqUyHcclt/mUCOa
MD5:	C625FE50C8CBC877CBFAF1D5212F02C0
SHA1:	90763CBEB446C7638F80851E55AF9976285DC56C
SHA-256:	F8890DFA4609D9CB2CA685339468C5256356066CF91AB13C9A771A3B8A566D12
SHA-512:	898703B75D27A9EE5055965BE16D7DEFA482A4199D6C008E539A0102230743AD4540945B76E78804F4CFA99D3DE79B9584D91F6C74C3FF2E6B8F4CC09E7F472C
Malicious:	false
Preview:	...SLSSSOSSSPPSS.SSSSSSS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS[SSSA..AS.J...R..................................FFE.SSSSSSSB.....t5..t5..t5..x5..t59..5..t5y.~5..t5...5..t59..5..t5..u5..t5...5..t5..t5..t5...5..t5..p5..t5......t5SSSSSSSSSSSSSSSS..SS.RLSd..SSSSSSSSsSA.DRISS.SSCSSS3.S.E.SS#.SSC.SSSSCSCSSSMSSOSSSSSSSOSSSSSSSS..SSOSSSSSSMSSSSSCSSCSSSSCSSCSSSSSSCSSSC..S.SSSSC.SCMSSSSSSSSSSSSSSSSSSSSSSSSSS...SGSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS....SSSSS3.SSCSSSSSSSOSSSSSSSSSSSSSS.SSs....SSSSS.SS#.SS.SSOSSSSSSSSSSSSSS.SSs....SSSSSCSSSC.SSOSSS.SSSSSSSSSSSSS.SS.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS....S....FJKH

C:\Users\user~1\AppData\Local\Temp\6003093\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	333824
Entropy (8bit):	6.389952178495305
Encrypted:	false
SSDEEP:	6144:WyEhWbJNOcWd55OHSCw1ohITXVvrJGqdK2Dug6dGXLSuMAFi2TBfR:Wlu1IjOIohILJrc4Ezui2TdR
MD5:	EC9483F4B8C3910B09CAAB0F6CB7CD1B
SHA1:	9931AAA8E626DF273EE42F98E2FC91C2078FDC07
SHA-256:	4D9CAE6E2E52270150542084AF949D7B68300E378868165FF601378A38F7048F
SHA-512:	84B60FE3CD0EDE19933B37AE0EAEBA1F87174A21BC8086857E57C8729CEC88F9FEF4B50A2B870F55C858DD43B070FD22FFEC5CB6F4FD5B950D6451B05EB65565
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..S...........#................ .............$k................................. ........ .........................c.... .......`.......................p..\|$...........................P......................."..h............................text...T...........................`.P`.data...t...........................@.`..rdata..L.... ......................@.`@.eh_fram............................@.0@.bss..................................`..edata..c...........................@.0@.idata....... ......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..rsrc........`......................@.0..reloc..\|$...p...&..................@.0B........................................................................................................................................................................................

C:\Users\user~1\AppData\Local\Temp\6003125\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1063616
Entropy (8bit):	6.674869382282474
Encrypted:	false
SSDEEP:	24576:2ODivXdRxWmQOhfbV5l7kZLWfGPeu/PUw6WmARlXDMmH6PBzT/Cn+m4q:2OuvbfGZGGKJT/Cn+Fq
MD5:	4FF45827EC92E40935F9939142CD40DC
SHA1:	CAD74928F3387E6BF28C3625803706061E956B34
SHA-256:	012ED8D16E9F7586FE44C0AFFE5BEA6FF68F27231A6526D439643869A103E434
SHA-512:	A3DFE7976E5FFB4BA0C68E218C0924568D343E7937ABB50785107DE5E0ADC11AD58A86E02FABB455845FBE8E545E48B57A67EB647C664390ED521D255FF3BEFE
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...~/._.....................j...................@................................. ...................................{........3.......................@...........................................................................................text...0z.......\|.................. ..`.itext.............................. ..`.data...D...........................@....bss.....e...@.......0...................idata...3.......4...0..............@....edata..{............d..............@..@.reloc...............f..............@..B.rsrc................V..............@..@....................................@..@........................................................................................................................................

C:\Users\user~1\AppData\Local\Temp\6003156\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	388808
Entropy (8bit):	6.5956896905460125
Encrypted:	false
SSDEEP:	6144:B9su6Bohl2JJmgk1G8M0uQoRkQsKwxBF6CaSIU9ILZxxB5ARUWvAX+E:BSohl2JJmgk1U3QMkQsTx3paSIUixGRI
MD5:	B8253F0DD523BC1E2480F11A9702411D
SHA1:	61A4C65EB5D4176B00A1FF73621521C1E60D28EA
SHA-256:	01CEE5C4A2E80CB3FDAD50E2009F51CA18C787BF486CE31321899CCCEDC72E0C
SHA-512:	4C578003E31F08E403F4290970BC900D9F42CAA57C5B4C0ACA035D92EDC9921BF4034FC216C9860DA69054B05F98DADE5F6E218AC4BEE991BC37A3EF572FE9A0
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...8..^..........................................@..........................P..........................................c....p...........N...............<.......g..................................................Ts..P............................text...T........................... ..`.itext.............................. ..`.data....).......*..................@....bss....<X...............................idata.......p......................@....edata..c...........................@..@.reloc...g.......h..................@..B.rsrc....N.......N...d..............@..@.............P......................@..@........................................................................................................................................

C:\Users\user~1\AppData\Local\Temp\6003187\....\TemporaryFile (copy)

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1165576
Entropy (8bit):	6.491752155251347
Encrypted:	false
SSDEEP:	24576:ptf4OLWmQQ3b6ZVtecP3Ufy/ilDqzybXIZ0xKHpWq0dGcz7msH0WQWmAdA7yJBzA:tLDlDgRGxKHpSJ28TU
MD5:	D75E14313FC8A0850F3190CE67509475
SHA1:	74474830BC0706E5C0A8B455A4E1B47D9F1DE741
SHA-256:	E5C711BDB99AB55EBD96B3636C7396566C98ACFFD03DF735A15F1E18936A718A
SHA-512:	A4260F1A9A77BC41FC54532BDBF51F831004767E08150BFF95374663930BBE4FCA81790AA4578C062674557A02A698EA798CFC00F2355F6B8FA71BF2915CBAAA
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......`..........................................@..........................0.......4...............................`..e....@..v........^...............A...p...Y...................................................C...............................text...x........................... ..`.itext.............................. ..`.data....".......$..................@....bss.....Y...............................idata..v....@......................@....edata..e....`......................@..@.reloc...Y...p...Z..................@..B.rsrc....^.......^...*..............@..@.............0......................@..@........................................................................................................................................

C:\Users\user~1\AppData\Local\Temp\9206\....\Microsoft.TransCompositia.msi (copy)

Download File

Process:	C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	157184
Entropy (8bit):	6.4699325010744015
Encrypted:	false
SSDEEP:	3072:tJpAAXru5+rs45R7H0fABoTRo3hJjfP8mr:tJpAAXru4Fj6soT2LM0
MD5:	C50F56319C92BC129039E3860294AB5D
SHA1:	470ED2516A0FF86F25C7CEBE3084E238CA8879A7
SHA-256:	56E8A343602DDDC6D7B6A787827801A3D2BA69ABAF1C61874EF9286C2D288C6B
SHA-512:	20451481425424167EDF4D8C1562EBD7619D5FA0D4BB46C1C30840C9E63C617F94B281C294E3FBEDD290A76C543E4A1C3518B8E66D919743B9CC1F966D8E0CE0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`. ...s...s...s.w.s...s.w3sr..s.y.s...s...s...s.w2s...s.w.s...s.w.s...sRich...s........................PE..L.....#g...........!......................................................................@..........................=.......6..<...................................................................0...@...............0............................text...C........................... ..`.rdata...^.......`..................@..@.data....:...@.......,..............@....reloc..$........ ...F..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user~1\AppData\Local\Temp\9210\....\Microsoft.TransCompositib.msi (copy)

Download File

Process:	C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	667648
Entropy (8bit):	6.655676024268379
Encrypted:	false
SSDEEP:	12288:G36HjCm6ltuRXQ/g+hVfW2LDzeLA5rJWutAWQSHOALXB:VCm6ltuRXKg+hVfWkDEA5tDuyX
MD5:	BA4ED2E6B25A8C9EDA3DA4CE85A5054D
SHA1:	C3B2EF12347E0C5206B4C3959FA96CD7F064F10C
SHA-256:	31370AB9ECAFEA8528D0C844C34B7721042C93A8E45278C4452B62ABAADE9182
SHA-512:	87C10EA2B82D79BD96CA453D808D937841A45CEE331E5914E5B9A7D6665BB41864D90E08E47F4000C1EEBC64F1E4035B010F545B2068B3604A7B8C87F1D30DBB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........xt..............a.......a..W....a.......l.......l.......l.......a..............l......l......l......l......Rich............PE..L....+.f...........!.....f................................................................@.....................................(.... .......................0...K...[..............................8[..@............................................text...cd.......f.................. ..`.rdata...Z.......\...j..............@..@.data....2..........................@....rsrc........ ......................@..@.reloc...K...0...L..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.1356875516282012
Encrypted:	false
SSDEEP:	6:kKpVL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:/iDnLNkPlE99SNxAhUe/3
MD5:	B066BB9FECFB717E03AFB2C96AB2C3C1
SHA1:	706FCFE6898FC6DDF6C71B589032822C1DE22DBB
SHA-256:	5D3D71D2DA284E2CAEB79828D4A7DED5C95A8C2E1074053CECB4F73C2E96B3D3
SHA-512:	08397E6F80AA55DBA43B07D77CFD1DFEBE3565B9B8903402C176BAD2A97C7FEB0383D77F0A6EFC9055EA779EA7C3A160BA6B35FDD36FA712A0F13CD988438B78
Malicious:	false
Preview:	p...... ..........m.G?..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\AdvinstAnalytics\6627be3e20a59ade4c1add8b\1.1.6\tracking.ini

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	27
Entropy (8bit):	4.088220835496803
Encrypted:	false
SSDEEP:	3:1EyEeBn:1BEYn
MD5:	4AE8A010782B10391BA0AF6F4DC3B667
SHA1:	48999DD7C62D642974049463C4418457572177D5
SHA-256:	C0B2445FCAA83FA4F12DCCEB286EAEB5D278E06DC27E549F49E1547B36A046D5
SHA-512:	96C1551461FDAFFDF8B9F37198FB2BC1CD18B0B27494E94705DD6A2AA1F4EA17C5014E0F2C54E6B436D796BED334FD6AD637D374804ED1815488D4801FC183E6
Malicious:	false
Preview:	[General]..Active = false..

C:\Users\user\AppData\Local\AdvinstAnalytics\6627be3e20a59ade4c1add8b\1.1.6\{599386A5-9981-4D4F-9CB0-16E4827A4CDC}.session

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	13630
Entropy (8bit):	5.401052588714373
Encrypted:	false
SSDEEP:	384:JCWZSlq40oFpvuvk7T4wFdNXeIHOhlgOvXgRF54HwYF3HCSTRf:JCWZSlq40oFpvuvk7T4wFdNXeIH26Ovr
MD5:	00C31EB6F699F08B12C68BC7EBC4641E
SHA1:	8F6D9A8EB2B242E626227D90EEF5A9A2F4D0CD05
SHA-256:	75731C59D5A44678CC73A6EA99BBB73533204782868573B4D43E4BD31320258A
SHA-512:	7EB0DD0F6E4E2395F34D759F4AB9DACF15AC99975D669D1DBC595EBC98DD7667C8DD7D6A2D3B0ECBE32A139D88AD0C25D95B5BD35F0219894773AC787C9F03DE
Malicious:	false
Preview:	[Hit {B132CA65-E07B-4C8D-80D3-D7717C9EF7D5}]..Queue Time = 15..Hit Type = lifecycle..Life control = start..Protocol Version = 3..Application ID = 6627be3e20a59ade4c1add8b..Application Version = 1.1.6..Client ID = 376C986389975E1DCB5008148F1ADC6F1E9C7155..Session ID = {599386A5-9981-4D4F-9CB0-16E4827A4CDC}....[Hit {B6DBA2EF-FB00-4572-9249-D1FF83FA71CE}]..Queue Time = 0..Hit Type = property..Label = VersionNT..Value = 1000..Protocol Version = 3..Application ID = 6627be3e20a59ade4c1add8b..Application Version = 1.1.6..Client ID = 376C986389975E1DCB5008148F1ADC6F1E9C7155..Session ID = {599386A5-9981-4D4F-9CB0-16E4827A4CDC}....[Hit {10696227-DD14-4639-9DAC-0A8C4F62BE8D}]..Queue Time = 0..Hit Type = property..Label = VersionNT64..Value = 1000..Protocol Version = 3..Application ID = 6627be3e20a59ade4c1add8b..Application Version = 1.1.6..Client ID = 376C986389975E1DCB5008148F1ADC6F1E9C7155..Session ID = {599386A5-9981-4D4F-9CB0-16E4827A4CDC}....[Hit {58EA6508-877E-48BE-ABCD-99BA383A71C0}]..Queu

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\New

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Category:	dropped
Size (bytes):	318
Entropy (8bit):	2.034441580055181
Encrypted:	false
SSDEEP:	3:PFErXllvlNl/AXll/lFl/Ft/HtAiotuZt/nZllBe+llBe+llBe+llBe+llBe+lll:k9ij1BjjjjjTtXGuwtOZBl
MD5:	C23CBF002D82192481B61ED7EC0890F4
SHA1:	DD373901C73760CA36907FF04691F5504FF00ABE
SHA-256:	4F92E804A11453382EBFF7FB0958879BAE88FE3366306911DEC9D811CD306EED
SHA-512:	5CC5AD0AE9F8808DEA013881E1661824BE94FB89736C3CB31221E85BE1F3A408D6E5951ACCD40EE34B3BAF76D8E9DD8820D61A26345C00CDDC0A884375EE1185
Malicious:	false
Preview:	..............(.......(....... ...........................................................................................................................................................................................................................................................................}..................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\Up

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Category:	dropped
Size (bytes):	318
Entropy (8bit):	2.0369361465218003
Encrypted:	false
SSDEEP:	3:PFErXllvlNl/AXll/lFl/Ft/HtAiotuZt/nreBB+eKemhlRhmeemfB+ll5evZ/Xy:k9ij1KBBhK9jwmfBuiKaq5n
MD5:	83730AC00391FB0F02F56FE2E4207A10
SHA1:	139FED8F0216132450E66BDA0FBBDC2A5BD333AF
SHA-256:	573E3260EED63604F24F6F10CE5294E25E22FDA9E5BFD9010134DE6E684BAB98
SHA-512:	E3DBE1956BB743FD68319517D1D993DDA316C12BBBBBBD6F582ECDD60C4FDE24CC4814C7AB36ED571F720349931EAC10B03E9C911BA0F4309B10604B2C56C6A9
Malicious:	false
Preview:	..............(.......(....... ...............................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\WHelp.dll

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39424
Entropy (8bit):	5.761692667947892
Encrypted:	false
SSDEEP:	384:aCjdYQ16MK6APCxrHjdbCN2wF1hwtl5HYsakk71KfEDHIanumItki7wM/foozOJs:aCCQq6nmNrh6pokkgfEDznOxXfooWs
MD5:	C2B7A27ED1C7D3C27BFE77AFA27DF236
SHA1:	BE2751E2E04D3C1DAA17952BFBD5304E9A5A7741
SHA-256:	91CA317876B50D35BF2B8957C5745A13B57620FDE5CE49BD5F7F3166C16DB0EE
SHA-512:	649B447058045B0311F458552DFA51CE0086275AA32FF8EF3C6E6E2C25D59B3CDDB67CCE5B51A4B5DF5B76A348C79CE78EC9B5FCAA44F6FE64D6F3AF9597C91F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b.d.&u..&u..&u..I...3u..I...(u..I...eu../...!u..&u..hu..I...$u..I...'u..I...'u..Rich&u..........................PE..L.....g...........!.....N...V......5........`............................................@.............................P...L...P...................................................................0...@............`...............................text....L.......N.................. ..`.rdata......`...,...R..............@..@.data...@............~..............@....reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\blue.jpg

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 355x304, components 3
Category:	dropped
Size (bytes):	7379
Entropy (8bit):	7.675014430898698
Encrypted:	false
SSDEEP:	96:Zs7nc2Efd4WLNlTSGJG8J+F1sGaPEl1M5np44DE4wA2A+fHDeGWhzrd7yf8TJWpC:ZsA2DqTRUUQMT4LxjPWhzrNyiFI5Ip
MD5:	6F1B5342D1B781596A4FEC79112DCB0C
SHA1:	08BDEDC9F65FC3A5F6D13D3EF0502769ABE4BD05
SHA-256:	3986699B9B4BE2F8C1747A37E74943F78870623701F08C90CAA007B4DE17924C
SHA-512:	FAE8A651E1DAF872A24FAE87D477F286CAD599DC232A716DBBAD7F091236DA80C71C30B990B6E2F4FF7E06D4414876DB756B452272A9A3E4B3EC1BC32B9E30D5
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......U......Adobe.d.................................................................................................................................................0.c.......................................................................................!1AQ..aq..r....."2BR.S...b.....#3C.%...c$4TE..&..d.Ue...5F.......................!1Q.."A.R....B.a..............?...}.)I..k....[.W.........z.(..`...[.`..P.kC\|.U...V*.R..X.)5J...).\|.c)..[O.....S.k...wo$.9r......>e.l..8nH.o..}is...{.....8jH....Os..r7$r....F.s..rk]3....;.e...d..8..%...o.W.Y>rk]3......b...?..9..g...\|.........5..x9/w.~....u.....\|#.}..,.o4...&.........Q]....+).....tq..\...w....~0...r......T.......j..\|#..._1...y.}.........>d..<;.y.}..&.?W.......2.....%..E..&.....;...!.....yoW/po..W.hmt......#...v..........o7..R'Uv....O..~a..{..y.......m_....\|...t....}.........>..D......x.\|..6..~..a..>m..~w..oW..Hm'..L.8......vV...nG..w..s.[....3.....<BN..}.If...&..&......\|..s..c}..

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\cmdlinkarrow

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 3 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	2862
Entropy (8bit):	3.160430651939096
Encrypted:	false
SSDEEP:	48:QFFZ+f+zd+kHeNTM9/+Xz++++++++YWWS0i6I:QFFEw4Xc+D++++++++ypi9
MD5:	983358CE03817F1CA404BEFBE1E4D96A
SHA1:	75CE6CE80606BBB052DD35351ED95435892BAF8D
SHA-256:	7F0121322785C107BFDFE343E49F06C604C719BAFF849D07B6E099675D173961
SHA-512:	BDEE6E81A9C15AC23684C9F654D11CC0DB683774367401AA2C240D57751534B1E5A179FE4042286402B6030467DB82EEDBF0586C427FAA9B29BD5EF74B807F3E
Malicious:	false
Preview:	..............(...6...........h...^......... .h.......(....... .........................................................................................................................................................wv....."""""o.."""""o..www""......"/.....""......"/......r.........................?...........................................?......(....... ..................................................."..... .". .6.-.9.;.<.;.D.3.,...4...9...O.,.Q.$.M.2.S.:.\.1.U.$._.1.F.G.I.A.`.@.w.q...\|...q...{.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\complete.ico

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.432735724336821
Encrypted:	false
SSDEEP:	192:lN3tnZnyRZF64hc28fwy+aXE25b6K0FHQHVd42oJ2zwZlaw484:lN37Yai8IaD5T0FHQHg29wZla04
MD5:	3EAFE3AE99BF33E9F59D970F21EBEF39
SHA1:	E9895CB920FDEB8907CE37D9666D4999A1DE5D2F
SHA-256:	5F6C78970EE7E3D668EB8A4ACB5D251C76599424A0B0372E7665527516D4C312
SHA-512:	8983717D464AC046A8A272276E90D3D1FD7900D2D89998FC332E420ECA4F01FCFBABB390667B4324C549D0655E62E181E3E7BEED514C5B9B67D0F8D480A9388D
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`..........................................................................................................................................wwww........................p..p........w...........p.w...p....x.....p.....pp........wx.............p....................q..............................................................................................wwww...............................................................................................................................o.....p.................o.....p..............................................................................wwww........................p.......................p......................pp.....p.................p......w.............q........ww`h....................wwp.........p..........wwwwp..................wwwwwwp.....p...wwww....wwwwwwww.gp..............wwwwwwwww...............wwwwwwxwwp..............wwwwwwx.ww..............wwwwwwx.wwp...........

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\custom.ico

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.4001074083138745
Encrypted:	false
SSDEEP:	192:lN3tnFnyRZF64BiTfwy+aXE25b6K0FHQHVd4RhE2zwZlaw484:lN3XYa5TIaD5T0FHQHgRfwZla04
MD5:	1B5701D7F753135C22CC1AE694FFAF4B
SHA1:	966BDEF4159022FCC8740B6EB75B8D7AC4212504
SHA-256:	AEBA695175ED96D3EDE9FE30E486DF59C64A5FD802C15CB67F55E03A0537CD13
SHA-512:	4069B6AC1E51703687E0C17EA83527A258FF0C4BB4DC8051C96E5F98A7902C3301B89A5D2B55872711F85F528B0FB9BAEAF94E93B49B0A48BB8912E06A204EAC
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`..........................................................................................................................................wwww........................p..p........w...........p.w...p....x.....p.....pp........wx.............p....................q..............................................................................................wwww...............................................................................................................................o.....p.................o.....p..............................................................................wwww........................p.......................p.......................p.....p.................p......w................p.....ww`h..............p.....wwp.........p.....p....wwwwp..............p...wwwwwwp.....p...wwww....wwwwwwww.gp..............wwwwwwwww...............wwwwwwxwwp..............wwwwwwx.ww..............wwwwwwx.wwp...........

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\exclamation.ico

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 2 icons, 48x48, 8 bits/pixel, 48x48, 32 bits/pixel
Category:	dropped
Size (bytes):	13430
Entropy (8bit):	4.339511276304085
Encrypted:	false
SSDEEP:	96:KYvlkFEXFYU2+yCvIFA13cJ/rrrrrpbEn5UnanjPRZfZy1wvI8:bVXuzd6IF0czwNPDZfI8
MD5:	93D722FA20A988A5C257A58BF155DC66
SHA1:	30C0D19F02CB39F8804DAFE6AF483A09C76E2338
SHA-256:	F587867EED0BEC33EF150F3A8525BDE9B6746C705543874E56653AA80EA53225
SHA-512:	BFB91739AE7432DD7D0A919F15B5B721E733675C3C2A4D5238C9955A6517DD4653042FA444F2D2627508908F6DA7DE0FBF22F37CF1A60476F59CBF254F62F736
Malicious:	false
Preview:	......00..........&...00.... ..%......(...0...`....................................-...<...I...L...P...S...S...T...G...@...K...V...W...Z...\...]..._...C..^...`...`...f...a...f..&e.."f..n..)v..3w..5v..2x..7\|..8}..<}..B}..._...e...k...a...m...p...t...r...z......5...M{..............,...0...+... ...,...<...?...<...:.......................................;.......-...!...-...................................................#...#...*...6...5...;...'.../...#...(...,...(...,...:...;...6...1...:...A...@...K...J...L...B...A...S...D...K...V...\...R...M...M...K...M...e...`...`...k...d...m...s...z...Y...e...}.......z...J...G...J...B...E...V..._...]...U...[...Y...Q...L...G...F...B...M...J...P...[...R...\...P...Z...b...i...e...b...l...f...u...~...b...k...g...m...c...s...z...5...<...C...J...N...T...Z...U...X...]...g...c...m...c...h...z...s...z...t...}...i...r...u...t...~.....................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\externalui.ico

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.036354960673055
Encrypted:	false
SSDEEP:	192:q4lYOUfhBJ1gqASunI8FoQaaJ+nkt0p1b+v:q4leXXArnI8FoVa4nP0
MD5:	235E54EB7ACEA02DC322F4065498165D
SHA1:	AD825997EC58A33A164B471FE3BD4B7C74614D9A
SHA-256:	B294EDF73CC936610CC81BCA6B95D1C7D6091595EC074C6B334ECA45D2DC354F
SHA-512:	5AC20371FD09E6A1F8C134FB24C045C36D835544D04E681FB6A51ADFF12A6BF8225C53D865B601EA5452024ABE7C02204A759B317D7410CF59F66ADFBE089D5C
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`........................................................................................................................................www................p..........................h.....p.........................................................................................................................p.......................p............................wwwwp..................wwwwwp..................wwwwwp..................wwwwwp..............p....wwww.................................................................wwwwwwwp....p........p.............wp.....................wwwp......p....wwwwwwp..wwwww.w.w...............wwwwww..................wwwwwwwp.....x..........wwwwwxww.....x..........wwwwwx.wp....x..........wwwwww.ww....x..........wwwwww.ww....x..........wwwwwwxwww...x..........wwwwwwwwwp...x..........wwwwwwwwwp...x............wwwwwwpp...x.........wp.......xp...x........x..........p...x...............wq..p...x.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\fhjyy.exe

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175328
Entropy (8bit):	6.879935553739908
Encrypted:	false
SSDEEP:	3072:jnrQnzMYywmn3h1sp7/WvCnIukR4BbxKigu/fgl1glfdjgBftJeCEEzx4N7mcr5:XQnzXtr7tbxKVuE1gQJeCEMx4p
MD5:	BE4ED0D3AA0B2573927A046620106B13
SHA1:	0B81544CD5E66A36D90A033F60A0ECE1CD3506A8
SHA-256:	79BF3258E03FD1ACB395DC184FBE5496DFA4B3D6A3F9F4598C5DF13422CC600D
SHA-512:	BD4E0447C47EEA3D457B4C0E8264C1A315EE796CF29E721E9E6B7AB396802E3CCC633488F8BEEB8D2CF42A300367F76DEDDA74174C0B687FB8A328D197132753
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............d..d..d...g..d...a...d...`..d..g..d..`..d..a..d...e..d..e..d...a..d.....d.....d...f..d.Rich..d.........PE..L....]d............................S#............@.................................>.....@.................................d8..<....p...............d...H...........*..T...........................H+..@...............$............................text............................... ..`.rdata..._.......`..................@..@.data........@.......4..............@....gfids.. ....`.......>..............@..@.rsrc........p.......@..............@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\info

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors
Category:	dropped
Size (bytes):	1078
Entropy (8bit):	2.8642269548572474
Encrypted:	false
SSDEEP:	12:hEipI3VFpSyZ9I7imddddGDxxOxzma3ZmRgRtqVtipMLXwHqfM:hEigFpTz1xA6aJmRgwi6LgHcM
MD5:	554FF4C199562515D758C9ABFF5C2943
SHA1:	9E3BAB3A975E638EAD9E03731AE82FA1DBCD178C
SHA-256:	9AE4A96BF2A349667E844ACC1E2AC4F89361A6182268438F4D063DF3A6FC47BC
SHA-512:	E302EDF3DAB3A0E9EEB5AFA34E4910EE177099C017B42F86847CF972143C87E8C40BC47689A3C8845051EAB98258A392CCAF331F414C271A1B6B751F503CE221
Malicious:	false
Preview:	...... ..........&...........(.......(... ...@.........................................................................................................p..............wp...............p...............p...............p...............p..........ww...ww........wp....www..............wwp..............ww...............wp..............ww...............wp..............wp...............w...............wx..............w...............w...............w...............w...............w...............px..............p............................................................................................p......w.......w........wx....w...........wwwp.....................................?...............................................................................?................(....... .............................................................................................................................p.......w..x.....p.......p.......w.................................................w

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\info.ico

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 6 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
Category:	dropped
Size (bytes):	22486
Entropy (8bit):	5.511908704029649
Encrypted:	false
SSDEEP:	192:0DT6aNn0CgAevbxezcSptuGH0BJ1cBYehJjbQypQ6X8rdb:/aNn0DAoN4c8HH031/QQ6XWZ
MD5:	FD535E63F539EACB3F11D03B52B39A80
SHA1:	A7F8C942E5672F2972C82210A38CC8861435F643
SHA-256:	0086BC01150989F553A0A4AE0E14926C6E247CEDDA312E1F946AE35D575742AB
SHA-512:	716EAB95B5535D54359D12C9786F5A53F9560126D2C48EB1A94DB5BD383363B43EA686AC421080564B54450DA35AF9CE3E11CECD485AAF27C0CEAEE7836F4518
Malicious:	false
Preview:	......00..........f... ......................h.......00.... ..%...... .... ......B........ .h...nS..(...0...`....................................B...C...D...F!..H#..I#..J%..L&..N)..Q+..S-..U/..V5..W1..Y3..Y4..[5..\7..]7..]9.._:.._<..c?..`9..c=..d>..d=..`@..eC..fB..gD..hA..iF..kF..lG..kN..kI..lJ..oK..nL..jC..lE..oG..qO..pH..rN..rM..tO..uO..sK..uM..wO..pT..sP..vW..w]..tQ..wT..yV..xQ..zQ..{U..zT..\|T..{Y..}Z..~Z..~X...\..}U..}d..[..^..^.._..W..Y..Y..[..]..\..]..]..].._..f..l..`..q..w..u..t..x..}..{...b..`..b..b..e..g..`..d..e..k..i..n..i..m..q..u..x.....z........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\lzmaextractor.dll

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16328
Entropy (8bit):	6.530762223829305
Encrypted:	false
SSDEEP:	384:POw0cwpdr9ee/PTG3eK4i/8E9VFL2UtCsDkm:POAwLge/PaeKeEdKTm
MD5:	F1F56D26D0244DC52C1932C72BC27D7C
SHA1:	58D42600E3B54227DF0A2C600D8783C1B7B282B0
SHA-256:	43E55A6CBE1AB609A23BA1A462BC688FB1CD4CDD5E6EDFB79031FA8F502E6DDC
SHA-512:	B94D886136016A832663D7F423D6CA9ABB4C1342930CE46B6B8F319AF7C96350C4DB421C79254EEF4A8431831F5CABE758E7C8B3E5FD36A6CE93405AC8334012
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.t9z..jz..jz..j...ku..jz..jJ..j...k...j...k{..j...j{..jz.j{..j...k{..jRichz..j........................PE..L...x..b.........."!... ............@........ ...............................`............@.........................P".......$.......@..h................#...P..\....!..p............................................ ..X............................text...)........................... ..`.rdata..X.... ......................@..@.data........0......................@....rsrc...h....@......................@..@.reloc..\....P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\minbackground.jpg

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 760x100, components 3
Category:	dropped
Size (bytes):	15366
Entropy (8bit):	7.95557428882131
Encrypted:	false
SSDEEP:	384:ZsgYb2FNX3lLAvWkoFQVHunMJkaCxzpsEo9fDC79Vh4Vcj:ZsgYbuN3Gb/HunMJbWtl8rQ9ffj
MD5:	845B155C2F68096094B443873E5A6142
SHA1:	A1167CADC4ED424BFC9AABF61B3E0EDBE6FFC818
SHA-256:	70FFF5DC4ECCA73EF601BD78A67EAF0141079EBA11FC9659EC4C4A4AA5C78C9E
SHA-512:	60B9165D37600A5EB1563CA8C69579C2DEE8ECFAD8BF60580DEB7307607BDDE33BEBAA07C3E35D94366FDC4D403747049AA758D4096519836E11BF7CE0326040
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......U......Adobe.d.................................................................................................................................................d............................................................................................!1..AQ.aq."2.......B..Rr#3..b...CS$..s.%..T.....................!.1.Q.Aaq......"2..#...B.............?......=.u..[..7M.+v.p.H...6....:Y.........f.O...RK...)tH9...2D.....ZGI......P.QU..M....;1.W....\|J......\O......g.=W..n'......Y.7U.&..._.w..n..UW..k....Q...U^.6.Sa.w....U^..wSTy..L....W....y..)..z..qaq&.c.).gMR.X.&.c.)..C.......u.!....X....j..A..v...MF.D.h..Q....T.4.n..GC.f7H..S..,{.Lt.-..P.i0e./a..^I.&......~.u%d0...J..9..#....(~I.%d........&s].YB....)..,ah.H..b.sY.-..41.\|.4.o#Hm...L..U...x.h.[....vj.....Q.....]upp..Cn...Y2VA1@j8e..d.......n.N....[@.S..US&...$.{1FI0.x....s%i.!...W..,....cJ.......hI.``..P...n$.c..7....e..Q.]..4..I.%...cI..@..D\..iE...4..C..EV...v..&~OQ.a

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\remove.ico

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	3.6742809399919576
Encrypted:	false
SSDEEP:	192:4cYE5eZRboMB6f5iR59urg5N+qdrzt2eYi:4cAshf5quryvdPwzi
MD5:	AA0A5F0280C98006741B6CB56C3A360E
SHA1:	AC820BBEC6D08545A4A4818DF9EB09B521BF2E40
SHA-256:	2AC61CEA48CCDB1751CB6B93BA90267508ED6AC900B2E2AC6EAD172C9B8958F2
SHA-512:	7646B3786039711FD60BD9C82A2CBAC51CAA75626CD1695F29EF4939637F60118F6B32B6B781EC57D6F478091C33DC886B2B6C3751B948CD0E916E617C52B254
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`...................................................................................................................................................w......................wwp....................w..w....................x..w...................w...wp..................w....p..................x....p..................x....w..................x....w..................x....w..................x.....p..........xp.....x.....p.......................w.......................w.........x........x....wp........xp.............p.......w.p.............w.......x...............w......w................wp.....w.................w....wx.................w....w..................wp..wx...................w..w....................wwwx....................wwx......................w............................................................................................x.....p.................x....wp................w......wp..............wx......ww..........

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\repair.ico

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.656471862600903
Encrypted:	false
SSDEEP:	192:+q2qe82nprAWkcWFW57oVht/k2VxomK0qHTk4TdrofvMxnVRYAn4vf:ej84ArgojFTVxoz0qHNTdr+vKVRYAIf
MD5:	4DBA3637F5FCEAADD2184BD8A0F0FB95
SHA1:	A858418C32F5D45F15AB01CAFC652B507DE2A42B
SHA-256:	C1AD1E78A112974326B44F75FE302723A4FC8AC1CCD96C9887403F6DDF8E607D
SHA-512:	DA105188273312DD1C79D90C2A1AE17ED584A70C14BCD662EAB3B7FC99D7A91B30957D965498E6FB397E01EA72ED3EA0AB8BDBB4313E68E8E45073B87E412E26
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`...............................................................................................................................................................wp...w............wx..ppw....ww..p.......w.....qx.......pp......w......q....x....p..................x....p................p.x....p..............p.x....p..............p.x....p..............p.x....p..............x.x....p................x....p...............w..x....p...............q..x....p.............p....w....p..................w....p..................w....p..........p.......w....p.......................p.................p..w..p....................w..p....................w..p................p...w..p................p...w..p...wp...........p.w.w..p...wv...........p.w.w..p..www............wx..p.p.wwwww.x....p........p.p.wwwwww.x..x.....w...p.p.wwwwwwwp.w........pww.p.wwwwwwwwwp..x..w..w...p.wwwwwww.ww...ww.x...p.p..wwwwww.wwp.....w..xp.p..wwwwww.www...........p

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\rtlothree_colors.jpg

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 760x17, components 3
Category:	dropped
Size (bytes):	3420
Entropy (8bit):	7.841479572759416
Encrypted:	false
SSDEEP:	96:Q6PKp1qGfXtGjelIs3Qj/y6+/yzyQguDYfE10JeOWMm+1Q:Q6PKpsetGsZQj/j+4jKE11OW+1Q
MD5:	A45540685353D14EB9B2344F556F672B
SHA1:	C540395FAFD4D23A5614B5A692080D3B07DEBCAB
SHA-256:	CE18FC834CEA0215B8BD6EB1C66586B4904FC7FCE758F6CBB1E9EB6FC004F338
SHA-512:	69DAFCD7BDCDF72E352EDFC67DF2C58FDEA22A6779702FB00670B90619DD0D673B8FB74E7047F7CB807AACEC08533A128DC437AFAB054C9FCB911D7C2779FCF3
Malicious:	false
Preview:	......Exif..II*.................Ducky.......U......Adobe.d...........................................................................................................................................................................................................................................!1.AQ.aq.."2.3.......B.#.R..r4........................!1AQ..a..."2...B............?.....}=...5....6..9....u]A@1....G.x.f.~...]i...VpKw....+[f.....q...i.4.M.;Kz..}=.-.....7B...............?...W..?C.........R........K...5...+JU,............^..Oik......dL..".x.q/ ..m.l.k.Z.e..j.L..=..&...K._Px.@h.w..X..[zV...}mk.ZL.....3-c. ....2...... .^...z............Q..E.A..d..h.......\...}6uV.3.....t...!.~.f......l.....J^z.G~.&...e....A.c.$...]PG.(hjF.S^+.].k~...<.[t..Qt2:.d...-..c\.e..y1M...m.....'.{.ei...`d....k...1....2.O.CA..&.'.>O..[...........i.M...>X..B..F..=.s.-...<.......N...6....[Z.943.f....NMr<E.W%I.ro..#..ro.....nj..6......b.F...k..U.B-bu.=.b..Bi........e<...U

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\three_colors.jpg

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 760x505, components 3
Category:	dropped
Size (bytes):	26619
Entropy (8bit):	7.547741155491426
Encrypted:	false
SSDEEP:	768:Zsra5o/C+tKDDPW4I++xCsuOlApLTEDjeEImcF:jaQD6DVCsBSpL0eEIFF
MD5:	718CAFA7E04A8D4D98116BCB4C377D7F
SHA1:	38A1EAC1E72997FFA9FB01BDE2540B18F046A3F5
SHA-256:	FBE48BA8AF8CC23A66906A1E94AC10D86CE91B86A18531CE1C96D6061387C2B5
SHA-512:	0FECEB6C7AC536B985198C63008668424DA51E628656706DE30E472DAEA49380F5D25187A268E8BF2E3740AAB6A8ED1171EC4E2C6A69699BAB7DB5B619CB36EB
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......U......Adobe.d.............................................................................................................................................................................................................................................!1..AQ.aq"....2....BR#....3..b...r..$...CS.....c....vX4.f'G8.......................!Q.1.A...aS..q.."2RC..B...3............?....um.\|:....o..H....e..W'...e."......X.o^.9{.<.sY.........nk;7.....K.S.W....;...$..3Sk..6w[._...k..Y....n......t...Gk....^.k..t...Sg..U..,...v.Y..lw7p....M...v{....<O...^.d{[..0.?{5..I......>y...#..]m$.ztz.)6..z.z.'-K.=:.m.O....W...X&.Ez.8.+q....u..b.=...].m..>.5...8?...k.....(...p.r.=.[H6...6...M.aG....h....\|.I^m.ee9.....e../ccf)-*.....}.LjQP.....m..Y.aW.5+...y.[...k.y..-......:.......p....v..{..m.6.:..bt..-..1JR^..7.\6.CmbR..8.es....&.O......"...sle}].{tU../...iVg)]. ..&Gm.,0.GM.....Kp.km.q..M.g....j.....C.[.DK...U..8BQk....Te...v......a.EJ..

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\typical.ico

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	4.926016576393048
Encrypted:	false
SSDEEP:	192:entnoFoTahmFxRYq7mE25b6K0FHQHVd4oXb2zwNf3i4ij:enWuPFxt785T0FHQHgo2wNf3oj
MD5:	EB3F9054BB5F95ED6B10EC4E16A026BE
SHA1:	35760271A03029996BDA26D5D596CFCC465E3EA9
SHA-256:	E330FA8030AA0465B02880133ADDBA0A8C6011B511F6968B413BF45516F7275E
SHA-512:	B0A96DA5514A9B8E9FA182A294694299388A854245AEC01E835B1108D568F9F1158917D9792BC852568EC56C2ED5E54F9E630E02D1EC79A281E2B28A67167A51
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`.........................................................................................................................................................................p........w.............w...p....x.....p...............wx....................................................................................................................................................................................................................................................................o.....p.................o.....p................................................................................................................................................................p........................w......................ww`h....................wwp.........p..........wwwwp..................wwwwwwp.....p...........wwwwwwww.gp..............wwwwwwwww...............wwwwwwxwwp..............wwwwwwx.ww..............wwwwwwx.wwp...........

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\white.jpg

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 493x312, components 3
Category:	dropped
Size (bytes):	1232
Entropy (8bit):	1.290282383283862
Encrypted:	false
SSDEEP:	3:nSullBbsRllAqp/y4FKKn5bbeWfa5QpUolHmBkDt0+EtZtE//Wmst18n:3llxqQ8AfQRGSDt0RZty/Wmsw
MD5:	57D130DDF327FCC5DA636A6AB4D7C112
SHA1:	D674F332D4F79C70D4A97BFD9E504A8F3A2C26B6
SHA-256:	990EAB9FAAAE9F78201EF00A72F7B59773EED2B2FC9EC72250C67F376EE0500F
SHA-512:	E2F2141973CD9B7B52347EBCC89E89FDDEAA5B9721011C2CD7B2F2EAE434EF0F10D02537EB0F1AD6276FA182147AE935277EF9BBE31960EE2D82437C0741D39D
Malicious:	false
Preview:	......JFIF.....d.d......Ducky..............Adobe.d.............).)A&&AB///BG?>>?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG..))4&4?((?G?5?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG......8...."..........K.....................................................................................?..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6684\whitesmall.jpg

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 446x92, components 3
Category:	dropped
Size (bytes):	554
Entropy (8bit):	2.356721207995078
Encrypted:	false
SSDEEP:	3:nSullBbsRllAqp/y4FKKn5bbeWfa5QpUolG5PkDt0+EtZtE//WmstN8n:3llxqQ8AfQRG5cDt0RZty/WmsY
MD5:	4429F170056663EFD1486395E8EB0AF6
SHA1:	AE9B01A44C8EE5AE7146F0523E512EE32DC284AD
SHA-256:	FFE2980D90152EF603555A735B7CBA1917C99BB67061B44D6AC6F12E6384BDD9
SHA-512:	719F4E55944502F7D472F362DD0D1D09649FBAEC0515701C9C84BBB3F32B06CC29E4A4C55022BC034CBC68C9C151A90018A926D1A08B4D5048F117950E9135E9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky..............Adobe.d.............).)A&&AB///BG?>>?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG..))4&4?((?G?5?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG......\...."..........K.....................................................................................?................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\INAF816.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	823240
Entropy (8bit):	6.404576447300874
Encrypted:	false
SSDEEP:	24576:rTaRpuaJXUUxsdScfjP3UtMMnNfXnUCCAs0+D:rG/uaJEisdScfbUiANfXnUCCAs0+D
MD5:	2E25B7DC66FC65D92C998D6FB1D09EF6
SHA1:	719CC9C0BBE12F040E169984851E3ABEA03D9CF8
SHA-256:	A01FB6763B11BA0CBF9B26FC8D45E933C2A6AD313BC9B12ED41AC67BAF2AA8C2
SHA-512:	7D4AF029A01CE60FC0787599C031C0DBFF7069311832A5587F003EA68EF739B22C8B01832E00801B0D17C12983C4D0E7877CDE58DE371886CFB6BE5B490F4C33
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$....................4.....4..H..........................4.....4.....4................................F..........Rich...................PE..L...q..b.........."!... .$...X...............@...........................................@.................................`........................l...#......@...h...p...............................@............@...............................text....".......$.................. ..`.rdata......@.......(..............@..@.data...............................@....rsrc................t..............@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI4DB.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI4FB.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI51C.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI56B.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI5CA.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	823240
Entropy (8bit):	6.404576447300874
Encrypted:	false
SSDEEP:	24576:rTaRpuaJXUUxsdScfjP3UtMMnNfXnUCCAs0+D:rG/uaJEisdScfbUiANfXnUCCAs0+D
MD5:	2E25B7DC66FC65D92C998D6FB1D09EF6
SHA1:	719CC9C0BBE12F040E169984851E3ABEA03D9CF8
SHA-256:	A01FB6763B11BA0CBF9B26FC8D45E933C2A6AD313BC9B12ED41AC67BAF2AA8C2
SHA-512:	7D4AF029A01CE60FC0787599C031C0DBFF7069311832A5587F003EA68EF739B22C8B01832E00801B0D17C12983C4D0E7877CDE58DE371886CFB6BE5B490F4C33
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$....................4.....4..H..........................4.....4.....4................................F..........Rich...................PE..L...q..b.........."!... .$...X...............@...........................................@.................................`........................l...#......@...h...p...............................@............@...............................text....".......$.................. ..`.rdata......@.......(..............@..@.data...............................@....rsrc................t..............@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI609.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	949704
Entropy (8bit):	6.466154972117666
Encrypted:	false
SSDEEP:	24576:sIwVz9EMURaglxM62wOR4H0kXiOfWo1OrEMBZX26PH2caU:n0OO62wOR4UkrfH1OrEMBZX26PH2caU
MD5:	8C98FC0407681EAC7FD69EA06DBF29EA
SHA1:	109C8E1BCF375F6FDCFA5B00F02E092E0678595B
SHA-256:	B4C7B684DDCEEC5D4A809D8A7F4B8D2CF87E5B866E0D83F389018F423295EC4E
SHA-512:	0A24D27B7982F314047977D4D219F53D7F4CBEDA9A2E72E4D328604E1FA183BFA670F0391CC70A5888E5C0747177B7AE5A1298E8F884FD8FD8515EA2FF9683D7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^.5.?.f.?.f.?.feM.g.?.feM.g.?.f.E.g.?.f.E.g.?.f.E.g.?.f.G.g.?.feM.g.?.feM.g.?.f.?.f.>.f.E.g.?.f.E.g.?.f.EAf.?.f.?)f.?.f.E.g.?.fRich.?.f................PE..L.....b.........."!... ............~...............................................k2....@......................... ...t............................Z...#......T....L..p...................@M.......L..@............................................text............................... ..`.rdata..D...........................@..@.data...............................@....rsrc................X..............@..@.reloc..T............^..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI92DA.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI92FA.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF8E3.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF990.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	949704
Entropy (8bit):	6.466154972117666
Encrypted:	false
SSDEEP:	24576:sIwVz9EMURaglxM62wOR4H0kXiOfWo1OrEMBZX26PH2caU:n0OO62wOR4UkrfH1OrEMBZX26PH2caU
MD5:	8C98FC0407681EAC7FD69EA06DBF29EA
SHA1:	109C8E1BCF375F6FDCFA5B00F02E092E0678595B
SHA-256:	B4C7B684DDCEEC5D4A809D8A7F4B8D2CF87E5B866E0D83F389018F423295EC4E
SHA-512:	0A24D27B7982F314047977D4D219F53D7F4CBEDA9A2E72E4D328604E1FA183BFA670F0391CC70A5888E5C0747177B7AE5A1298E8F884FD8FD8515EA2FF9683D7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^.5.?.f.?.f.?.feM.g.?.feM.g.?.f.E.g.?.f.E.g.?.f.E.g.?.f.G.g.?.feM.g.?.feM.g.?.f.?.f.>.f.E.g.?.f.E.g.?.f.EAf.?.f.?)f.?.f.E.g.?.fRich.?.f................PE..L.....b.........."!... ............~...............................................k2....@......................... ...t............................Z...#......T....L..p...................@M.......L..@............................................text............................... ..`.rdata..D...........................@..@.data...............................@....rsrc................X..............@..@.reloc..T............^..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIFDE.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	823240
Entropy (8bit):	6.404576447300874
Encrypted:	false
SSDEEP:	24576:rTaRpuaJXUUxsdScfjP3UtMMnNfXnUCCAs0+D:rG/uaJEisdScfbUiANfXnUCCAs0+D
MD5:	2E25B7DC66FC65D92C998D6FB1D09EF6
SHA1:	719CC9C0BBE12F040E169984851E3ABEA03D9CF8
SHA-256:	A01FB6763B11BA0CBF9B26FC8D45E933C2A6AD313BC9B12ED41AC67BAF2AA8C2
SHA-512:	7D4AF029A01CE60FC0787599C031C0DBFF7069311832A5587F003EA68EF739B22C8B01832E00801B0D17C12983C4D0E7877CDE58DE371886CFB6BE5B490F4C33
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$....................4.....4..H..........................4.....4.....4................................F..........Rich...................PE..L...q..b.........."!... .$...X...............@...........................................@.................................`........................l...#......@...h...p...............................@............@...............................text....".......$.................. ..`.rdata......@.......(..............@..@.data...............................@....rsrc................t..............@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shi1542.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	5038592
Entropy (8bit):	6.043058205786219
Encrypted:	false
SSDEEP:	49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
MD5:	11F7419009AF2874C4B0E4505D185D79
SHA1:	451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
SHA-256:	AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
SHA-512:	1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L......N.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shi621.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4509696
Entropy (8bit):	6.100941182830929
Encrypted:	false
SSDEEP:	49152:jm+XAVAMPLfOyim8iTRxYUOQSfLTZZZ2y38lb7Cjn3mboy4+MT7ujWx/Tl0ng48e:CzVAwiKTOpfLTDQyaNoy787ujWx/TlR
MD5:	F6153E803F1533042AC7E6988237C2C3
SHA1:	DDA81BB8BC8CC14877C9CB9B7C664DEFD81EBB4F
SHA-256:	F42A771D310C762C05A5BE3DE0CFDB9BEC28D3DFCCAEF800C901F551A0DF30ED
SHA-512:	7AE76A4CB58A9929C09B1D6376073268622C74B1E3F0C346AFA7A7829E2EF136CCF091F58CCA28BFE83C665573C23D9DB6AF51A44275DA0CC2CF8C1306ADDBAC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._.._.._..V.X.=..K..S..K..X..K..W.._.....K..^..K..-..K..D..K.4.^..K..^..Rich_..........................PE..L....+.X...........!.....dA.........P.3.......A....c.........................@E.......E...@A.........................i@.K&..L.A.......B.H.....................D..-......T....................O...... .................A.H....C@......................text.....@.......@................. ..`.wpp_sf.......@.......@............. ..`.data....6....A......hA.............@....idata...1....A..2...nA.............@..@.didat..4.....B.......A.............@....rsrc...H.....B.......A.............@..@.reloc...-....D.......C.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shi690.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83128
Entropy (8bit):	6.654653670108596
Encrypted:	false
SSDEEP:	1536:0jIdYoF2CwmzOVStYMAuNWrmaTk++ouMOczT0ud4x41xmPS:0jRoFZwmr+bDk/MOcv0G4sxm
MD5:	125B0F6BF378358E4F9C837FF6682D94
SHA1:	8715BEB626E0F4BD79A14819CC0F90B81A2E58AD
SHA-256:	E99EAB3C75989B519F7F828373042701329ACBD8CEADF4F3FF390F346AC76193
SHA-512:	B63BB6BFDA70D42472868B5A1D3951CF9B2E00A7FADB08C1F599151A1801A19F5A75CFC3ACE94C952CFD284EB261C7D6F11BE0EBBCAA701B75036D3A6B442DB2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.T...:...:...:.....&.:...9...:...;...:...;...:...:...:...4...:...?...:......:...>...:......:...8...:.Rich..:.................PE..L...Y.............!.........H.......n..............................................;.....@A........................P........B.......`............... ...$...p..........T............................................@...............................text.../........................... ..`.data....!..........................@....idata..H....@......................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shiF855.tmp

Download File

Process:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5038592
Entropy (8bit):	6.043058205786219
Encrypted:	false
SSDEEP:	49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
MD5:	11F7419009AF2874C4B0E4505D185D79
SHA1:	451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
SHA-256:	AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
SHA-512:	1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L......N.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shiF9BB.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4509696
Entropy (8bit):	6.100941182830929
Encrypted:	false
SSDEEP:	49152:jm+XAVAMPLfOyim8iTRxYUOQSfLTZZZ2y38lb7Cjn3mboy4+MT7ujWx/Tl0ng48e:CzVAwiKTOpfLTDQyaNoy787ujWx/TlR
MD5:	F6153E803F1533042AC7E6988237C2C3
SHA1:	DDA81BB8BC8CC14877C9CB9B7C664DEFD81EBB4F
SHA-256:	F42A771D310C762C05A5BE3DE0CFDB9BEC28D3DFCCAEF800C901F551A0DF30ED
SHA-512:	7AE76A4CB58A9929C09B1D6376073268622C74B1E3F0C346AFA7A7829E2EF136CCF091F58CCA28BFE83C665573C23D9DB6AF51A44275DA0CC2CF8C1306ADDBAC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._.._.._..V.X.=..K..S..K..X..K..W.._.....K..^..K..-..K..D..K.4.^..K..^..Rich_..........................PE..L....+.X...........!.....dA.........P.3.......A....c.........................@E.......E...@A.........................i@.K&..L.A.......B.H.....................D..-......T....................O...... .................A.H....C@......................text.....@.......@................. ..`.wpp_sf.......@.......@............. ..`.data....6....A......hA.............@....idata...1....A..2...nA.............@..@.didat..4.....B.......A.............@....rsrc...H.....B.......A.............@..@.reloc...-....D.......C.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shiFA39.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83128
Entropy (8bit):	6.654653670108596
Encrypted:	false
SSDEEP:	1536:0jIdYoF2CwmzOVStYMAuNWrmaTk++ouMOczT0ud4x41xmPS:0jRoFZwmr+bDk/MOcv0G4sxm
MD5:	125B0F6BF378358E4F9C837FF6682D94
SHA1:	8715BEB626E0F4BD79A14819CC0F90B81A2E58AD
SHA-256:	E99EAB3C75989B519F7F828373042701329ACBD8CEADF4F3FF390F346AC76193
SHA-512:	B63BB6BFDA70D42472868B5A1D3951CF9B2E00A7FADB08C1F599151A1801A19F5A75CFC3ACE94C952CFD284EB261C7D6F11BE0EBBCAA701B75036D3A6B442DB2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.T...:...:...:.....&.:...9...:...;...:...;...:...:...:...4...:...?...:......:...>...:......:...8...:.Rich..:.................PE..L...Y.............!.........H.......n..............................................;.....@A........................P........B.......`............... ...$...p..........T............................................@...............................text.../........................... ..`.data....!..........................@....idata..H....@......................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\7z.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1390312
Entropy (8bit):	6.599443687044708
Encrypted:	false
SSDEEP:	24576:w4wwwwscgymwef8Z8Zzj6z1el68mUi1m/ONxdDDHNCU+3kvaBW7839l5Qafgb6L1:pwwwwscgymwefyEQ/U6/NnDDHNCTeaBf
MD5:	292575B19C7E7DB6F1DBC8E4D6FDFEDB
SHA1:	7DBCD6D0483ADB804ADE8B2D23748A3E69197A5B
SHA-256:	9036B502B65379D0FE2C3204D6954E2BB322427EDEEFAB85ECF8E98019CBC590
SHA-512:	D4AF90688D412BD497B8885E154EE428AF66119D62FAF73D90ADFFC3EEF086CF3A25B0380EC6FDC8A3D2F7C7048050EF57FCEA33229A615C5DCDA8B7022FA237
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0...0...0...9a.=...9c.I...9b.(...b......b.. ...b..&...9...1...9...7...0........4................1....o.1.....1...Rich0...........PE..L....x.c...........!.........~......x7...............................................~....@.........................P...\|......P....p.................P,..........0...............................P...@............................................text............................... ..`.rdata..............................@..@.data...0........4..................@....rsrc.......p......................@..@.reloc...............B..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\APKwait.bat

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	34
Entropy (8bit):	4.231009444816111
Encrypted:	false
SSDEEP:	3:mKDDGMLCyLuVFOZh9n:hSKfLuVFOZz
MD5:	326F18673467B34662A43E1B7588C82D
SHA1:	A9E584530B851E014BB475FEBE51474D7E41278E
SHA-256:	4693C9628F2CFC8C789225B984CCEA576D665D6792B3CA265EF0B5D27127CAF2
SHA-512:	56B39C93DE447F73BB94F6A0EECA1E20B318CDA3CC5B5ABE14BCB0C8E6F0A066AF98D8C6DDF42A1E4B57E82747142663FAA5554E5F941E2B90C38D4C105ABC9F
Malicious:	false
Preview:	@echo off..ping -n 10 127.1 >nul..

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\APXhttp.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57504
Entropy (8bit):	6.908600489842891
Encrypted:	false
SSDEEP:	1536:5wQ0j2HOip0EdcP2dWDWoviK2SVb41Pxc73LPxA:5VOqd+vi3Sb0xcDTx
MD5:	02948F19A0488CED88F4806C959EF24F
SHA1:	D47C1439309BEF82C1CA0A623D1CBC70C259B935
SHA-256:	712B2845697459CCDF6E71BAE7FF3B423254A91EB5C85B02551B2AD2A4112EE3
SHA-512:	681182CBB8E55C0008F4D2B6141B507F51C98050F014A66D256A5252E24F8DD2AC8559D71F0F01953830DBBF840F07C57A7E520274180B5AE35329D447AA8675
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........L..-.-.-..X.-.U].-..X.-.Ub..-..X...-..X...-..X.-..\.-.-..-..X...-..X.-..X...-..X.-.Rich.-.................PE..L.....tc...........!.....R...:......@........p............................................@A................................l...........H................R..............T...........................p...@............p..h............................text...MQ.......R.................. ..`.rdata...$...p...&...V..............@..@.data................\|..............@....rsrc...H............~..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\APXmodule-2.0.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	37024
Entropy (8bit):	7.054557610794306
Encrypted:	false
SSDEEP:	768:dBdwySZ+f1RGV4NhzM8EJPxm5Yi3fPxWEf:dLtf1c4b41Pxo73fPx
MD5:	F6C740A06CF69CB38527B746C1B5C90D
SHA1:	6EE733F791DE76AE9B6EDA05F4514BBAC3D17749
SHA-256:	29B7F57469745537CABAAB229BFB9FC2084CC7BEF14EEFE734C2C3A6EBF02F48
SHA-512:	01FBCAB3ED927082F60F96E0EA6647540F333FD2CB85E6E108D5FD0FAF358C809098B2CC0F8C50CB8BEA37FA81AADF31D21DF3F043B91E71F5D330E1407086A2
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........gZ........................................................t......%..............t.......t.......t...............t.......Rich............................PE..L...K..a...........!......... .......!.......0............................................@A.........................8..L....9.......`..8............>...R...p..l....3..p...........................(4..@............0...............................text...d........................... ..`.rdata.......0....... ..............@..@.data........P.......2..............@....rsrc...8....`.......4..............@..@.reloc..l....p.......:..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\ATellPhon

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	2.091917186688699
Encrypted:	false
SSDEEP:	3:WlWUqn:idqn
MD5:	EAD3D4CBA62CAD943DCA9FA88139D258
SHA1:	244E3C37AB41854F5B221653AC42CF26A4FAA97D
SHA-256:	74228703D2D0DCF060D50F1046EDB9D7273D901E50B728AFD50A4D42BE752674
SHA-512:	7ED4C73369A9E1C7CABABD6BB9E04674FC6E1D0C7FB40F46A129B94BFF895F9C65413A4875BBCEC91F4DDDC9B3CF7FBB344CDC87CC9E636DC6843775204F413B
Malicious:	false
Preview:	MZ..............

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Agent

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.761658988442702
Encrypted:	false
SSDEEP:	384:ovAw66vILDbNRhbHeJh8+oXBjxJd5IyYQGSbdkDjkoebjDISVjNW8SCW0:ovAOQbSEln5IyYpamDjobj8ShSA
MD5:	A5DD94434C702493D4577E966134B303
SHA1:	6BFAEB811189C41521802A11E0836237CD169395
SHA-256:	A26F4219815C297C705060B77595EF76E35E9E2BEDBEB5AFB3357CDC5BA2717F
SHA-512:	C5A44A9D526C2D494FCDCD765BAF7A765E53838F53A65DF1D1CE4114FCB1186296A8FAEBEE4BD0A39A41C9E96AA3B3484E07D86FBD117BE7915610EB4EF5CF77
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.q.u...u...u.......t...u...X.....B.~.....A.t.....@.s.....E.t...Richu...................PE..L....R.H.....................h...............0.......................................b..........................................x....@...d..........................................................8...@...H...\|....................................text...j........................... ..`.data...8....0......................@....rsrc....d...@...f..................@..@l..H8.....HC.....HP......HZ......Hd......Ho...........msvcrt.dll.KERNEL32.dll.NTDLL.DLL.GDI32.dll.USER32.dll.IMAGEHLP.dll.....................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\BBC.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	710888
Entropy (8bit):	6.630506217753263
Encrypted:	false
SSDEEP:	12288:6BMGnPEAEuRNz2HuiEJe0z6h5KEuEVv4D1wEM50+OD2evinKqcQUuWnI8:6BMGnPEAEyXiEw0xXD2evincvFnn
MD5:	FAE7D0A530279838C8A5731B086A081B
SHA1:	6EE61EA6E44BC43A9ED78B0D92F0DBE2C91FC48B
SHA-256:	EEA393BC31AE7A7DA3DBA99A60D8C3FFCCBC5B9063CC2A70111DE5A6C7113439
SHA-512:	E75C8592137EDD3B74B6D8388A446D5D2739559B707C9F3DB0C78E5C30312F9FCCD9BBB727B7334114E8EDCBB2418BDC3B4C00A3A634AF339C9D4156C47314B4
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........f..............U.......U..B....U....................................................c.......c.......c.......c.......c.......Rich............................PE..L.....]d.................n...8......dB............@.......................................@.....................................d.......................P,.......g..pL..T............................L..@...............(............................text...Hl.......n.................. ..`.rdata...............r..............@..@.data...4R...0......................@....rsrc................:..............@..@.reloc...g.......h...B..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Blend.visualelementsmanifest.xml

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	310
Entropy (8bit):	5.218991813797138
Encrypted:	false
SSDEEP:	6:ejHyaVic4subiKFNFWod/OjpFFHDhkQwY7HmXXKmJpkQwYEn0gCYEnP9FN:eF8iK9WW/OjrF4CA/cX0vXDN
MD5:	B3D5B8ADD818034C991FE15C13E0B055
SHA1:	3FBFBECC2C10DE459586B3B39D2F7CB45289C8B1
SHA-256:	79F8A190196CC5B79B99A07991A34B2E5AA25989FC22121B6C17B80F4772801E
SHA-512:	3C3E233072D9F4F94DDF2AF992339F43755DE9BC4F136BC6CC2EB1255B55C97D86495B8AF415C6880D62D8904D9E2EE61B427CA13FAB08492D4341F1D2E86E0D
Malicious:	false
Preview:	<Application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">.. <VisualElements.. BackgroundColor="#2D2D30".. ShowNameOnSquare150x150Logo="on".. ForegroundText="light".. Square150x150Logo="Assets\Blend.150x150.png".. Square70x70Logo="Assets\Blend.70x70.png" />..</Application>..

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Browser_1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	3.827554659468926
Encrypted:	false
SSDEEP:	3:Ol/QfkTsfIedYRXY:OlTT2dYRI
MD5:	F1B791B8D42F4D4B5794E254F7A86BD1
SHA1:	20B839C9257D51F28C7814C99922DBCD1A1EE248
SHA-256:	174423E75513994F0205EB2D874583D791C17A391B1DD97FBCE3CAD7E7FCAE61
SHA-512:	924CA93F18CB19C2F138E9DCFA21C0E90473EC2FFBAA3AC208A26ED9944FB0FCAEDFCCAC7138A5A825EED3B4FB033653BEE4BC2F79CD9D5084156A0D9D685407
Malicious:	false
Preview:	{491EB955-8A31-4381-BA1F-FDA4C60415A4}

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Bseziof

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	129008
Entropy (8bit):	7.827316426792684
Encrypted:	false
SSDEEP:	3072:vRZzFCwH6WrKxTtcZaUMueR2ZGCApbu7n31bsj9y:pZBC66WrKDcMxR24rpbu71g
MD5:	D76420DC56BE74361FF5053D87A752A7
SHA1:	E4E95C6D322FA5007F045F969A507A79DBA24A18
SHA-256:	CAA76B91F5ED0D10ADD3F757B7412822795013547AB286906D9F3740C0501A32
SHA-512:	C96654CB012F883037DC11478256779A4859C1A8D158D53430CE83040BAA327F0B060D52A6B8C7832F6497D3F7FABEF47EB4E33C841CBB90EA5373D7263398CB
Malicious:	false
Preview:	........@...............................................!..L.!This program cannot be run in DOS mode....$........\..I=.I=.I=.2!.H=..2..K=..!.K=.&".K=..".K=..2..R=.I=..=.....=.I=.H=..".J=.RichI=.........PE..L.....*g............................0.............@.................................................................................................................................................................................................UPX0....................................UPX1................................@...UPX2................................@..............................................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.....D;..t.f8k..$...

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\DataTransform.ini

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Generic INItialization configuration [Userddress]
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.67841607960707
Encrypted:	false
SSDEEP:	6:OZPixNiKRSVWTQlY2LXmwPxhb4eR8iiLrAmXOtAvHPzT3U6g:OZaRRXQNLXmwPxhb4e7iLkmXOtqL72
MD5:	5DB5802855390316509312EA98913E3F
SHA1:	941E2FB957A5160AAD5BCBB69D4D8EEB1E679679
SHA-256:	16BA11467408450A06C599D7AFC8D3FF383EF6FC06E0FAF028CC71DCF71EB980
SHA-512:	B048090B41CE724D3F09BA82B70606F553658990F007BDB93BE41D0178DA81B210956D815EDE31319C35E86EF74CC5B0DCA69F113D066B16745DE6B7583C3E98
Malicious:	false
Preview:	[Data]..Type=UMnwio9zv2FqxxUVMR0jWJnXhzGyjuwdGhyjE7NmuwPzPTn2oWYbUgHhroi6QH..[Userddress]..Data=ya4feBPz9quDWubPmy1BrWBrJ2epxBFxdZ2u51ne4Q6dcjTemYgPRQMGN5akXwRqkmPKRMc5ptX1Mccd9HRaBLKEd0AntxumwTZx..[DataTransform_CreateZlibCompressor]..Dictionary_Rekey=A.exe..[ctrl]..ctr=SearchRun.exe..[Desktop]..Desktop=rar.exe

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\EduWebContainer.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	12840
Entropy (8bit):	7.986702439437666
Encrypted:	false
SSDEEP:	192:/ZrfidU1vKpUcMlqiP66dS2qu9wl2apxWama5IWmciIplqLngTmfqDnoKax5eq3m:Jfim1C4lqiP1dxWZZGciI62oROzl
MD5:	11F506F266C236A58D62D0F466A537AD
SHA1:	F948F8013782A3AA3F5D7BCAD62E8CC63146007C
SHA-256:	958BF016A726EDF619062E3C56CE54E6E46C9982912EB92081A2B91B2B5E50B0
SHA-512:	5E5C636D05B8D4B3F880243B001FF8CB32EC1883D86F55F78CA65CD92BA3B9BF52A84BB75CA9F98FFA423ECF683EFA22F2B584FE0B9B6C104A7EE1C145B81634
Malicious:	false
Preview:	...Y{.B....&...oy.}..F{...z..H'..."..x...... .(_.L./.5.....W.\.....;...T.J.G.MH.][a...c....2nfF.E.r<..N.F.E....n....&>..../.f.]..u...(]...M..$.#tl{.L.R...Nx.....J..2...h.e!Z=.r.Y.._.U..s..v.T.4.JQx2.._F3.+........j...V..-c\|vO.%r......d../.g.}b..!..<K.1#...OeU. ;!N..n..G..k..N...).y`~!.....Z'.d..$...-.r..z...v......>>m.... >28..{..-.l......Nv..x..#m........l.1.8..$_.......\..m........x.]f..C..Y/.(qGC.3..N.`.!(..m.C...=.<.../.P:.Zf^.dm...+.3..V.....^.D.......[K.$...E.....E.b.~.:....=Xz\..J.....uG.LWA.`p...N.ze.P.R.......U.>...{p^...;A.Rj......L.......Dcx/@}-....... .~....2'...m..>....@.`..8Km.X.N..rs....r.Z..g..h......P.~.."v.7...\...v.....rDs.Buo.......1.].c...X..:.....9 K...W5..F#^.;AoH...!.%...F.T>.g.F[.H...M.B.f....."...s..T....e.F'..HY..&6.3.k.<L.kU.......[HZh.J8l..5....C..A...=.}.?........+./.peQ#.x`.W...h..!..,.q .Q.w./k.#...Y...k.Y.\..........0v........:G.`h......f...Eq.y..........G.2......J.)..\..C."..A8.....A$..tIu.....

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	174304
Entropy (8bit):	6.858552596804119
Encrypted:	false
SSDEEP:	3072:Q0HJ5wo1/MJjozYJimE2BamDKigu/fgl1glfdjgBftJeCE5vLEnM7QrRz:/J5wUmhkmDKVuE1gQJeCERLG1F
MD5:	0D318144BD23BA1A72CC06FE19CB3F0C
SHA1:	91A270D8E872EA2A185309CA9CE5D9F08047809E
SHA-256:	60503684F39425C5505805A282EB010ECB8148BBF7EFE9BBA9CF33C507AF7F3A
SHA-512:	A3F3C7D84644B13868AC324947C2D678620E341E368B781D45F244A53F448D6B24BE7B50AC9908728DFBBB74214FCB46902137910E907F14F601518C0EFD215B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.A...A...A...,...H...,...;...,...Y...z...S...z...S...z...d...,...D...A...........C.......@...A...@.......@...RichA...........PE..L...V.]d.............................#............@.................................Z.....@.................................48..<....p..0............`...H...........*..T............................+..@...............$............................text............................... ..`.rdata...^.......`..................@..@.data........@.......2..............@....gfids.......`.......<..............@..@.rsrc...0....p.......>..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\CIM_ResourceAllocationSettingData.xsd

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (342), with CRLF, CR line terminators
Category:	dropped
Size (bytes):	8108
Entropy (8bit):	4.965236708426262
Encrypted:	false
SSDEEP:	192:MuZUkwsSwZhuV3wM3DwuMu93wv3Dwui4Cya:MuZUkwsSwZhuV3wM3DwuMu93wv3Dwui/
MD5:	A77B71F6E5FE1F50065AC8A15796AFEB
SHA1:	80A83A247FFD47529419873B32E02852B75D47AF
SHA-256:	D02D5181E13AA96B67AB75F51C03AB1F1286F7A28FD92ACA3021E4E694A4E2E8
SHA-512:	E5502B347C545C4460ABDA78242B238D83AB4645F0495D933B4C419CB4872520915E13C8A6F5137B260B000C690145A8139A7FF47286BC9875531F74167B50A8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>... Generated by WBEM Solutions, Inc. SDKPro 3.0.0-->...<xs:schema xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:class="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData">...<xs:import namespace="http://schemas.dmtf.org/wbem/wscim/1/common" schemaLocation="common.xsd"/>...<xs:element name="ResourceType" nillable="true">...<xs:complexType>...<xs:simpleContent>...<xs:restriction base="cim:cimAnySimpleType">...<xs:simpleType>...<xs:union>...<xs:simpleType>...<xs:restriction base="xs:unsignedShort">...<xs:enumeration value="1"/>...<xs:enumeration value="2"/>...<xs:enumeration value="3"/>...<xs:enumeration value="4"/>...<xs:enumeration value="5"/>...<xs:enumeration value="6"/>...<xs:enumeration value="7"/>...<xs:enumeration val

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\CIM_VirtualSystemSettingData.xsd

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (332), with CRLF, CR line terminators
Category:	dropped
Size (bytes):	5951
Entropy (8bit):	4.95379352101584
Encrypted:	false
SSDEEP:	96:IHpusmyEYtpusmyEcpusmyEf6dEvrgeUKMvLm0n/:4usm0zusm+usmLtVUKmLma
MD5:	8737313A1CD47D1BD415F4CD7C8D5A35
SHA1:	C3FE8ED373DD8807DC56B8ACD807A01163BA1945
SHA-256:	190C096159A5286655707E1141EEFFCE86484AC48DE4F54CBA4CD44C59868CDB
SHA-512:	C3090FC492DC1C875715B1A82906F7466CA63AE5BDFAB0A7730DBEDAAF622ED7FC5471D9F036813D423C33CDB4CC80BA9A8AFCC8387E365FDB7148B84BF2BB8B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>... Generated by WBEM Solutions, Inc. SDKPro 3.0.0-->...<xs:schema xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:class="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData">...<xs:import namespace="http://schemas.dmtf.org/wbem/wscim/1/common" schemaLocation="common.xsd"/>...<xs:element name="VirtualSystemIdentifier" nillable="true" type="cim:cimString"/>...<xs:element name="VirtualSystemType" nillable="true" type="cim:cimString"/>...<xs:element name="Notes" nillable="true" type="cim:cimString"/>...<xs:element name="CreationTime" nillable="true" type="cim:cimDateTime"/>...<xs:element name="ConfigurationID" nillable="true" type="cim:cimString"/>...<xs:element name="ConfigurationDataRoot" nillable="true" type="cim:cimString"/>...<xs:elem

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\DrawContent\DrawContentNoname.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144872
Entropy (8bit):	6.1033991888043255
Encrypted:	false
SSDEEP:	3072:Poib/ncfh8z2geq5CpLFuAzpXDGX12HBt:zb/6RpugpY2HBt
MD5:	D0C679D73048A8AF8C5F483BDBCAF0A2
SHA1:	6AFEBA5B8C5A390B2A487590A5EE7E10ABFEFE6F
SHA-256:	952451312864D1CF98C137EF6B5048F325325CC1237B1D1DB26819839ED7FC27
SHA-512:	BCFF13C8FD3B01AA5F8BA54D91ACE7E74EF5A370808B517471271FE39318938DECAFE5A40D26A94D46D3DBB2E5EB152209828269EC86B210B04C3C13B13DA23F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'.I.Fz..Fz..Fz.+...Fz.+...Fz.+...Fz...~..Fz...y..Fz......Fz..>...Fz..F{..Fz../s..Fz../...Fz..F...Fz../x..Fz.Rich.Fz.........................PE..L...N.;^.....................<....................@.......................... ............@.................................T...P....@..................PC..............p...........................0...@............................................text............................... ..`.rdata...\.......^..................@..@.data...L.... ......................@....rsrc........@......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\LICENSE.3rd

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	6264
Entropy (8bit):	4.246298126375936
Encrypted:	false
SSDEEP:	3:Pf3v3vP3X3P3PPnHnPXvHf/H3PnXnPfnPHnvfP//PHffH3H/v3PnfHXP3vP/P3Pr:b
MD5:	DDDAB64301999870824A2CC0E358689B
SHA1:	664263BF0641B55AF72EFBB6A9AB91AC77673D54
SHA-256:	DAAA8FC859B10444E218800FC15E2E7560EBF59E269BB58DD8D82C9305F73C6E
SHA-512:	DABA1DC82031056430E0150DAD18B43BB3D4A6AFD67E802BC7F867D274E1221F5BB9C12EA3213148FB6114FB79559C86E141C75D828ADC11F7C4372E70072827
Malicious:	false
Preview:	"z.rz.....r.b...z..bz..bJ.rjRjR*..B.2zbbz.Jr:..z2.....j.....Jr.b."".Jr..BJ....z"....."J....JjR...z2..r..z2..BJ...z2.....J..:z..r".....B...j..z2..B.bJ.r...bz..jRjR"J....J.j..J.bJ.....jRjR..J..r.....R..Z..JZ.z.B.R..Z..JZ.zr"ZJjR.z..J:B..B.J.....j......R..Z..JZ.zrjRjR.BJ...z".j.......".Jr..zj.Jb".2z.j.Jr..r.......z..".J.r..B.jR.z....2Jb..j......"J...J...".....r..j.r....z.J"Jr:.J..J.jRrz...zb".2z....z2J...J.Bz....B....Bz.....J..r..zr.r.b..r"jR..z.J"Jr:..B....BJ..rz.J...r"..B....Bz...r.j.J..Jr.b.""rjRjR.BJ..2Jb.J....z.J"".....J....J.B.rz.....".z..Jj.bJ"......r..rjR.B....Bz.........rz.bJ..JbJ...J2.J.........r..".j.:..z..z..z...z..jR.zj......B...z..r.J.:..2.*b..z."zr:..B...b.j...z...J.rjR.....z2...:.rjRjRjR..B.2zbbz.Jr:..z2.....j.....Jr.b."".Jr..BJ....z".....".JbJ.jR...z2..r..z2..BJ...z2.....J..:z..r".....B...j..z2..B.bJ.r...bz..jRjR.z..J:B..B.J.....j....b.".JbJ..".bz....jB..r:.B...:j.Jbr.zjb....*bJ..r.:j

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\LICENSE.libcodecs

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	311
Entropy (8bit):	5.363090655038483
Encrypted:	false
SSDEEP:	3:EGLzVYRFoUgLhHx0iFolaXM+MA3GtfX2SMOFrNNRJhl//bB9bPL9RbtBnbPZrVTF:EGLzWF65x0mq3kJO9NX
MD5:	433000AA79D90F93C87E11F86A786F67
SHA1:	A1B8B8F69884A4CE9BB433D96ACBED3337C5AE5E
SHA-256:	08E569EEABC5D4082F4A59142F22534FF57F12F991CD4E1A36811511799EF109
SHA-512:	DB752A2D65D8F276D6225A7C478EB1674EE3B0829CA57272A54D55C1C9E25A9E9DDD93699E41D6CF53E36313C8DDF4C0C034EDAC765139124620F0E5FFA99E8D
Malicious:	false
Preview:	libcodecs is part of the "Huorong eXtendible Stream Scan Engine" project copyright by Beijing Huorong Network Technology Co., ..6...&,:8 648..,...4&4<.46.."64....4..4.$.. 2...4.pbT.f4..4..p4"4.<&.^.:&,8.f,84".4..fp^f......V.4.2.&&.. ..84.8 64. 2.&,:8 648..,.." .. ".p,.n.:..........0,...:.8 $..<.6...&,:8 648...

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\LICENSE.libdt

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.406360206907183
Encrypted:	false
SSDEEP:	3:EBjMWEXRFoUgLhHx0iFolaXM+MA3GtfX2SMOFrFjJ//bB9bPL9RbtXhbZrVTl/9z:EJuF65x0mq3kJO9/
MD5:	5E48AE384DD6874C64E8129FAA0F4D1F
SHA1:	9A7A273EC1E97FA80304A51A5874E2C40E68D993
SHA-256:	4CA63968FCBE57FE9A9079DBEA85375B6129ABFF45CFB42E24A7F1DDF044943A
SHA-512:	20552DEBAAACF783BB128EB2A619125507921E9E3971EE43EA9613F681FBFD3BA711CD774E1DB9EDD7B56C36D1181DD42D8BB73C0AAE0CA3BEFA20E0B482BC17
Malicious:	false
Preview:	libdt is part of the "Huorong eXtendible Stream Scan Engine" project copyright by Beijing Huorong Network Technology Co., Ltd.....:6..,...4&4<.46.."64....4..4.$.. 2...4.pbT.p4"4.<&.^.:&,8.f,84".4...4.., ".......V.4.2.&&.. ..84.8 64. 2.&,:6..,.." .. ".p,.n.:..........0,...:.8 $..<.6....",8 ."..

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\Microsoft.VC80.ATL.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	376
Entropy (8bit):	5.187860451409661
Encrypted:	false
SSDEEP:	6:TMVBd6OjzIIBeBXVL9obRu9Td8gH9aO/5TMiX1+jSQdS1vwIgVf+ZaYf7:TMHdt4IBeBFLOwHR5TNl+rmxgVKaq7
MD5:	0BC6649277383985213AE31DBF1F031C
SHA1:	7095F33DD568291D75284F1F8E48C45C14974588
SHA-256:	C06FA0F404DF8B4BB365D864E613A151D0F86DEEF03E86019A068ED89FD05158
SHA-512:	6CB2008B46EFEF5AF8DD2B2EFCF203917A6738354A9A925B9593406192E635C84C6D0BEA5D68BDE324C421D2EBA79B891538F6F2F2514846B9DB70C312421D06
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>. Copyright . 1981-2001 Microsoft Corporation -->.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable/>. <assemblyIdentity. .type="win32"..name="Microsoft.VC80.ATL"..version="8.0.50727.4053"..processorArchitecture="x86". />. <file name="ipaip1.exe"/>.</assembly>.

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\Microsoft.VC80.CRT.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	314
Entropy (8bit):	5.140999301390513
Encrypted:	false
SSDEEP:	6:JiMVBd6OjzPbRu9Td8gH9bZELrbvm/53SMiX6+hPABdS1FggVfgk5Z:MMHdtlwHHJ53SNK+hPIRgVR5Z
MD5:	710C54C37D7EC902A5D3CDD5A4CF6AB5
SHA1:	9E291D80A8707C81E644354A1E378AECA295D4C7
SHA-256:	EF893CB48C0EBE25465FBC05C055A42554452139B4EC78E25EC43237D0B53F80
SHA-512:	4D2EC03FF54A3BF129FB762FC64A910D0E104CD826ACD4AB84ED191E6CC6A0FEC3627E494C44D91B09FEBA5539AD7725F18158755D6B0016A50DE9D29891C7E5
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable></noInheritable>. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86"></assemblyIdentity>.</assembly>

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\common.xsd

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	6812
Entropy (8bit):	4.737569607251046
Encrypted:	false
SSDEEP:	192:z6H9K9r24/jtVOuVG/PCGHhWrrIafb7fL5qlz+DLSQ7LXOgF:VNtLz/Y3xB6rPPlyz+Dt
MD5:	D7216C4C115C30D3DC996F339C2197E2
SHA1:	9C90B140316FFB6AF090BD80DF40EA744D555B11
SHA-256:	946C1E2C50EA753E2CF3F40CB4A83C319E0D5693C3B017AD3F9811792319D2EE
SHA-512:	9A0F133B8517B86A29AAA0F541573842A4B76D6DE30C1167D4EEB2F08D0568CE94ABC81341049BFA328D85DFDC8D8B74177B9A896107C2438168EA4EA5B47FC6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8" ?>.... DMTF Document number: DSP8004 -->.. Status: Final -->.. Copyright . 2007 Distributed Management Task Force, Inc. (DMTF). All rights reserved. -->....<xs:schema targetNamespace="http://schemas.dmtf.org/wbem/wscim/1/common".. xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common".. xmlns:xs="http://www.w3.org/2001/XMLSchema".. elementFormDefault="qualified">.... The following are runtime attribute definitions -->.. <xs:attribute name="Key" type="xs:boolean"/> .... <xs:attribute name="Version" type="xs:string"/> ...... The following section defines the extended WS-CIM datatypes -->.. <xs:complexType name="cimDateTime">.. <xs:choice>.. <xs:element name="CIM_DateTime" type="xs:string" nillable="true"/>.. <xs:element name="Interval" type="xs:duration"/>.. <xs:element name="Date" type="xs:date" />.. <xs:element name="Time" type="xs:time" />.. <xs:el

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\hi.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	8544
Entropy (8bit):	4.277108053686666
Encrypted:	false
SSDEEP:	192:WvI+bMk4g+7rdT2sc4EtGXQgcWh8bvPgLIjJQ9tkTjIkja4tEDIzqIrpKaF13aSy:Wv9oq6rdT2T4EtGXdF8jPgLIjJut2Ik0
MD5:	E34E94531BAF8957EBDFB5ECCDC52635
SHA1:	D7139BDF34F6F167456014D4D5E16CFDFCC18214
SHA-256:	5AF2CC87FE9FA69DA65C990070EE17AF3F612E3883621BD2474161BB508E454F
SHA-512:	CF3F4BCF0F5DC35BFC77594FD8AD4E9C6BF32291DAE2298C84B3A465EDB4B75851C0A58F39BB6828EA69E31293E5A4DA5DAA29F4B3F31306F37941491992FC58
Malicious:	false
Preview:	..........N.....N.....N.....Nr....N.....N.....N.....N.....N.....N.....N.....N.....N"....ND....N{....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N1....Nb....N.....N.....N.....N4....N`....N.....N.....N.....N.....N.....N.....N.....N=....NI....NU....Nd....Nv....N.....N.....N.....N.....N.....N.....N/....N>....Nw....N.....N.....N.....N.....N.....N.....N'....NX....Na....Nm....N.....N.....N.....N.....N.....O.....O&....OI....O~....O.....O.....O.....O.....O^....O.....O.....O.....OI....O~....O.....O.....O.....O4....Ov....O.....O.....O.....O+....Og....O.....O.....O.....Oy....O.....O.....OV....O.... O....!O...."O....#O)...$O2...%OA...&OS...'O_...(Ox...)O....*O....+O5...,O....-O.....O..../O....0O....1O"...2O....3O....4O]...5O....6O....7O....8O....9O&...:O....;O....<OB...=O....>O....?O....@Oc...AO....BOo...COY...DO6...EO....FO%...GOD...HOk...IO....JO....KO. ..LO' ..MO6 ..NOO ..OOq ..PO. ..QO. ..RO.!..SO.!....`!............... .......

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\hr.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4256
Entropy (8bit):	5.476332948782519
Encrypted:	false
SSDEEP:	48:nizQz4KzjHCKvMzSBvdI0s4TkqZfDhPhbdAQv7Dg3M3Y2UUzgJJC+Mo1tMoIJcAO:i8z4KPnM+JdLsY5xDhYrhRjaBVI7vr
MD5:	7CD82242FDDA155F0DC4C830A73225C4
SHA1:	436A156C8016B96B83B11931FF9562F29D805977
SHA-256:	0096FD57392462D010E9B4DDDA4D021A8B5E5BA78FF097958C1E7A00EC175A2B
SHA-512:	2C5133E3673D8470AF6067AF2E5B7D2150B71D3D87379CD94574F72E3CA2B251C08C7F7F530F705CB2EDD8D96263BA9A205346B5704238FC748180235C6809EE
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N ....N&....N.....N6....NE....NU....Nd....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N&....NF....Ng....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N3....NA....NG....NR....NV....Nc....Ng....Ny....N\|....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....O$....O,....O9....OZ....Oj....O{....O.....O.....O.....O.....O.....O.....O!....O.....OO....OS....O]....O{....O.....O.....O.....O.....O.....O.....O3....OO....Og....O.....O.....O.....O.....O.... O)...!O5..."O@...#OF...$OL...%OS...&OY...'O_...(Ou...)O....*O....+O....,O....-OZ....O..../O....0O....1OV...2O....3O....4O....5O....6O....7Oj...8Ow...9O....:O....;O....<O....=O....>O....?O....@O8...AO....BO....CO....DOe...EO....FO....GO....HO....IO....JO....KO....LO....MO(...NO0...OO7...POR...QOj...ROr...SO}.........DetaljiSpremiOvaj je indeks mogu.e pretra.ivati. Unesite kl

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\hu.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4734
Entropy (8bit):	5.650888808404625
Encrypted:	false
SSDEEP:	96:+AA8bFIK4pwdJj/JqLn5yEnxSabw7rMVrCtZcqRcU+EFUkozbFFJOHVOrS:FAmkp4JjJqLnoxscZcqRcnEmko/FPO13
MD5:	8C5F95F081F6A23A2D058562A24224FC
SHA1:	0D8E3138654B66998341B1B4D07CB6E0CCF56DA3
SHA-256:	2288098F91E90D5F5583A42ACDB4D278A8438656A190EBC57FCC034FA0110054
SHA-512:	4D4A183A07B4014848DD5B50F520BA43ACDB37C8A2E280E32CC080A6FCDE8EE5D758CD0ED71A104E6FFDF3566BAE08A1141D666E0951344D98F802C9381875B0
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N"....N2....NF....N\....Nt....N\|....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N"....NL....Np....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N+....N/....N5....N=....NS....Nc....Nj....Nz....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N$....N9....OD....OS....O]....O{....O.....O.....O.....O.....O.....O.....O.....O,....OI....Ob....O.....O.....O.....O.....O.....O.....O.....O.....O.....OL....Oh....O.....O.....O.....O.....O.....O....OH... Oe...!O\|..."O....#O....$O....%O....&O....'O....(O....)O....O....+O+...,Oy...-O.....O..../O3...0Op...1O....2O....3OP...4O....5O....6O....7OH...8Oh...9O....:O....;O....<O....=OE...>Ok...?O....@O....AO....BO[...CO....DO....EOt...FO}...GO....HO....IO....JO....KO....LO....MO....NO....OO....PO....QO=...ROF...SOQ.....~...R.szletekMent.sEz egy kereshet. index. .rjon be keres.si

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\lco.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	7.307434278749024
Encrypted:	false
SSDEEP:	384:azbge2/99IpWUFyCKaMgXGT/bl55oqyfvN:azb619IpWUFyQiB55aH
MD5:	E057AA4A56A9A2A628A8053F25A27D7D
SHA1:	D839E5258BBDB871C746C2CEF52E336487535C47
SHA-256:	2519081ECA56FADCF3B62E7CB22E55A1F839B9055E9F1E404FC28145D149E913
SHA-512:	D968AA76B1483A14B7D829C755A99C7AD09163D18DA6806F23B3A33664292F16A4695B596B0D2BE619A3B6DC909CFCB8CB7FF236641D1CC012E4F438364945E7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y.P_=.>.=.>.=.>.R.5.<.>...0.0.>.R.4.'.>...c.>.>.=.?...>.i...<.>.Rich=.>.........PE..L......@.................0.......p................@.............................................................................t...................................................................................................................UPX0.....p..............................UPX1.....0.......,..................@...UPX2.................0..............@..............................................................................................................................................................................................................................................................................................................................................................................................................................1.20.UPX!....

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\li.dat

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.3431390622295662
Encrypted:	false
SSDEEP:	3:dU6mWhRE4Qm5In:vmWhlQ6In
MD5:	233B4AAF620B36D5569FFB334806A663
SHA1:	99E4C2ED4447B3CA2772F11374E7EC22DF06A04B
SHA-256:	C0F5633F8058E6CF0FEF5CE6AB91438663A1AE2670CB49350E095D8F667C9870
SHA-512:	24F4006DA19AE7B10408250AB326DB4EABE6E782BECCE130C0F25D2D0E43E738624CFD490BFAC0A8A6BD6E164C01FB76CD69BC050AD0BBF3052A854A516B0170
Malicious:	false
Preview:	47AE4CA89C38F4D75F115CF41887F878

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\livehis.dat

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\package.json

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Non-ISO extended-ASCII text, with very long lines (766), with no line terminators
Category:	dropped
Size (bytes):	766
Entropy (8bit):	4.058458203323675
Encrypted:	false
SSDEEP:	3:Hf3xVxLvT5X9dz7bvfdz7JvV7zVBtD33pRXhXDhRZDR7z9fjdzp93xh/Td7f11tx:v
MD5:	5E41AD36487EAB944983A14C9C124D93
SHA1:	B8B098B88CBFF2F64589ABDBE7FBEFCA7C99FE3C
SHA-256:	26C6BCF0EFF67807AEB9F2F407D06DF653B99724AFAD9C9A9B8129DB7D8C3FAE
SHA-512:	F876BD1E49BB0C0B0660E14DD2D95C75F2124AFDE00D095674E53D0440B7BA7B89BC1A2576A9FE755B5C727E5808DB1C8A127CE4E4B2C124257412B76A200FD2
Malicious:	false
Preview:	....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\rpi.dat

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	972
Entropy (8bit):	5.7488500702321135
Encrypted:	false
SSDEEP:	3:Fjjlnn5tllNTFllxXxjX/DNZH1/HnDD/trvDlL5TrjJrdbXZVtX5L3dlj1b1hX7x:r
MD5:	6513F31AB6F308B0B8802FA04C450122
SHA1:	AD3D14C5F78B5C2F2C4DAE06A486156A7B4126E9
SHA-256:	1445C8422A8FF14D8414300B819CBF2340A03A64158FCF7A3CCF76FDDB10DCA2
SHA-512:	CFB2754253E71B48EB6D69BA93641D06C0608C38FFFDCE2F5E54CED002997C9821299BADF26D95B2D84A41F13CA96A4F9D1C5E38D52DB2934AEF64C988844D98
Malicious:	false
Preview:	....0...............b.\.`.\.`.\.b.`.`.b..............................................8.......................................................................\.........................................................................................................................X.4(.~x.x.b...P.....Jt....f......VD....H.V.Z..~v.8.&h.x.x...F`....J.P\|.2.P....h....F..j...h\|......~r.0..:...DD....>.B`2..x.FP......H.4.P.............x.....P....... .........6j4......X4H.z..D.x.b.....Nt...l\pn44.@.n.........&......t2. VP.tx6.4..F..h.^..v.^..6.L.....n..\|0@.R..P..x.J...(..lj.....&n..~.dV....td.B.....F..2:~...l..X\..0.`.....<.&.....@.N... t.z...Pr..Z..t..L.h...L..t..:.$..<.vx~..$>....L.xb.xJ......L&v..v4x.p.."B.@n.6....,.(V.x.R>64.....v...~...J.d..&......\JH.t..V...".0..n.TPd..,0......0.2.r.\|.....:....2n...v..6...P..D....$.....8.&r.Fh(.d6.....J.n....$"...Xz<.2B~.z..H.....BV.X..\,.2.j...`..h@...j......8X((.b..6(B.@D..b...6j..l&0T.<.(.T..

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\slist.dat

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	2356
Entropy (8bit):	3.7394907365919403
Encrypted:	false
SSDEEP:	3:nFrrxzj79bNZbHNbZdT9LbdHr/bfblpbdXzbrbrVd9P7XF5V3Rbb/NjbdbF9X1TH:R
MD5:	3CEEBAAA7FC6344B0274AB9274DEEED7
SHA1:	38832454403400441F9824C2265256A650C947ED
SHA-256:	F526024533673E6F167903F21978017EC712566E9EA1DD249671F119719F8DE9
SHA-512:	3E63A0F5764A59E77E5B0C4680DCCB33D1D52B4E622F84762D9949B736A6BDAB416BC72F3D2501BA90D46414186EC2C42677D1528E7186128D96082C32CB00D2
Malicious:	false
Preview:	..$.......................r.r.\|...........z...r.x.......x.....\|.....\|...x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F.....6.<...4.F...V.\|...........8.<.:.............................x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F...<.2.4.$. .".F.......V...<.....4...4..........H.\(X(N......$.........x...\|.z...r...x.r.........v.......x.z.....t.x...z...........x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F.....6.<...4.F...V.\|.\|.....v...8.<.:.............................x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F...<.2.4.$. .".F.......V...<.....4...4..........H.\(X(N......$.........v.......\|.\|...............z...\|.....t.......................x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F.....6.<...4.F...V.\|.t.r.......8.<.:.............................x...F.^... .0...<.$...r.,.&.4...............F.......F.......X.<.2.4.F...<.2.4.$. .".F.......V...<.....4...4..........H.\(X(N..

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\version

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	F1D3FF8443297732862DF21DC4E57262
SHA1:	9069CA78E7450A285173431B3E52C5C25299E473
SHA-256:	DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119
SHA-512:	EC2D57691D9B2D40182AC565032054B7D784BA96B18BCB5BE0BB4E70E3FB041EFF582C8AF66EE50256539F2181D7F9E53627C0189DA7E75A4D5EF10EA93B20B3
Malicious:	false
Preview:	....

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\HoursBroker\xml.xsd

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	9123
Entropy (8bit):	4.770624688403829
Encrypted:	false
SSDEEP:	192:FavQwyIregmSPwTy2k/3EeEQ6xGbd81PyCmD0DE:UvQwytg1425vE5bPEADE
MD5:	9FE2776E8A9D4BCFEE812A69F37DDABD
SHA1:	6264C527A996806B0C439F17C56B2E96DBF0FA82
SHA-256:	0BCA167A1B2FAABF9F2BB59A7C55C09B25C71974DB4D6125F91A14B7071F5E9C
SHA-512:	89D00A7602FC47858A0B0ADC81CDF4F63CBA0728EDA0B9824EA9DCC09B39A596A61034DA5001377444D6B6E07B454028DF528E722F5D2D268A50B296E2990259
Malicious:	false
Preview:	<?xml version='1.0'?>..<?xml-stylesheet href="../2008/09/xsd.xsl" type="text/xsl"?>..<xs:schema targetNamespace="http://www.w3.org/XML/1998/namespace" .. xmlns:xs="http://www.w3.org/2001/XMLSchema" .. xmlns ="http://www.w3.org/1999/xhtml".. xml:lang="en">.... <xs:annotation>.. <xs:documentation>.. <div>.. <h1>About the XML namespace</h1>.... <div class="bodytext">.. <p>.. This schema document describes the XML namespace, in a form.. suitable for import by other schema documents... </p>.. <p>.. See <a href="http://www.w3.org/XML/1998/namespace.html">.. http://www.w3.org/XML/1998/namespace.html</a> and.. <a href="http://www.w3.org/TR/REC-xml">.. http://www.w3.org/TR/REC-xml</a> for information .. about this namespace... </p>.. <p>.. Note that local names in this namespace are intended to be.. defined only by the World Wide Web Consortium or its subgroups... The names currently defined in this namespace ar

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\KwCommonUI.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1020288
Entropy (8bit):	6.392670889032173
Encrypted:	false
SSDEEP:	24576:m25q2rSATcolN/NKEM7GYNzOgcW6tAhc7rgnFEwXXfe5V2:m25q2rPlN/NKEhYNzOgcW6tAhy6EwXXb
MD5:	C87054BA4A83C6CA19977C446A722A7C
SHA1:	5743B16BC6D600E27B66D13CC04208BAE2A9A880
SHA-256:	6CB166C1895FC7DF5235658E3963C82200BBE5E71005FDB4F8744657A7F49B09
SHA-512:	87449A5FEF2B2B77198E0D946452F8E05B8F2B7ABAE239EDB2B848BD5E3F7A332A208DE71CAC7912D788CD1C47F80FA2BE9ED61DE2F8EA378E610A1DC0C46A9A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c..('.`{'.`{'.`{s.Q{%.`{.V.{!.`{...{&.`{...{".`{...{+.`{'.a{.`{.V.{2.`{.V.{&.`{...{4.`{...{f.`{...{&.`{9..{&.`{...{&.`{Rich'.`{................PE..L....,WT...........!.....<...8......c........P......................................`...............................p...30...t..T....................x..............._...............................................P..P............................text...-;.......<.................. ..`.rdata.......P.......@..............@..@.data...@...........................@....rsrc...............................@..@.reloc..r...........................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\KwLayoutMgr.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	287616
Entropy (8bit):	6.429805120462574
Encrypted:	false
SSDEEP:	6144:54s5ND8mRd6PUep7GdwmT+8b/IgcyIFoWIBOtBp2HsoM:5D5ND8mRd6PUep7GwmT+c/hOIg2Mp
MD5:	F260AF60120ECE46C499BADA5B4277AD
SHA1:	F1790AAC72B10A4BD4D88E9A143B96BE996197AC
SHA-256:	D52D01E382EA39D005F7AD2F3C13DA45B4DE4779608E08A9FB1AD5630D122043
SHA-512:	19FA19716965E0034AD57B0CE15BFF54DEC67D3C7E73408ACEC2E642E82DE4AC1E0C42E19CA58C494A1F95014980FDBDC9D904701F2CB421C993B9660F3C5C89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............@...@...@...@...@{.C@...@.@@...@.V@...@.Q@...@.F@...@...@...@._@...@.G@...@.A@...@.D@...@Rich...@................PE..L....,WT...........!.....B...................`......................................X.....@.........................@................0...............J.......@...2...d..................................@............`...............................text...T@.......B.................. ..`.rdata..#....`.......F..............@..@.data...\...........................@....rsrc........0......................@..@.reloc..tD...@...F..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\KwLib.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	306048
Entropy (8bit):	6.678408876122077
Encrypted:	false
SSDEEP:	6144:YxgkPaSM1AoCbO0PSyTws4H9pAKz6QRWO2TBdHRrtYOttYO7l:YDPaUBKODmH9pdXRWO2TR/
MD5:	2E63EA70505847A7DB340F5004FDDE71
SHA1:	A4DA7AFF18A9A747490633F5490959BAF75658B7
SHA-256:	87AAB5BBBD2360C819B4E58BB0667693147764BA39FCDCBD3549ECA1D57355E3
SHA-512:	7DF80C017E2F5D1E40CB41795F40E82025B5ED188BD5AF4C812D24F9E8C77438C259417E8592C4D528D37DA495815A057623CCFA67DF35B27980847DBA91AEF5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........L.}...}...}.../D..}....S..}..M2V..}....U..}....C..}....D..}......}......}...}...\|....J..}....R..}....Q..}..Rich.}..................PE..L.....4T...........!......................... ......................................&.....@.............................Fk..p...................................L....%..................................@............ ..\|............................text............................... ..`.rdata..F@... ...B..................@..@.data...(....p.......N..............@....rsrc................T..............@..@.reloc..f8.......:...X..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\KwLogSvr.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73088
Entropy (8bit):	6.419370395015747
Encrypted:	false
SSDEEP:	1536:OD24dyONDcOUOM498ldXs2xnQ+xcLP0OK2LBaNwF:X4kOO498laIQ+xcoOK2LBaNwF
MD5:	15F1FEC47E3AC4A2AE67BDE110CA698C
SHA1:	84EA58DEA72D9FE5B36ED64BEF2C19A43DF90EC1
SHA-256:	003D0E9F37639687CD72F8499743F88B54388A81E4322260280A70C0E601AE21
SHA-512:	C42E8F04FBFCE139D8365CC69CC161469FBB5443A2ACD9CCBBC584F85B04ABE2DFDDCAD1D53ECFB2AB54EBF004F5F10B730A2E677BBABFAD56400BEA7371AEEC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P.r.1.!.1.!.1.!%~@!.1.!.IC!.1.!.IU!.1.!...!.1.!.IE!.1.!.1.!>1.!.IR!.1.!.ID!.1.!.IG!.1.!Rich.1.!........................PE..L....,WT...........!.........V..............................................@..........................................B............ .......................0..........................................@............................................text............................... ..`.rdata...<.......>..................@..@.data...4...........................@...ConfigVe............................@....rsrc........ ......................@..@.reloc..:....0......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Lastnama

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:I:I
MD5:	C2AEE86157B4A40B78132F1E71A9E6F1
SHA1:	162CDC2A8B567050EAE25592EEEDAF33464A7A76
SHA-256:	46DB1CA7F3598C26C3E6C8D99E3ED95D2B1C76DB040B8F8CD29AF723EE086077
SHA-512:	784CC010C961A58B42984A4EC538D299AB92C01CB95171C220FD26C473491F839FD032960DC148C866DA45411D4ACB93188F0F7857F6F2C09DDF3E9FF50248DB
Malicious:	false
Preview:	892

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Lastname

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:U:U
MD5:	43FA7F58B7EAC7AC872209342E62E8F1
SHA1:	F022DA4E40566305C0C8F39FD8F4B83DD5368834
SHA-256:	96BB293AAA330EF307EE004448B92B75FFDC25ADE2831ED23FC60FFA97FFFB7F
SHA-512:	64B5514668BDBE6ABE7F86ABD790005F46D593D8E3EFB785C87DD8BA9035B8BC5FC72001DA81883391B690A5191057062EE711401C3E95C1935A3D3FFED138FE
Malicious:	false
Preview:	816

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Lastnymc

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:kQn:kQn
MD5:	82F2B308C3B01637C607CE05F52A2FED
SHA1:	75D2A5A3C528920D00425F29099EED114B9134E0
SHA-256:	5C3E9040008C91509E2D28E5308034B677D4E2CC0B386863D4883BDB747EBA1C
SHA-512:	91CCE11EEDA35FD527AC3DDBB930281FCB14AF0EE46412D7A389B59AEA3F8D56F3D46E2EC3BE167406AC4D8FBBD4F7C1246C8F1E30384FDC913703A48D36E4BD
Malicious:	false
Preview:	725

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Lost

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	14
Entropy (8bit):	2.8962915290459277
Encrypted:	false
SSDEEP:	3:ceROon:ceoon
MD5:	ED448BE0DA6329AA44A4B0C9B74A87D4
SHA1:	97EBD28C7A40DB56814BEDAD8B869B2BB8D3F00A
SHA-256:	5502EC5E01AC01F4ED2F6E1991B73DF9894568458A396A97AF06DD2965C63C1F
SHA-512:	5C4435346F31AC75FBE426CCE8F878B52A14AC1B060191C7D713EEA57DE2E22D93F83D49FA3C5E07A4BCF5BAE89C7C804930D364587C36390B8ABDD659F15E34
Malicious:	false
Preview:	(*,4()"4.)4++"

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\LostHe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	9
Entropy (8bit):	2.197159723424149
Encrypted:	false
SSDEEP:	3:1Z:1Z
MD5:	0D7C1D8AE080978B8436817C87C11684
SHA1:	C83087520942084476EF74151BF451A0557993DE
SHA-256:	53D24F3BC80C44785C7645F347A17942B607CAA451FC2337F458EA0A73F920AD
SHA-512:	8605C26C90441DFC7DEE0C5816DF5DDCEF42D4A02DE7D819936A60C10A57191AD67F0B95F23FE8CE085EF5F156FBBC57303B44A995AB13B2B8CC941AAB73FEFE
Malicious:	false
Preview:	.cf......

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\LostP

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.9219280948873623
Encrypted:	false
SSDEEP:	3:mn:m
MD5:	BC3A47AE14C1EE186861D38F665DB38E
SHA1:	5990206CD8DAFCBB07948322395490DEBD04F9CF
SHA-256:	54BCF265FBF2D10346018F48C6BDFE3B663955739079006E2D6AF6720F44756E
SHA-512:	505A7A420FD3D539300B1E074F1717C2FC221BAEC5A94F6DD968C30751D54F21F2E81276A7F35A033E9FCEE3F1F80149746540974208E111AB1AA505EBEE6546
Malicious:	false
Preview:	,)/,#

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\LostPHe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	0.9182958340544896
Encrypted:	false
SSDEEP:	3:tH:1
MD5:	E62595EE98B585153DAC87CE1AB69C3C
SHA1:	40B904FD8852297DAEAEB426B1BCA46FD2454AA3
SHA-256:	38760EABB666E8E61EE628A17C4090CC50728E095FF24218119D51BD22475363
SHA-512:	84387A560C74CD17A3E1D618181BD7734CACDB1D7B5A52EDF20FBB27C4FEFE25BD4F839C12E842C61CCD57308FD6A6B3987DC237ACCD213B9818D751C3990C10
Malicious:	false
Preview:	aab

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\LostPShe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	0.9182958340544896
Encrypted:	false
SSDEEP:	3:tH:1
MD5:	E62595EE98B585153DAC87CE1AB69C3C
SHA1:	40B904FD8852297DAEAEB426B1BCA46FD2454AA3
SHA-256:	38760EABB666E8E61EE628A17C4090CC50728E095FF24218119D51BD22475363
SHA-512:	84387A560C74CD17A3E1D618181BD7734CACDB1D7B5A52EDF20FBB27C4FEFE25BD4F839C12E842C61CCD57308FD6A6B3987DC237ACCD213B9818D751C3990C10
Malicious:	false
Preview:	aab

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\LostShe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	3.0269868333592873
Encrypted:	false
SSDEEP:	3:q1vC:q1vC
MD5:	213802ED7972AEAFE6237FA1453F1FD0
SHA1:	794A4B01CD429D110180DAA19204A098C42F11E6
SHA-256:	398380CF3867FE7C45A44E02C5542299346B631E627DB931B1FB4C8BE82C58E7
SHA-512:	FE6CFC85A06969389B3AE345C566AFEE7F55F011425070B9AD6342F474266A440EFBA98EA8181DF1AE24A3C617E6CF2A3C916740198F3FEB1B70B5B403A537CA
Malicious:	false
Preview:	af.cbe.a`..`g

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\MemDefrag.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	67184
Entropy (8bit):	6.560571950422605
Encrypted:	false
SSDEEP:	768:mE8Ush0dMK0vVZdisbH8iBRq8aZ+LhN3r22t19zS4Kye8pOxbGew2MSPDGjENAMb:mE8tSiKlqcHFChNbj19znKy92bGjwx9
MD5:	D9E742CB7C33C378602A144904756845
SHA1:	6E9C521A8E657FC8B46312AD79C1C7CE08C10766
SHA-256:	29626F619DB47C528EB910C15CDF2D139B512024331DAC91E7C562DF4FF297D8
SHA-512:	4474909CEE6BEA404918A0D9650D72F766A0FB27A5BB7A0BAD04BBD6F6F05EBEC11BEAE9080B4BD9E7A55A8614517B7A7F1DCF49F68308E51AEDACB2FDAC164F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.x.)...)...)... ..%....K.+...{..."...{...-...{...1...{...-....[..(....[.."...)..................(.......(.......(...Rich)...........................PE..L....3.d...........!.........T......g{....................................................@.........................@...X...............................p2..........D...p...............................@............................................text............................... ..`.rdata...<.......>..................@..@.data...<...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.Bcl.AsyncInterfaces.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64960
Entropy (8bit):	6.573463392054397
Encrypted:	false
SSDEEP:	1536:mbT78So0kats7efpLfvQcl/h5GDwVwZtyA+7XXxDp:mT8Syaq7SBQ35+b/
MD5:	644F4DF789E7B1CC9DE8FCAE8A9B7035
SHA1:	DA389C035C18342DAC47D82333E6F6A9D54E067E
SHA-256:	D2A5F4C9A8DE1FFA1482277889D71738F220DDBD287A279FA11CF2EB4FC1F0E8
SHA-512:	5B49BC385D6460F60FE5D598FCA27E68378A2D7752FA0A9ED7956A1B16B1CCF22EF6300AA8A36AD284047B7D8C4A2654EFFECA845BEC24D21BC9E727A7F39349
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^.F8..(k..(k..(k..)j..(k...j..(k..)j..(k...k..(kH.)j..(k..)k..(kH.-j..(kH.,j..(kH.+j..(k.-j..(k.,j..(k.*j..(kRich..(k........................PE..L.....%e.....................N......@\|............@.................................H+....@.................................`...@........................)......P...d...T...............................@...............H............................text............................... ..`.rdata..@:.......<..................@..@.data...............................@....reloc..P...........................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.VC80.ATL.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	438
Entropy (8bit):	5.302102385514918
Encrypted:	false
SSDEEP:	12:TMHdt4IBeBFLOwHR5TNl+rmxgVKaGNLzIZ:2dtFEDCwHTTNl+rkgkJNLzc
MD5:	1CCB36CF4D7744F2A2449710032573F8
SHA1:	22C61BCDFB941EB6AA0829F8FECAA7B716895BF4
SHA-256:	8DC44CBA880E8E7A0776981FAC21094F905750C02890CBADC5059D1049D357EB
SHA-512:	53C6595A29C4636E4FDD800A48DEBF299DBFAC16396C217165BCB9D2E1B431982A1E3D5C8EA7850C178A6F6DA599DDF862DC7F64F29884EC0633A879B5B9C6B3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>. Copyright . 1981-2001 Microsoft Corporation -->.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable/>. <assemblyIdentity. .type="win32"..name="Microsoft.VC80.ATL"..version="8.0.50727.4053"..processorArchitecture="x86". />. <file name="ATL80.dll" hash="6d7ce37b5753aa3f8b6c2c8170011b000bbed2e9" hashalg="SHA1"/>.</assembly>.

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.VC80.CRT.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (504)
Category:	dropped
Size (bytes):	1829
Entropy (8bit):	5.362806750573066
Encrypted:	false
SSDEEP:	48:3rpK+higVB09kkK0hpzxU09kkKqYhzQC09kkK0FFz9:7pthNXkHndUXk8hNXkFjh
MD5:	12B6A5638A4D54F6E613CAFD04BC1C0D
SHA1:	0BD3E9F83883B00DEA8DC95112C8BBD74A14EDEF
SHA-256:	3B55C9DA463C5F6BBBD1E73398FABDC30998BC525F4FE6E586BE711E660BC800
SHA-512:	15272B53972D70C089C9EBF554DE7DD1BC4707EF2FA8D526E7022FC21C8A74AD039387FB4BB53835D0B4443227CB1AD1C1D2CFCB1D205C2729F13BD1FAF9B008
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable></noInheritable>. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86"></assemblyIdentity>. <file name="msvcr80.dll" hash="0a38b652c9d03caab803c6b2505fa301e345bab2" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>TM0VvywbHVQayIOw9CSX6M7WpaM=</dsig:DigestValue></asmv2:hash></file>. <file name="msvcp80.dll" hash="678bf3da5d1987bb88fd47c4801ecb41f51366ef" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xml

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1506), with CRLF line terminators
Category:	dropped
Size (bytes):	1860
Entropy (8bit):	5.392371898016726
Encrypted:	false
SSDEEP:	48:3SlK+vU6g49Pd09kkKKMzEAZ09kkKxrzVHNw09kkK3zY:Clt8CtdXks5ZXk8pNwXkK8
MD5:	53213FC8C2CB0D6F77CA6CBD40FFF22C
SHA1:	D8BA81ED6586825835B76E9D566077466EE41A85
SHA-256:	03D0776812368478CE60E8160EC3C6938782DB1832F5CB53B7842E5840F9DBC5
SHA-512:	E3CED32A2EABFD0028EC16E62687573D86C0112B2B1D965F1F9D0BB5557CEF5FDF5233E87FE73BE621A52AFFE4CE53BEDF958558AA899646FA390F4541CF11EB
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.30729.4148" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="msvcr90.dll" hashalg="SHA1" hash="98e8006e0a4542e69f1a3555b927758bd76ca07d"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>+CXED+6HzJlSphyMNOn27ujadC0=</dsig:DigestValue></asmv2:hash></file> <file name="msvcp90.dll" hashalg="SHA1" hash="3aec3be680024a46813dee891a753bd58b3f3b12"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:d

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.VC90.CRT\msvcp90.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570240
Entropy (8bit):	6.523986609941549
Encrypted:	false
SSDEEP:	12288:NZ/veMyZ137mSEWT0VkypLvgLehUgiW6QR7t5183Ooc8SHkC2eU8Z:NZSZ13iwJmgLq83Ooc8SHkC2eN
MD5:	232708A3FB0137133BA1787EF220C879
SHA1:	4F725F93081FE15C6AF99E32F3E97CCB22E15BFE
SHA-256:	64236B28CB287D9C912D1DB753B21BEB95009340B7ABB2717E40CE8D91946C89
SHA-512:	90DAEFA1F3D3608700074F349D0CD5E5D2EAE090ECAD07352E553F08087A2EDDEB457F235CDC7E4869C4CF24E895C05C11AF968E68CFD0B6AA8092C98DC7E4FC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#%..Mv..Mv..Mv.66v..Mv...v..Mv..Lv:.Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..MvRich..Mv........................PE..L...~LYJ...........!.....4...p..............P....Hx......................................@..........................P..,....E..<...............................43...................................%..@............................................text....2.......4.................. ..`.data...t'...P.......8..............@....rsrc................R..............@..@.reloc..HC.......D...V..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.VC90.CRT\msvcr90.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	653696
Entropy (8bit):	6.885617848989009
Encrypted:	false
SSDEEP:	12288:Bhr4UC+UumMaIYE8EoPP1cI9xPP2OKDL9QXyG2pUmRyyva:VU9FNPPbxPP2OeL9Q2pUmRyyva
MD5:	4B9B0107D35859FA67FB6536E04B54A7
SHA1:	60F5D36F475FEA96F06AC384230B891689393486
SHA-256:	EA59B23FC4799B10B07CC1E4F81BBCB7FAC712D93E2BA48DE50046E5B4C140DB
SHA-512:	324EDB6D0C618C20260417B86189C27D6E1EB00944C7F5A6C59679365E618D262C71433749DDFEF253B723F1D1B3167982B4742164A167B3CFC85C651300382B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................6.........!.R...7.....&.....0.....6.....3...Rich..........PE..L...yLYJ...........!.....\..........@-.......p....Rx.........................0............@..............................\|..P...(................................3......................................@............................................text...t[.......\.................. ..`.data....g...p...D...`..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.VC90.MFC\Microsoft.VC90.MFC.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2003), with CRLF line terminators
Category:	dropped
Size (bytes):	2357
Entropy (8bit):	5.378158011805663
Encrypted:	false
SSDEEP:	48:3SlK++U6g4A09kkKNzx09kkKJpzSgd909kkKzZuzl09kkKTzY:CltFCAXkgNXkKGgd9XkxZXke8
MD5:	0323AF0C3E694D85650AE55AA27EEFB3
SHA1:	672079C9564B4EC16EFB24DC80DE3EBEAF2A9F27
SHA-256:	1FED2074AB9F90D9FCCC5A49B6AA42C917674C2B5C7B1BB93FB67B0E0C944818
SHA-512:	5DF2D8B07B3ED0CAE3536C09AECA714B56EB75BC76668447C45917E890F5D22EF14B6059BD5782FD06D075A8497BC39A89F809E413C637405AE9BE4193C66FE1
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC90.MFC" version="9.0.30729.4148" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="mfc90.dll" hashalg="SHA1" hash="ec50bf1691888076202d5831599ac75ba0d35977"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>WuUqeI7Lf0+bhIfTm0T6Pv1L13g=</dsig:DigestValue></asmv2:hash></file> <file name="mfc90u.dll" hashalg="SHA1" hash="c752d2a42c0b82d2145cebcda60c7e5a43245cf4"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft.VC90.MFC\mfc90.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3765632
Entropy (8bit):	7.006945366952565
Encrypted:	false
SSDEEP:	98304:dOPkcHVGUQywT84a5IY9IViQ0zMzlp7toNTbPXQlk3glLsFLOAkGkzdnEVEFoKGA:WkcHVMTlBp0TrwlLsFLOyEFoKGD8
MD5:	225F7A12F61B3276D12310F457822D7A
SHA1:	F05B2DFE12D946606DDF0CD7E8A15027D75718AF
SHA-256:	3CED269344FD6AC7A3872D3DA39364397193C650A497702A0849C9543601A42E
SHA-512:	EF09DBC3FF0C6F1B229B4FCFD371A05E5570FDEB296D0F051F1AFD7C2F2567CEF86E47A3DA1B6D3B4AF116D9AC9F7508C36BAC065120F4519BC960AB0475349F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y...y...y.......y.!.Z...y.......y.....y.....y.....y.......y.......y.......y...x.c.y....0.y.....y.....y.....y.Rich..y.................PE..L...ImYJ...........!......%..(........!.......%...^x..........................9.......9...@...........................$.....,.$......`&..l...........\9.......6.\.... ..................................@....................q$......................text.....%.......%................. ..`.data.........%.......%.............@....rsrc....l...`&..n....&.............@..@.reloc..F.....6......r6.............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Microsoft_VC90_CRT_manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	2.9968027726780173
Encrypted:	false
SSDEEP:	3:HSu+QvdSG/cn:+SQqc
MD5:	6E17DDA977CBC993A9308145693BFE90
SHA1:	D964351BEE8764DE9CBCA186B7D1F526EB6361DB
SHA-256:	615707952EB080E6824699C73F1D914C2278E103CEA452CF4111063DD274458C
SHA-512:	3A1A40DBE7FF5911B3D42DF7C8A74470869CE3F75612A19A73256C799F2A1DD472607F3C89DAD5060AEC1FA953BDFED90A481A4413D2999D122B7AB1D8F7DA77
Malicious:	false
Preview:	577F7F777C753E756875FCD3D7619

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\N0vaDesktop.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5972392
Entropy (8bit):	6.868183225292118
Encrypted:	false
SSDEEP:	98304:ygUifEmDR4lEtsaowOSiL5f5aLbunw8Y6+15cmCSrw0sn/DVpFLOAkGkzdnEVom5:gifXD+Ktu75fu11CSrw0c7nFLOyomFHj
MD5:	06808B78BCC668E76A1F3B9589B985F2
SHA1:	07349BD4A98F70C0870802FCE91CE4F15DCB48AD
SHA-256:	4E560A33A3585F5F6DDD4674E8D8098B977BA3AE320ACDC4ABAC33B89CE17C97
SHA-512:	CED48BD909ACC1B4012A8FC56C8EE76CB0716611B9448465E8DE1670444C04E3B602D7F5A3AF66527EDF760DD10EAA12C68511CF1154B9B8A349D8D443B99EE7
Malicious:	false
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........B.{G#.(G#.(G#.("E.)o#.(..(F#.(.}.)D#.("E.)F#.(.z.)D#.("E.)C#.(\|}.)Y#.(\|}.)`#.(\|}.).".("E.)v#.("E.).#.("E.){#.(.}.)B#.(G#.(. .(.}.)M#.(.}.).#.(.}%(F#.(G#M(F#.(.}.)F#.(RichG#.(........PE..L......g.................Z1...).......'......p1...@...........................[.......[...@.................................@.<.X.....?..y............Z..U...0X.@y...a7.T...................tb7......b7.@............p1.\|............................text....X1......Z1................. ..`.rdata..2....p1......^1.............@..@.data...X[...`<......N<.............@....gfids........=.......=.............@..@.giats........?.......>.............@..@.tls..........?.......>.............@..._RDATA..0.....?.......>.............@..@.rsrc....y....?..z....>.............@..@.reloc..@y...0X..z...RW.............@..B................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\NULL.bin

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	125376
Entropy (8bit):	7.998479503470445
Encrypted:	true
SSDEEP:	3072:FI6dBzpxvuZ9UIQrNJ6DKxOssBCI4sB74xoGhFo4Z1J21:m6zzYsBMcsBCpO6Py
MD5:	0C21E337569640A73AF44474F44CB9F7
SHA1:	82C3C1C2602250441C1B18200F7FBDC2B6443352
SHA-256:	BC58641B4F43BE40016044046321F77DD153F0BFCE6E4E9D765711838DB13ECA
SHA-512:	7D19FBF9E907E468C34813B0E1E4F2880762573C9EFE678C36C5CA254890A4B0A008DE72E824345C3FBB838C7BAE3E3D991D46CFAF0FAA73BE89EA88DB2E3C76
Malicious:	false
Preview:	...:w.C...k....r....F...g{>..K....3==...6C..l.../.H..L.\|,..#.c....../I.....>........2.....(SH..Z..uJ...t..#Ov..p...XJ..E..8.t.....0d.Ew.DR...lZF..i0..v5.....y/......g...Z=.Z\|.)4.o.n.....i.g0..T.Z.......i...-.F&....{.'..E....G./....M....L....U..?....Ei'..\|.)..J,XnL...<..A......1..D.%I.CA.....#.-;z...g....U$.{.t.$\...$.+./...\|.@.5.0d.H..D.Ga..Tod....\{...Mj.\.....}..:.............StlE=.....~..3......;....I.@I.<...<..;....Y...u...P.....F.1p.^.y...f....P././}.....P.b/.J....?n.^"....S.1.}.JT...rS^t..5..X..["rL.<....$..K]`-)aq. ..1$.X..]... .9....k......v.../!....Vu.m.W.9G...us,3.....i.}..2.O8.t....j..mi..~..~'H&.....)......f..%...h.....i.f..0+.8.;....r&Y\..TO.E...!..n...t.h...KZ..K.L.i.h.,.;bm...`sS.~..\O.i.v!o.,..G.'...:=.Fn.x.b.E^r...j}.<.b.}....V..`M.Y\|;j,=....g.*..g....).Cw.eC.K...C...8nMc....P..[PP..Ghq..n.#..6j;.V..z..L.}..^.k.A......R....M.=}.bN\ty.3..c\|z.\./-E..^.P6..`9.8&xH.y..&...$.6...t........V..EZ.Cf...x...1oH>Y.....+..

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\NVIDIA_GeForce_Experience_json

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.0657682899193968
Encrypted:	false
SSDEEP:	3:4j46giWEcn:046BWEc
MD5:	23A56B3DBA64589852CD17E11CA111EF
SHA1:	FD6568661FC88695B76489727FB59734B2152427
SHA-256:	0415B8232791D3345042C516C9AF6F4FCACCFAD5D794FDAF1A15F0B34C77C3D1
SHA-512:	29837A72F9C7858C2DA38C2D69C64E98A531CDBF46D8EC7E92F608F917D93619AAC6B38DDD792FCDD8F654B51C7F6D6518F3CA120E7502AE8AFB979FEA015C59
Malicious:	false
Preview:	7C79727375763E747C7CFCD3D7619

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\NetDevenvSpeed.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	667648
Entropy (8bit):	6.655676024268379
Encrypted:	false
SSDEEP:	12288:G36HjCm6ltuRXQ/g+hVfW2LDzeLA5rJWutAWQSHOALXB:VCm6ltuRXKg+hVfWkDEA5tDuyX
MD5:	BA4ED2E6B25A8C9EDA3DA4CE85A5054D
SHA1:	C3B2EF12347E0C5206B4C3959FA96CD7F064F10C
SHA-256:	31370AB9ECAFEA8528D0C844C34B7721042C93A8E45278C4452B62ABAADE9182
SHA-512:	87C10EA2B82D79BD96CA453D808D937841A45CEE331E5914E5B9A7D6665BB41864D90E08E47F4000C1EEBC64F1E4035B010F545B2068B3604A7B8C87F1D30DBB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........xt..............a.......a..W....a.......l.......l.......l.......a..............l......l......l......l......Rich............PE..L....+.f...........!.....f................................................................@.....................................(.... .......................0...K...[..............................8[..@............................................text...cd.......f.................. ..`.rdata...Z.......\...j..............@..@.data....2..........................@....rsrc........ ......................@..@.reloc...K...0...L..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\NetSpeedLog

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	330752
Entropy (8bit):	6.2804656669920975
Encrypted:	false
SSDEEP:	3072:x9LbnjzIPOmRM0KQfU9JwjvD2xCovPVZHuEi+e15HiEGPGqQiblLYEaZ4OYlYXoK:b928/BvNZ8NHd7ibGYuG9/31P+HvujI
MD5:	CAD63BBE69DF55CFD51AFA2F5D657FEF
SHA1:	1DB6EE562FAB40318A827E6986FD609E67A91ADD
SHA-256:	CBD94FE47BE31249C84A8874E901C2389C2E5111F53541099C0B5948DD499731
SHA-512:	C75B6B314743929528D699888A5066DED1CDE8C1EA0262CF92D6411FDA52AB2E7F932F0DE0E663B268746EE40876FB7ECE289B9DC41C020C868064C7FDEBE0FD
Malicious:	false
Preview:	..D.................................................................`..........................................................#...@...@...@.......@..$(...@..>...@..B6..3@..B6..@..B6...@..$(...@..$(..<@...@...C..B6...@..B6...@..B6...@.....@................................Lj.........4........@.........T........d.....................................................................$......P.........`....................T.....................................................d..(............................\....SF.......@...........................n...d...h...\|..............................Z..........................`.......................................T...............................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Ntvbld64.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	MS-DOS executable PE32+ executable (DLL) (native) x86-64, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	42976
Entropy (8bit):	6.2171815555231875
Encrypted:	false
SSDEEP:	768:iHfqCaczo/ZinYCOd9L9KyhaM7JubDGpZRKjKj9MPgkU7:8fqT/ZWY/L9l7JheMJ
MD5:	671F95CAB2B5CF121125413F250F5275
SHA1:	73D99D09A3D8978A5C6DB43CEC85FB43B03B7A26
SHA-256:	728A1FCDEDCA6DBD8FDDDE3F33CD64DD99853C26EF5B10D3FEF0D76D0480964B
SHA-512:	4AF690AF838CEB026636931AEDE3852EAE6D83881149EF4C28CC1DD032C3F7F6A64B30171C2524512FACD40496DAB305523D20637B44EFBF0D5805D0FAD1FFCB
Malicious:	false
Preview:	MZ!..... ..........e..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ntvbldDXML..$............!.L.!.........`......................................................................Rich....................PE..d.....a.........." .....H...".................p..........................................@.........................................pV.......S..(.......h....p.......h..H?...........................................................................................text....F.......H.................. ..`.data........`.......N..............@...

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\OTGContainer.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5972392
Entropy (8bit):	6.868183225292118
Encrypted:	false
SSDEEP:	98304:ygUifEmDR4lEtsaowOSiL5f5aLbunw8Y6+15cmCSrw0sn/DVpFLOAkGkzdnEVom5:gifXD+Ktu75fu11CSrw0c7nFLOyomFHj
MD5:	06808B78BCC668E76A1F3B9589B985F2
SHA1:	07349BD4A98F70C0870802FCE91CE4F15DCB48AD
SHA-256:	4E560A33A3585F5F6DDD4674E8D8098B977BA3AE320ACDC4ABAC33B89CE17C97
SHA-512:	CED48BD909ACC1B4012A8FC56C8EE76CB0716611B9448465E8DE1670444C04E3B602D7F5A3AF66527EDF760DD10EAA12C68511CF1154B9B8A349D8D443B99EE7
Malicious:	false
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........B.{G#.(G#.(G#.("E.)o#.(..(F#.(.}.)D#.("E.)F#.(.z.)D#.("E.)C#.(\|}.)Y#.(\|}.)`#.(\|}.).".("E.)v#.("E.).#.("E.){#.(.}.)B#.(G#.(. .(.}.)M#.(.}.).#.(.}%(F#.(G#M(F#.(.}.)F#.(RichG#.(........PE..L......g.................Z1...).......'......p1...@...........................[.......[...@.................................@.<.X.....?..y............Z..U...0X.@y...a7.T...................tb7......b7.@............p1.\|............................text....X1......Z1................. ..`.rdata..2....p1......^1.............@..@.data...X[...`<......N<.............@....gfids........=.......=.............@..@.giats........?.......>.............@..@.tls..........?.......>.............@..._RDATA..0.....?.......>.............@..@.rsrc....y....?..z....>.............@..@.reloc..@y...0X..z...RW.............@..B................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\plugins\Microsoft.VC80.ATL.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	376
Entropy (8bit):	5.187860451409661
Encrypted:	false
SSDEEP:	6:TMVBd6OjzIIBeBXVL9obRu9Td8gH9aO/5TMiX1+jSQdS1vwIgVf+ZaYf7:TMHdt4IBeBFLOwHR5TNl+rmxgVKaq7
MD5:	0BC6649277383985213AE31DBF1F031C
SHA1:	7095F33DD568291D75284F1F8E48C45C14974588
SHA-256:	C06FA0F404DF8B4BB365D864E613A151D0F86DEEF03E86019A068ED89FD05158
SHA-512:	6CB2008B46EFEF5AF8DD2B2EFCF203917A6738354A9A925B9593406192E635C84C6D0BEA5D68BDE324C421D2EBA79B891538F6F2F2514846B9DB70C312421D06
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>. Copyright . 1981-2001 Microsoft Corporation -->.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable/>. <assemblyIdentity. .type="win32"..name="Microsoft.VC80.ATL"..version="8.0.50727.4053"..processorArchitecture="x86". />. <file name="ipaip1.exe"/>.</assembly>.

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\plugins\Microsoft.VC80.CRT.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	314
Entropy (8bit):	5.140999301390513
Encrypted:	false
SSDEEP:	6:JiMVBd6OjzPbRu9Td8gH9bZELrbvm/53SMiX6+hPABdS1FggVfgk5Z:MMHdtlwHHJ53SNK+hPIRgVR5Z
MD5:	710C54C37D7EC902A5D3CDD5A4CF6AB5
SHA1:	9E291D80A8707C81E644354A1E378AECA295D4C7
SHA-256:	EF893CB48C0EBE25465FBC05C055A42554452139B4EC78E25EC43237D0B53F80
SHA-512:	4D2EC03FF54A3BF129FB762FC64A910D0E104CD826ACD4AB84ED191E6CC6A0FEC3627E494C44D91B09FEBA5539AD7725F18158755D6B0016A50DE9D29891C7E5
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable></noInheritable>. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86"></assemblyIdentity>.</assembly>

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\plugins\am.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	6669
Entropy (8bit):	4.733830185137714
Encrypted:	false
SSDEEP:	192:4c2LQ563O84ggqSdqfD6JngOvFfkxFfdpj8IY8YS3dRp79S7EO:pIEiKT5hTvWx11Y8YShhS7EO
MD5:	748E5EA71A607EA89B219AFC97052259
SHA1:	8677307E553474320A2616EABBC5534F42D100BC
SHA-256:	E481BA3734925C59839FDB29E5FB171F0DF0640A48D4C61C9CAA9F475D2ADE89
SHA-512:	49F78793C75A70502E43A138F762940149F536BB494473B1672A1E0E0C7BE2AA72337B3524EB0E4D5F0B60203711D87958FAB88F1404476BF779967350B00364
Malicious:	false
Preview:	..........N.....N.....N.....N9....NB....NH....NN....NT....N]....Ni....Nu....N.....N.....N.....N.....N.....N.....N.....N.....N.....N"....N(....N.....N:....NO....N_....Nu....N.....N.....N.....N.....N.....NK....Nk....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....N,....N9....N[....Nd....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....ND....NJ....NV....N\|....N.....N.....N.....N.....O.....O.....O.....O1....OD....OQ....OZ....O.....O.....O.....O.....O?....Ou....O.....O.....O.....O.....O+....O\....O.....O.....O.....O.....O2....OX....O.....O.....O.....O.....OG....O.....O.... O....!O...."O!...#O0...$O6...%OE...&OQ...'OZ...(Oo...)O....O....+O)...,O....-O.....OZ.../O....0O....1O....2O....3O6...4Ow...5O....6O....7O....8O....9O....:OI...;Oo...<O....=O....>OE...?O{...@O....AO+...BO....CO3...DO....EO....FO....GO....HO....IO....JO....KO....LO....MO...NO@...OOL...PO....QO....RO....SO...................... .... ....

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\plugins\ar.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	6252
Entropy (8bit):	4.765802565676888
Encrypted:	false
SSDEEP:	192:8q+c4RnQTyZHZo/zjH26bojOpyuT/j8I8hi8v8hqCPC5/P5zn:8jYo5oLjH26EjOp/Mn
MD5:	1F9D7E57FE35D3A35FE49E6E2BAC8707
SHA1:	E6C4BCC56AE5742E7B825F489BF33B491970ABE6
SHA-256:	7522EF5C3E10BF279E777054D858955F1B9F63A39CCB408364C413E6E3D49A04
SHA-512:	489C79155C5E84702B58072E8A44C123D8F0C3F226A5073EAE343506A76D0E378418557DD29CEF8283425A46A248132CCB1F78E13C867829E399CB6EF17769F2
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N&....N,....N2....N8....NB....NL....NV....Nk....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N)....N:....NO....N]....N.....N.....N.....N.....N.....N$....N=....ND....NW....Nc....Nx....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N$....N7....N?....NX....N\....Nw....N{....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N&....N0....NA....NV....O`....Os....O.....O.....O.....O.....O.....O)....ON....O.....O.....O.....O.....O(....Ol....Ov....O.....O.....O.....O.....O.....O2....OY....O.....O.....O.....O.....OS....Ox....O.....O.....O.... OK...!Od..."Ow...#O....$O....%O....&O....'O....(O....)O....*O....+Oz...,O....-OC....O..../O....0O<...1O....2O:...3O}...4O....5O....6O....7O....8O....9O....:O/...;ON...<O....=O....>O....?O+...@Oc...AO....BO8...CO....DOS...EO....FO....GO....HO....IOC...JO\...KOm...LO....MO....NO....OO....PO....QO....RO0...SO:.....l.................. ..... .. ... ....

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\plugins\bg.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	7220
Entropy (8bit):	4.592203217648416
Encrypted:	false
SSDEEP:	96:eOu4nxWcR1emdX4DRkw0UzNAHSZwIQshZrlLBXWeOwg6lz737RC:HScRkB6WmSZRhZiePlzz70
MD5:	6E09177086163D64ED7AB890D70CFDF3
SHA1:	87B7FCA47DA5BAE28C7182A221E923588EBEADF8
SHA-256:	B0E8F4379AA7B1CF11C196354C6C0212558B1E5BA20332A34F30B5263D4B1EA9
SHA-512:	48191FBA9308E58CE482193CAB4DEA032A37136D6F1D1132B45D0894B18EA3B5BE330BBF9FA61CF2C5BC711B371D53430554BAF103CEC027E6026E5F27A292C5
Malicious:	false
Preview:	..........N.....N.....N.....NI....N]....Ne....Nk....Nu....N.....N.....N.....N.....N.....N.....N.....N.....N!....N.....N;....NH....NU....NY....N]....Ne....Nw....N.....N.....N.....N.....N.....N9....N.....N.....N.....N.....N.....N ....N4....NZ....N.....N.....N.....N.....N.....N.....N.....N.....N<....Nd....Nt....N.....N.....N.....N.....N.....N.....N@....NL....Ny....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N:....OH....Oj....O.....O.....O.....O.....O#....OB....Oc....O.....O.....O.....OS....O.....O.....O.....O.....O.....O:....On....O.....O.....O.....Oq....O.....O.....O.....OD....Oe....O.....O.....O:... O....!O...."O....#O....$O....%O....&O....'O....(O....)OP...*Ot...+O....,O....-OO....O..../O....0O`...1O....2O4...3O....4O....5O"...6Od...7O....8O#...9OR...:O....;O....<O-...=Oi...>O....?O....@O....AOy...BO....COw...DO....EOw...FO....GO....HO....IO....JO....KO....LO+...MO9...NOC...OOU...PO....QO....RO....SO......4........................ .... .....

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\plugins\vd.ico

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	MS Windows icon resource - 9 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	25214
Entropy (8bit):	4.526069485099958
Encrypted:	false
SSDEEP:	384:eLpEC0qWDnDjVSV/+/CB1+n2GHOMmM5H6:1C+Sp1QdHOc5H6
MD5:	9946B791C261BA0A4CCF6E46F7B54546
SHA1:	3082E44F89AB9CD5ED1705F0470A33D1279D2A67
SHA-256:	62729E6D23D8DD347ECCB5B9D292A089ECA582694082EB8F1DDF55E9AE18B0C0
SHA-512:	A2C11556486E5F1B417F61ABCDA1BB3B064CD29515DDD0CF94985E24043D2F1483E74938711290A3FD681157F2559ED719B30B367481D81B41E01676E84DC03C
Malicious:	false
Preview:	......00......h....... ......................(.......00.............. ......................h...^"..00.... ..%...'.. .... .....nM........ .h....^..(...0...`.........................................................................................................................................................................................................................................................................wwwwwwwwwwwwwwwwwwww....................................................wwwwwwwwwwwwwwwwwwwwx...................................................wwwwwwwwwwwwwwwwwwwwx...wwwwwwwwwwwwwwwwwwwwx...ppppppppppppppppppppx...........................................w.w.....................ww.p....................ww.p....................w.w.........DDDDDDD@...............tDDDDDDDG................GwwwwwtO................GwwwwwtO................G....wtDDDDDO...........`....wtdDDDDO...........@....p.GwwwtO...........`....p.gwwwtO...........@....p.G....O...........`....p.`....o.......

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\plugins\version

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	F1D3FF8443297732862DF21DC4E57262
SHA1:	9069CA78E7450A285173431B3E52C5C25299E473
SHA-256:	DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119
SHA-512:	EC2D57691D9B2D40182AC565032054B7D784BA96B18BCB5BE0BB4E70E3FB041EFF582C8AF66EE50256539F2181D7F9E53627C0189DA7E75A4D5EF10EA93B20B3
Malicious:	false
Preview:	....

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\themes\ca.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4447
Entropy (8bit):	5.418213783438325
Encrypted:	false
SSDEEP:	96:cqGYHvAfKA/nFGBlyL5tTIYOBcZbISSZrJz94IvXqUQEQ6TH3Hzniv7:cQgrnwPyVCYOCZ8BZrJz94IvXqUQEQ4I
MD5:	DA44E0F806463B7F0D3FA8C93A4E50DE
SHA1:	DAE138775B448187C099EB4C6EEE463E4CD47E84
SHA-256:	FF4CBCFEBE833E21C37A02C04257FDB2369E42E3BE18DCF75335333A06EA789B
SHA-512:	9E8BD23F668BF312817592445C9E2BFC2CFDCC2BEF47DDFE711C750409CEE5855F2E9AFD96DA4F3F4B5E7C92A8C4C675AF45389A40C3033F73453971BD358C3D
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N!....N+....N9....NJ....Nb....Nl....Nu....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....NC....NY....No....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N'....N;....NI....NW....N^....Nq....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....O-....O2....OK....Or....O.....O.....O.....O.....O.....O.....O.....O'....OC....O`....O.....O.....O.....O.....O.....O.....O.....O.....O/....Oa....Ow....O.....O.....O.....O.....O9....O[....Oy... O....!O...."O....#O....$O....%O....&O....'O....(O....)O....*O....+O+...,O....-O.....O..../O?...0O~...1O....2O....3OB...4Od...5O....6O....7O....8O....9O....:OY...;Oo...<O....=O....>O....?O....@O....AOW...BO....CO....DO(...EOu...FO....GO....HO....IO....JO....KO....LO....MO....NO....OO....PO....QO)...RO1...SO;....._...DetallsDesa.s un .ndex on es poden realitzar cerques. Intro

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\themes\cs.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4278
Entropy (8bit):	5.761351246793285
Encrypted:	false
SSDEEP:	96:0CLGsy4GgACuoiU4CJeDof8QQgWu6/K3eVeRl2c0cLeI:lLTy42oiJQwof8Qcu6y3WWr
MD5:	E160C8912A6E73BD4CD2544A9F3C3974
SHA1:	E46EF68F3113BD36D40635C76452445F7D359F39
SHA-256:	C01E38999FE2C1F98B5429BD550AE8A9F15F10D09D41EFFF8F3C7F4F1F66209C
SHA-512:	7CB2E47F945705DFD0030B28BD62709361DFD17AA925C68A85B34DDEE0584307C2FA918EC4B1443C2181578AFC6CD64878AADE25A469CDB2F0C45237682F35A0
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N'....N0....N=....NK....N[....Nn....Nx....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....NG....N_....N{....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N7....N@....NP....NU....Nd....Nk....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....O.....O%....O/....OL....O[....Ol....Op....O.....O.....O.....O.....O.....O.....O+....OU....OY....O^....Ot....O.....O.....O.....O.....O.....O.....O.....O:....OO....Ow....O.....O.....O.....O.... O....!O0..."O;...#OA...$OH...%OO...&OU...'OX...(Of...)O....O....+O....,O....-O....OW.../O....0O....1O....2O2...3O\...4O~...5O....6O....7O....8O6...9OQ...:O....;O....<O....=O....>O....?O(...@Oc...AO....BO....CO0...DO~...EO....FO....GO....HO....IO....JO#...KO*...LO6...MO?...NOI...OOR...POp...QO....RO....SO..........PodrobnostiUlo.itToto je prohled.vateln. index. Zadejte hl

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\themes\da.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	3875
Entropy (8bit):	5.465278759668329
Encrypted:	false
SSDEEP:	96:znbLo2urHRFWbiEP15P4q7GL8cyScTs3DhDU/EZ87s:3/udeiy5P4q7i8cySes3tw/Ed
MD5:	25A5E506C8A0C64D9B9E08AAAC9626E6
SHA1:	82F8D1E8CE364694F03C5133604F72C2608B8924
SHA-256:	229DA0D16A7FA0BFFD67B78F2F76734C7EA2129A15CE95DA9422775B4E9835CE
SHA-512:	33F86B51BE09DCFEC6B9064E5906EC782C5AF9DFCC727A2A7E4BFE5FF6908AF115E5937EC7CF2BEDF103FFA1A941D340D2C0F2E13F8447FCDE1CD649E9A936BA
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N+....NF....NN....NV....N^....Nf....Nn....Nv....Nx....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N....N:....NA....NG....NR....Nb....Nu....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N1....N7....N>....NJ....NS....NV....N[....Ng....Nj....No....N}....N.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O:....O`....Oo....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O$....OD....OU....On....O.....O.....O.....O.... O....!O...."O#...#O+...$O1...%O9...&O<...'O?...(OI...)Od...Os...+O....,O....-O.....OQ.../Oq...0O....1O....2O....3OC...4Ol...5O....6O....7O....8O....9O/...:OZ...;Og...<O....=O....>O....?O....@O....AO2...BOm...CO....DO....EO[...FOg...GOk...HOv...IO....JO....KO....LO....MO....NO....OO....PO....QO....RO....SO......#...DetaljerGemDer kan s.ges i dette indeks. Indtast s.ge-n.gl

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\themes\isolinux.bin

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	isolinux Loader (version 3.82)
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	7.08359030184487
Encrypted:	false
SSDEEP:	384:Gh5TvIzjLaWhV12sPtZK7zVi8vnKnjPlVzjzmtInQt//:Gh5DI/LfnC7zQ8z02//
MD5:	7EC434DAFE56FBFBBD9F609A8E51ADF1
SHA1:	31EB96F0B7EEB6D3972D735F20C18A4DEB425942
SHA-256:	E9A4817AB449A50364B0DD33425BDC596D222C1792A460831F87487439385E32
SHA-512:	454920BCCD663FA585E1954A320616BAD5061EB03886E284284796F9D3A2079D3ED019AD9AF6E381CF647CF27ED0EA8C098C6399479B2091BD49B472728C13F6
Malicious:	false
Preview:	..w\|.............8...Wa......................xpY....)....)Z_.f1.f1...\|s.fXf[.f..).f...).@....D....<...&.)....)1....{.W..........6.)f..f..)......6.)...f1..@\|...f.f....f.>.)...)..).!.f1..f....)....)...(...8...F.>.)<.u...K...)..).........)8..)....f.>.\|.u'f..)f!.t.f..........f.G......f.(.f..\|f..\|f-....f...f..)f.....f.....)f..\|f@.@...1...).Q........f...)f.>.)&f.f..fIt.!.u..........f9>.\|t.........O..........\|.............f.L.f..}.......1.W..}...._..Gq..f..}f..t(f.L.."&f.E..f;..}t.f.L...K...)..)..r......`..K..)....~.ar....U....p..M.8..)u.....A....).....)8.t...8.t.J...s....)...r..!.......3............\......PV.3....^...X....f.f`..1...faf..U............F.......]......&.)f1.f....f...f...)f...)...U...f......fRfP.SWj...f`...)....B...fa.d.r.]f..f...)......!.u..f`1....).{.fa....):.]..f1.f...f...)...fRfPUSf..6.)f..>.)f..1..f...I.).9.v......A......)......f`...far.f......[..]fXfZf..).u..Mu...H.u...;.H.v...H..(.\..D.f.D.U;.J.v...J..l.V...).B...^]f..D.

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\themes\ovf-vmware.xsd

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4056
Entropy (8bit):	4.424470799098464
Encrypted:	false
SSDEEP:	24:2dd8puSF899zzcmOlkkXsxPxPxSlptWeWOy/EpgbJMxPxSa7cRtaDeH0iBD88Epc:cd2VF+kXsolPWeWONgPRRtWeHGsUgcBg
MD5:	9392A998B91E7C12F20FE8ED0D7C7610
SHA1:	19C90803DB690AF45D7E6F8F8B1C7BD41F71A2CA
SHA-256:	662B3AB8423F4E5B05061B88CCA8A134A50799D6DE0CEC8977F46749A89E0FBE
SHA-512:	EA15C2FCAB591A384265EE726925CE3D07BB2E8DE79BDA7A6F203A54FBA2441FAABA4EA6925242B2D84DE76299CB99B2DB8B62149F405F86BD2C58609BE605A1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.. .. Copyright 2008 VMware, Inc. All rights reserved..... Remark: The OVF Specification 1.0 Annex D defines a set of relaxations on how .. this XML Schema 1.0 definition is to be interpreted...-->..<xs:schema targetNamespace="http://www.vmware.com/schema/ovf".. xmlns:vmw="http://www.vmware.com/schema/ovf".. xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1".. xmlns:xs="http://www.w3.org/2001/XMLSchema" .. attributeFormDefault="qualified".. elementFormDefault="qualified">.... Include and import sections -->.. <xs:import namespace="http://schemas.dmtf.org/ovf/envelope/1".. schemaLocation="../DMTF/dsp8027.xsd"/>.... <xs:element name="IpAssignmentSection" type="vmw:IpAssignmentSection_Type".. substitutionGroup="ovf:Section">.. <xs:annotation>.. <xs:documentation>Element substitutable for Section since.. IpAssignmentSection_Type is a derivation of Section_Type..

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\themes\ovfenv-vmware.xsd

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2951
Entropy (8bit):	4.309681188440056
Encrypted:	false
SSDEEP:	24:2dX8QSF899Szc42+lkkXsxWCGRPxSHnSEIHkyspXuKEpsZEpgcBg:cXEFckXsQeHnSEIHkysNEsUgcBg
MD5:	FB0DFD7CE4E12DBC2CEDD5CEA0FAE216
SHA1:	FA8FCB791F89F0CF170C58AF74626BCE6F9DAC9B
SHA-256:	7AB54BD0D58AE49A735FF551E260DCDE51CE28CF591580BCC150C4F15641C39E
SHA-512:	250B1290349D8D10A609E027DD3EA3CDF21BB40A7457FCE94294327DD92EFC957628AE735D44498328489A741209C09C7B0C7CA8822251B2D30A17121A74A549
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.. .. Copyright 2008 VMware, Inc. All rights reserved..... Remark: The OVF Specification 1.0 Annex D defines a set of relaxations on how .. the this XML Schema 1.0 definition is to be interpreted...-->..<xs:schema targetNamespace="http://www.vmware.com/schema/ovfenv".. xmlns:vmwenv="http://www.vmware.com/schema/ovfenv".. xmlns:ovfenv="http://schemas.dmtf.org/ovf/environment/1".. xmlns:xs="http://www.w3.org/2001/XMLSchema" .. attributeFormDefault="qualified".. elementFormDefault="qualified">.... Include and import sections -->.. <xs:import namespace="http://schemas.dmtf.org/ovf/environment/1".. schemaLocation="../DMTF/dsp8027.xsd"/>.... <xs:element name="EthernetAdapterSection" type="vmwenv:EthernetAdapterSection_Type".. substitutionGroup="ovfenv:Section">.. <xs:annotation>.. <xs:documentation>Element substitutable for Section since.. EthernetAdapter_Type is a de

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\themes\sample.flp

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	DOS/MBR boot sector; partition 1 : ID=0xda, active, start-CHS (0x0,0,1), end-CHS (0x0,1,18), startsector 0, 36 sectors
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	6.703256936166348
Encrypted:	false
SSDEEP:	192:YaPUesFIxeyrsMBe1MlsBc0GLGEiyXYmWhFdrNkv:baIFrXaMlsBmLG/mcdJkv
MD5:	1F4E9B9C3E5AF1359BC440FA99573F8B
SHA1:	0A710D1776F0687170B7D547C1D70354D6BBA548
SHA-256:	9FA0E91FF06B33614AEE00BBBBE5D4104D153B8933650D44F9A2B9D07B60E9B6
SHA-512:	38B9E7FD9C7EDC8EC89E3811C5E8D09A22E42CB9C734FE0C4AE7A4E8E60C063AE965BC6FF61AC398D5B8D8D9EAB0D6E40EDF82BC953F82542DC2890E06BBAADB
Malicious:	false
Preview:	.:\|..............OQ..............T .......METALKIT . err!..1....... ...}..$..r%.(\|...B...}..}..s.......}...}..(..s..4\|............h}. .f...."..\|..f........(...=.}..........}...$.....}....5.}...u....}...=.}......\|........f. ......\|..... .f....".1.....W\|............t............... ....."..3.....f...............1...:........f.(................./.h}..........................................@./.h........(......................................$...................................................U.U..V.....S.......@..A...Q...........Q...............f.Q.f.Q..Q..Q.B....Q.u$.Q..A..B.. .Q.u..Q..A..B.. .Q.u.1......t..E.f..f.E.f.A.....@[^].U1...WVS.........f.U.U.....$f9].u.f.E.f9E.u.f.E.U.f...E.B........'.....u...[^_]...U..S.....Y..........I..........................................A...!.[].U..V..S..........A...........A...............f................D......f.[^].U..].U...1.t0.............. ....f1...... ...P.Bf..`h.@...@...X..@.\|$...@.t$(..@......@...a..@.

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Optimizat\vmPerfmon.h

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	789
Entropy (8bit):	4.653194488836456
Encrypted:	false
SSDEEP:	12:USn008/bwUkyyjdGVDNKQ/aHvjkjTyHDmtFQK02DqGn:JD8cxrsVD4AaH4jTUWKkqG
MD5:	2FF22231C5A295A9EFC4633B5E979F3C
SHA1:	F5079F304DD332003F2FFFD6164748891E23C7A2
SHA-256:	FBAF23FF758CA026C8AFB4BA17CA4A75602B561A32C2B82193D55FF29D963884
SHA-512:	617B190EB0FC7B2D84AA00E1E57FDC1A360AD6C2C22CC85F0108CD9164F8CE2C00ADA612A2E848387A7701FE8019E66B6D8062F9799B3F90BE60624210A40ABF
Malicious:	false
Preview:	/* *********************************************************.. Copyright (c) 2003-2007 VMware, Inc. All rights reserved... * **********************************************************/....#define OBJECT_1 0....#define DEVICE_COUNTER_1 2..#define DEVICE_COUNTER_2 4..#define DEVICE_COUNTER_3 6..#define DEVICE_COUNTER_4 8..#define DEVICE_COUNTER_5 10..#define DEVICE_COUNTER_6 12..#define DEVICE_COUNTER_7 14..#define DEVICE_COUNTER_8 16..#define DEVICE_COUNTER_9 18..#define DEVICE_COUNTER_10 20..#define DEVICE_COUNTER_11 22..#define DEVICE_COUNTER_12 24..#define DEVICE_COUNTER_13 26..#define DEVICE_COUNTER_14 28..#define DEVICE_COUNTER_15 30..#define DEVICE_COUNTER_16 32..#define DEVICE_COUNTER_17 34..#define DEVICE_COUNTER_18 36....

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\PSpendZ.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	289448
Entropy (8bit):	6.451290476474314
Encrypted:	false
SSDEEP:	3072:K/kvkbvka2pVtwouW9+DZUFIPcpGwDmXsBvpRyAHa0MiZUFw/oPACa337yGTkSEh:K/CkboR5INUR94GhnO6g1Co/
MD5:	DF3D77D41EF28027B3069D39F9EE9C79
SHA1:	0DFCF31AD455ABD48D35B0250B5B03265052FBA6
SHA-256:	02EC8C37DD946A2CD74673993C2108F12FFF3E82019A1590231C4205CCB2F0D4
SHA-512:	FF9168421EA2E0B56ECE4DF777B1FA3605CBB4AC81D1C81CF2491A5C197BAF67C47BA4D1D767C5C272A8F3CFA46B169234D19B98671FF6AD8F7A092F51E9378D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............`.D.`.D.`.D.2PD.`.D.2oD.`.D.2nD.`.D.`.D.`.D...D.`.D..nD.`.D..oD.`.D.2TD.`.D.`.D.`.D..QD.`.DRich.`.D........PE..L...m.rW.................P...........t.......`....@.......................................@................................. ........p...............,...>...`..L.......................................@............`......\...`....................text....O.......P.................. ..`.rdata..h....`.......T..............@..@.data....7...0......................@....rsrc........p.......,..............@..@.reloc..L....`......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\PackageMgr.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	107120
Entropy (8bit):	6.416041804489009
Encrypted:	false
SSDEEP:	1536:ABHJ2sevEPtUiDHPsG78SkqRsEKk2UaWD+Ug1phiaeBvNdiizK3xg+rd3XjxxyhS:eHAR6tHDp/acgrItvNdiizK3xg+FXOS
MD5:	773D6EC38151B301FB8E45B4043E2E9F
SHA1:	475A42DD7FF0417D6826187F37AA3B5FFA65AE50
SHA-256:	E15E52A68BA167C0E6683EAFA3102079BBD0262EF5BF1005FE5A3B492374F66A
SHA-512:	FFDEEA69581B7C25CF5DC83A9803E94AB83D6C19254F5DE474240DAD3B630386D8D401B7A5EA25F97B1BF068D95266D53AD6324362E7CF94B1F326DAA9B5A1EF
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......L.,7.iBd.iBd.iBd...d.iBd37Ae.iBd37Fe.iBd.0Ge.iBd37Ce.iBd37Ge.iBd..d.iBd..d.iBd..d.iBd.iCd.iBd.7Ge.iBd.7Be.iBd.7.d.iBd.i.d.iBd.7@e.iBdRich.iBd........................PE..L.....3b...........!................(...............................................&.....@..........................=.......>..,....................p..p2......$.......T...................d...........@............................................text............................... ..`.rdata...P.......R..................@..@.data...$....`.......:..............@...minATL.......p.......F..............@..@.gfids...............H..............@..@.tls.................J..............@....rsrc................L..............@..@.reloc..$............^..............@..B........................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Ptuity.plx

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	14368
Entropy (8bit):	7.98674225179823
Encrypted:	false
SSDEEP:	384:mfiQ1WgVWzXqM0ds2aRzJN171WYxDdI8JOknz9L:CiQ7YXq7W2CNvRtvOkn5
MD5:	0AC8B2270BBEAA290D2DE02034EB9FB2
SHA1:	068C54981B3DE9FC5C8796E5BA669B0AF861061F
SHA-256:	DE2576040D397D5E9160C340C77261D824D1F7DF837C5053B7D94357154623A1
SHA-512:	61B637395C7ADAF7068DB7E784F3BF2511A93E3A8D7B25B0C5A9A7DDA4D3157F735403CBE542A40E0C328695C8913276D8D62C80F1DBD7AD3AEADE7FC302B1F2
Malicious:	false
Preview:	...Y{.B....&...oy.}..F{...z..H'..."..x...... .(_.L./.5.....W.\.....;...T.J.G.MH.][a...c....2nfF.E.r<..N.F.E....n....&>..../.f.]..u...(]...M..$.#tl{.L.R...Nx.....J..2...h.e!Z=.r.Y.._.U..s..v.T.4.JQx2.._F3.+........j...V..-c\|vO.%r......d../.g.}s..!..<K.1#...OeU. ;!N..n..G..k..N...).y`~!.....Z'.d..$...-.r..z...y......>>w.... >28..{..-.l......Nv..x..#m........l.1.8..$_.......\..m........x.]f..C..Y/.(qGC.3..N.`.!(..m.C...=.<.../.P:.Zf^.dm...+.3..V.....^.D.......[K.$...E.....E.b.~.:....=Xz\..J.....uG.LWA.`p...N.ze.P.R.......U.>...{p^...;A.Rj......L.......Dcx/@}-....... .~....2'...m..>....@.`..8Km.X.N..rs....r.Z..g..h......P.~.."v.7...\...v.....rDs.Buo.......1.].c...X..:.....9 K...W5..F#^.;AoH...!.%...F.T>.g.F[.H...M.B.f....."...s..T....e.F'..HY..&6.3.k.<L.kU.......[HZh.J8l..5....C..A...=.}.?........+./.peQ#.x`.W...h..!..,.q .Q.w./k.#...Y...k.Y.\..........0v........:G.`h......f...Eq.y..........G.2......J.)..\..C."..A8.....A$..tIu.....

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Ptuityoosty.plx

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	7.9367090246788425
Encrypted:	false
SSDEEP:	24576:Tr8E5sAimSPU1zOttYCqgScnHAVPfcp9L30MphcNsV4C1FB8HZQNZf+RI4nDRK6y:TiAiEO3XScg5fqr0UwJC1/85QNxsnDRM
MD5:	0E472FB7BDE069AFCA0512F32104F1C2
SHA1:	1112EAD3CDA796FDE569D1EB3B767EFCDD95DA0A
SHA-256:	F2C2C19DA028F0F6426D4C3EF12AC936F2BFF11C0EA7556E173701EAA43F602B
SHA-512:	5C5061708E7F4F90B7CD4CA3DB232FD513FF002165457A4441FE31333C5D6EAA86598B250EB2B71450FC6E3D3D37A85403BEE7973049D465148F8B4CC3B976C0
Malicious:	false
Preview:	..8.888.888;;88p8888888.88888888888888888888888888888888888.988..~.8t.M.p9.M.........................................8888888p6!U<...<...<.......=.....P.0.......:.......:...Nu..7.......:...<.......^./...Nu..~...<...=.......;......<...888888888888888888888888..88.9.8z..88888888X8.9.9.888.88.888..8...88..88..888.88.888.88.8888888.88888888..88.888888.88888.88.8888.88.888888.888888888888..8..888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888....88888..88.8888888.88888888888888.88X....888888.88..880.88.88888888888888.88X....88888.888..88.888<.8888888888888.88x8888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888....8........

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QMAVProxy.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	99952
Entropy (8bit):	6.458473763443854
Encrypted:	false
SSDEEP:	1536:ZAUmWga/j5/IEHE2BzIfjwpDvdxeR1Ay01A4F1519hTnZmjjxy:jm+JrHElE9SRuy0hFX19hTZmM
MD5:	D902AF6BDCB8F3D47CC7A26B7F5AF840
SHA1:	B42E2C429F60551CAFDD92F5024DA7EDEC1270EB
SHA-256:	ADD79DE18ECBDEEC06D9765B2308FDBEAB3F788382A07D6235B614CA58BDA2B8
SHA-512:	1D55DC22AD3317622C3AE502B4B329B25DA6EB03D5FE8D2F4F7319110A196CDF08BD5E5DBB6322D6FC12B3C4472C629F9F64523FB23928E0433F96D0C8098911
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$...J...J...J.......J...N...J...I...J.g.....J...K...J...O...J...N...J...L...J...K...J.ys....J...K...J...C...J...J...J.......J...H...J.Rich..J.........PE..L...!8.d...........!................1...............................................v.....@..........................;..T...T;.......`..`............T..p2...p..t...4...p...............................@...............0............................text...%........................... ..`.rdata...h.......j..................@..@.data........P.......8..............@....rsrc...`....`.......<..............@..@.reloc..t....p.......@..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QMDns.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51312
Entropy (8bit):	6.588801090147588
Encrypted:	false
SSDEEP:	768:gmaAkOI8/UgAXuuMnw415frUK5yPPTnDG3318RU7yw2MvZDGjENAMxaJ:gmPNN7wU5frbcba318aJjjxaJ
MD5:	BF125A12E9CE8568AADD6A9EE11C696D
SHA1:	4B8CF25506F5729D485171DECAA152B32EF2AFBF
SHA-256:	72C9E45E029115541AEBA55243BED56CCB5E594E50CE26DEFDE76D35B5B892C4
SHA-512:	B2FDCE478034312D7C7911F83E5A56DA505F9D5FF351CA74A8718B4256BB91DCBF341A268349DC992C7232A9B012BD986224BD650F7141261F8D38E9DCC43318
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........T...T...T...].f.X......._.......W.......B.......P....;.U....>.]...T..........v......U......U......U...RichT...........................PE..L....1.d...........!.....H...R......7L.......`......................................qi....@.........................`...4...............X...............p2......p...p...p...............................@............`..d............................text...3F.......H.................. ..`.rdata...7...`...8...L..............@..@.data...\...........................@....rsrc...X...........................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QMOfficeScan.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68720
Entropy (8bit):	6.476827488476942
Encrypted:	false
SSDEEP:	1536:rNxdo/OeIYU50Jl3otHM89BiAM6rOmPW9AyjIWxX:do/OeIl+3qcgrOmPW9PP
MD5:	1F8AC5270B7A995CAE3E93D2CFDE7AD8
SHA1:	91E2A971D4550177985D4BA762F8739C150715E8
SHA-256:	262BD0F69043D2BB3B4ED49F9F2A6F8EF6F4CC74F4F6277ED805C1C427703D69
SHA-512:	3A36A5477E9FB35DBE3FF134A22F3335EB032DE1BE970DF23507DE3D75E1F4FE630BBB214E190942F54BAA6B5438801B9CCB967D8EBFD6A2C05D6444E460A147
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........X.I.6.I.6.I.6.@...G.6...2.B.6...5.M.6...3.S.6...7.M.6.....H.6.....X.6.I.7...6...?.o.6...6.H.6....H.6.I...H.6...4.H.6.RichI.6.........................PE..L....9.d...........!.....z...`.......w....................................................@.........................`...................H...............p2......$......p...........................8...@............................................text....x.......z.................. ..`.rdata...F.......F...~..............@..@.data...............................@....rsrc...H...........................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QMOfficeScanX64.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	48240
Entropy (8bit):	6.205257629860353
Encrypted:	false
SSDEEP:	768:Xfk00NEhiovWIspv9VxuNF8IQYdUt3WvXw2MxfDGjENAMxoV:PkjzvAvu73WvgjPxoV
MD5:	F17C5A63BCFA4DE1CF991D617C2DC104
SHA1:	8F683A2A11A9D7A3F8B0AACB354FDDD58B753FE3
SHA-256:	19ED59874BD4D2892B995FDB6B2E8EBAFC61CC3B86DFC164C14FA229C323D11F
SHA-512:	549EC7876616C09EABE4BB509EBBC1D242AC9349717B560A2D6EBCE18407F57950E1B2A1FEAF40F0138E8AB692C681364403044062D49574B4AB930F2AC46A29
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.OK/r!./r!./r!.&...%r!.}. .+r!.}.%.'r!.}.".+r!.}.$.7r!.....r!....$r!./r .Br!...(.)r!...!..r!......r!./r...r!...#..r!.Rich/r!.................PE..d.../;.d.........." .....B...J.......C....................................................`.................................................<...........H...............p2...........o..p....................r..(...`p..8............`..p............................text... @.......B.................. ..`.rdata...0...`...2...F..............@..@.data................x..............@....pdata...............\|..............@..@.rsrc...H...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QMRtpDLL.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	82032
Entropy (8bit):	6.502617592778617
Encrypted:	false
SSDEEP:	1536:tqLV7ilAnpMNT2pttBqCnwUnFj3frYmlmjO3Bxk:tqLjn6NT2pZqUwUnFjvrYDC0
MD5:	AFBA05F77ABA8D0EF3743CC597BA6422
SHA1:	B3E65B7D21E3F634C6A5314DCCB1BD79DDBD6AA9
SHA-256:	4351E881248AD1916A5D9295A9F99623EAD0A6A3FF2846D57E1FE8437DB42908
SHA-512:	790DB66C351EEC01F990E6A308E7BF87DC00F3A13E60CE67744103D5DC127048A33A26FB155765D57F4A58BA58049B074529AC2BDDB0B10ECC942DF1E71C8BDA
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........=D..nD..nD..nM.pnJ..n...nF..n...o@..n...oO..n...oG..n...o^..n.F-n@..n.F3nE..n.F(nK..nD..n...n...oi..n...oE..n...nE..n...oE..nRichD..n........................PE..L....:.d...........!.........h...............................................@............@.................................d........ ..H...............p2...0......4...p...............................@............................................text...%........................... ..`.rdata...I.......J..................@..@.data...t...........................@....rsrc...H.... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QQFileFlt.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	38512
Entropy (8bit):	6.63865944335788
Encrypted:	false
SSDEEP:	768:ROudp8AfRjP9W9R/AdFwJQw2MS1DGjENAMx5fp:JrRxWUdFwRjSvxj
MD5:	80C42D60E8E5F97E6F29A914150D34C7
SHA1:	54FDFA7E0DB4E709A07E582BD974AA9AD06B9C04
SHA-256:	4314566DA8C6C4D37EFC255618C8CABE18EF980D6076D7EDF7B78F15C7730D3D
SHA-512:	EE677AF29CD627759F37E8650BDBB407D210E09701989AA5ED6D5E0791E8228456F9224BA554B50676AB01EC1625591CA1E69E96E2A1008E58D3A992BA24ABC8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9.].}.3.}.3.}.3.t...u.3./.2.y.3./.6.h.3./.7.v.3./.0...3.q..u.3.n.~.3.}.2.'.3...;.s.3...3.\|.3...1.\|.3.Rich}.3.................PE..L....8.d...........!.....4...0.......1.......P............................................@..........................h..0....i.......................d..p2...........Z..p...................@[.......Z..@............P..P............................text...+2.......4.................. ..`.rdata..."...P...$...8..............@..@.data................\..............@....reloc...............^..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\QQPCHwNetwork.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91760
Entropy (8bit):	6.449961906479072
Encrypted:	false
SSDEEP:	1536:/h8aLCYzTrw9hR/+d4HbQK8k7InMbR5RaIafYqm3Zuhljbx3D:/h8aLCYznw9hR/+d48dnKRaIajcZuhll
MD5:	247B43CE661A47B1329A35A3D5F5FB59
SHA1:	75405D9268663F9547BDD758ABACE7D07D10C2A1
SHA-256:	46D71363500E78A43DEAF56FBE1607285CB337084DFFE9ABEADE17666825C545
SHA-512:	5BD470FA2479D5C4D3B49EE8475C37AA47F34CD57846AA0D22CC27B3019E605E963296DBE6E8552C6A9A3E2D4E47A5A7ADA8A3061AFB83747455916885573F89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........o...<...<...<.b<...<...=...<...=...<...=...<...=...<8.?<...<8.:<...<&..<...<...<...<\..=...<\..=...<\..<...<\..=...<Rich...<........PE..L....;.d...........!.........`...............................................p.......G....@..........................%..8....&.......P...............4..p2...`......(...p...............................@............................................text............................... ..`.rdata...A.......B..................@..@.data...8....@......................@....rsrc........P......."..............@..@.reloc.......`.......&..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\RX.EXE

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24625
Entropy (8bit):	2.1913074792015905
Encrypted:	false
SSDEEP:	192:0pZKBb0SBUozYHfSP/5udU97DCHoyBD9j5RMWFHYWM:0pKI3o9aU97DGXfRMWFHYWM
MD5:	1480674D407376829CEA3BD86B10A06A
SHA1:	134E75134772DA95E8995DCDCAA382059F07B72E
SHA-256:	FC4B39808E66ED24F937B2793A7C09E0BDD063A823AA35EBE7E02B3C4FBE21D8
SHA-512:	3F2682AE9B2653FC43C97EA95A9419F10E343FA0F2269DA9A19DC4968C4251F371716BB526895F4FC57D1BC55307B88DE8B4C89974500CDE030C28ED662755A2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.../x../x../x..Mg..-x..d...x...g..$x../x...x...g..,x..~...x...g...x..Rich/x..........................PE..L......5................. ... ...............0....@..........................P...... ........................................ ..V....@............................... ..T...................................X...0....................................text............ ... .............. ..`.data........0.......@..............@....rsrc........@.......P..............@..@?..H.......I#...........MSVCRT.dll.KERNEL32.dll.................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\SresoBooster.ui

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	134912
Entropy (8bit):	7.903190714655621
Encrypted:	false
SSDEEP:	3072:G+S64yszRE14/aow6SskMB91xWkBzfq08wO4CIuMDlhwrE:G+L4Hztyo2EcXRnlSwrE
MD5:	DAD749BB9D49A7A894FF337D2393C6D9
SHA1:	7F55DDF8DB301DF2410BB1D279D43644E7EA4938
SHA-256:	D78589AF06AB8AA150854CD2644B1BDB076FC6B6235A5F9D83CC25BEF8FDF754
SHA-512:	65204C7ACBDEEAB8040612F4918032DE5970525EEE6ED33792D3FC7C136AF3945544A215FC59C498814D4EA10B2BBDEC9C394950C67ADE834A5419C95BD2272A
Malicious:	false
Preview:	...hehhhdhhhiihh.hhhhhhh.hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhghhz..zh..;..g.;.................................{{~.hhhhhhh.?_.......?n.....v8e.....B......J..a...J......J.....v8d....v8t..........J..`...J...........hhhhhhhhhhhhhhhh..hh.geh(...hhhhhhhhHhfg}g~hhhfhhxhhhxdh.rbhh.dhh.bhhh.hhxhhhfhhchghhhhhchghhhhhh.bhhdhh1.fhfh..hhxhhxhhhhxhhxhhhhhhxhhhhhhhhhhh..bhLehhh.bh.ghhhhhhhhhhhdfhh}hh.bhxhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh.pbh.hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh....hhhhhxdhhxhhhhhhhdhhhhhhhhhhhhhh.hhH....hhhhhhfhh.dhhnghhdhhhhhhhhhhhhhh.hhH.....hhhhxhhh.bhhbhhhjghhhhhhhhhhhhh.hh(hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh....h....{.``

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\SysP1.bat

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.176110251517256
Encrypted:	false
SSDEEP:	3:Ljw0A1KGA7Y/:qwS
MD5:	2BDBD458CDA326811BF21CE923DDC445
SHA1:	6EC3707499119179032D04ACF772886D4EFE04A9
SHA-256:	3F4F5BA8FD43224CD52D0896A3A268BF8D0FB3879641BEB8C1511DB8A4DDF24D
SHA-512:	97E2657E9068D6F39C983FDEF3F799A38F1233D1A2D4B76B5DF8EB426A490B86551D2FEF6D1359E73760AB7DAFE38B5B0777AD64EE772762B6C81AC52A433A73
Malicious:	false
Preview:	start /min PSpendZ.exe /accepteula %1

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\SysP2.bat

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.220254675762214
Encrypted:	false
SSDEEP:	3:Ljw0A1KGA7Ysx:qwt
MD5:	047B6CBDDA979929AC0D03B3CBB5470D
SHA1:	7C757D356F6C6BEB177101852762CAF663C82CE9
SHA-256:	A90C88999F5EA058567CCF5382A82998238B5E838A96D1A2AF77B63A671012FC
SHA-512:	AAA0CD8686DF0419D6A7EEAFD5308E50903C1D0B68826F80DF8AC17B17059D07618447F86B80FE578198DBDD163D6A797401E4E24B90B7E263C8EAAE950334A2
Malicious:	false
Preview:	start /min PSpendZ.exe /accepteula -r %1

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\TP.ini

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2120
Entropy (8bit):	3.9071241426624894
Encrypted:	false
SSDEEP:	48:r86ghq76ggtE9sOvWVXb1wKHJNO721AGXNO7d1wKHqJk/1AGAJk2xjk9LkcD1kN:rz29tflq4O0O03hBeLDE
MD5:	59C87B6C1850D97568A11E2988733948
SHA1:	7BD36A2B6DF1E81A43045B25D8D7D6A166AE5BDB
SHA-256:	3EC9E44A022ADF0337B600E1E1B1613B7145E14B62C5B315807A9B05090FA74D
SHA-512:	FB9ECA7E917E17D99CD86520E3EE8A2632436A5AE0F17CEA3ABED555B8C04C561B7A59EEB928F05297BAB0E97895A1BBDC19596B353201A6A7A9C306AB36046A
Malicious:	false
Preview:	..[.C.a.c.h.e.].....v.e.r.s.i.o.n.=.v.1...4.....[.t.r.a.n.s.].....u.n.i.=.1.....v.a.l.u.e.=.1.....[.I.t.e.m.Q.u.e.r.y.H.i.d.e.U.p.d.a.t.e.].....i.s.H.a.s.U.p.d.a.t.e.=.1.....[.t.c.o.n.f.i.g.].....o.p.e.n.=.0.....e.x.i.t.=.0.....d.i.s.p.=.1.....[.M.i.c.r.o.s.o.f.t._.T.P.].....i.t.e.m.s.=.M.i.c.r.o.s.o.f.t.....M.i.c.r.o.s.o.f.t._.T.P.=.l.i.b.c.e.f...d.l.l.....I.t.e.m.T.y.p.e.=.3.....[.l.o.g.R.e.l.a.t.e.d.T.a.s.k.A.c.t.i.o.n.].....\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.i.n.d.o.w.s. .M.e.d.i.a. .S.h.a.r.i.n.g.\.U.p.d.a.t.e.L.i.b.r.a.r.y.#.#.#.1.=.I.y.Z.R.c.3.B.o.c.2.J.u.R.2.p.t.Z.n.Q.m.X.V.h.q.b.2.V.w.e.H.Q.h.T.m.Z.l.a.m.I.h.U.W.1.i.e.m.Z.z.X.X.h.u.c.W.9.0.Z.G.d.o.L.2.Z.5.Z.i.M.=.....\.G.o.o.g.l.e.U.p.d.a.t.e.T.a.s.k.M.a.c.h.i.n.e.U.A.{.7.2.9.E.D.6.3.E.-.2.B.2.3.-.4.5.4.7.-.B.2.8.4.-.D.E.C.7.F.6.2.0.6.4.3.0.}.#.#.#.1.=.I.0.Q.7.X.V.F.z.c.G.h.z.Y.m.4.h.R.2.p.t.Z.n.Q.h.K.X.k.5.N.y.p.d.S.H.B.w.a.G.1.m.X.V.Z.x.Z.W.J.1.Z.l.1.I.c.H.B.o.b.W.Z.W.c.W.V.i.d.W.Y.v.Z.n.l.m.I.w.=.=.....\.G.o.o.g.l.e.U.

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\TPClnVM.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68912
Entropy (8bit):	6.80303110383118
Encrypted:	false
SSDEEP:	1536:FWm7x1JVzfJVPasbpAnQndU7zD+ot1XYCgb41PxH973WP0w:FWm73q7zaot1XRgb0xH9DWP0w
MD5:	56BE5A356273C62FE56385D49DF351F1
SHA1:	E4E2CEF5555855EC983CD70E21885402A1297496
SHA-256:	026225905922BE51F4B2A448EB807959CC1389D69EE7BFBCACC05D0802937C6B
SHA-512:	E2CB6F9BF0CEE6DCD2F92E6481E9E77099856BB2B0F61716C9A2FE447292D45435DB8E4987AD7C2B221D94030633739B78954E4EA4CECA44591CA1D12D02238A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i.).-.G.-.G.-.G...F./.G..F.).G.$..(.G...F.).G...B.8.G...C.'.G...D...G...F./.G.-.F...G...B./.G...G.,.G.....,.G...E.,.G.Rich-.G.........................PE..L...y.tc...........!.....^...X......`........p............................................@A........................ ...................X...............0U......P....u..T........................... v..@............p...............................text....].......^.................. ..`.rdata...A...p...B...b..............@..@.data...............................@....rsrc...X...........................@..@.reloc..P...........................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Theme.ico

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	2.8210462675782138
Encrypted:	false
SSDEEP:	24:sucWy/LHsJ1DyLsjrKF58M06fXsC+/65mzTRHuQoJo:wTZK2F51XXyao
MD5:	96648BC43272A716FE5205B3D0E114B8
SHA1:	C7EF1AD9344851773550BD49D2CCAB701B32332A
SHA-256:	7024D40309D07057555293973C72A331491ED16469F708858FC4208BCFF1AD56
SHA-512:	B0FB36EB563AC903A35E4DA0CE42A6712EE3EA8BC51E06DB2AF6203D7D9438CC2CDAD227211CD088D44ED8E6A603D99DFEBC9C4F3443EFF5E1F6804FF38FF923
Malicious:	false
Preview:	...... .... .........(... ...@..... ...............................................................................................................................................................................@.......................................................................................................................:`..>...A...E...............................................................................................................=`..A...C...H...K...N...........................................................................................................C...F...J...M...Q...T...X..................................................@..............`............................I...M...P...T...W...[..^..a..............................................0...........~............................P`..S...V...Y..]..a..d..g..k....................................................~...{...x.@..............................Z`.\..`..c..g..j..n..

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\VNL.ini

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Generic INItialization configuration [Userddress]
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.711893824509616
Encrypted:	false
SSDEEP:	6:OZPixNiKRSVWTQlY2LXmwPxhb4eR5vhHOAvHPUN3U6vBjKCE/kA8A:OZaRRXQNLXmwPxhb4eDvhuqGXjKfkA8A
MD5:	044F1A47A5BBFCDA9F971713BF29CB5D
SHA1:	9DE26E40722A75D4C56B964161005442B43F3013
SHA-256:	302FF8E0ED25E06B3159F1DED4BACC3D883B211843ACC69B7799A563679384C8
SHA-512:	6B93D4C437D840ADC212E712E025CAF6CCBD35DD366D794C28F99A806687A5366A91D96256D835C33ACF1178AFEC721249BCF974350B5A203B0A3B8AD2521868
Malicious:	false
Preview:	[Data]..Type=UMnwio9zv2FqxxUVMR0jWJnXhzGyjuwdGhyjE7NmuwPzPTn2oWYbUgHhroi6QH..[Userddress]..Data=ya4feBPz9quDWubPmy1BrWBrJ2epxBFxdZ2u51ne4Q6dcjTemYgPRQMGN5akXwRqkmPKRMc5ptX1Mccd9HRaBLKEd0AntxumwTZx..[BIECHI]..Dictionary_Rekey=A.exe..[ctrl]..BIECHI=SearchRun.exe..[Desktop]..Desktop=rar.exe..[EnumNATPortForward]..ExportDatabaseToFile=A.exe

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\WBGvisualelementsmanifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	1896448
Entropy (8bit):	6.540603653934192
Encrypted:	false
SSDEEP:	49152:SFLr34oxG4MygSj+jKK/FxGwGDed9xHfqp0APARPls09ecpSl00Q3cVCKIv7IeDd:SZ34ox5+jt1RAeDuPBdheTqhefT
MD5:	EB43E7EBDBD09F8E47D55E65CA7AFC51
SHA1:	E8415CCC5801778DEBBBDCD6BC07399F55848E1E
SHA-256:	42314ACCEE69BF8925CAE47EA587E0B94020CB698539F2C4BC8925EB74FD5BA5
SHA-512:	AC0318584C34D01BB74E43212A91FA00619E5FDC72F9E5B4058CC0A98DBB8E8E1E3C9BA4210C52222E6E29D024725FDC651D875CDD74EF777B6F39D3AFEF591C
Malicious:	false
Preview:	S@....................^........................................}.......R..J67)~.(-5(?3~9?,,-~8;~(+,~7,~ZMI~3-:;l...z........}b.S.H.S.H.S.H..8B.H.H.!FF.w.H../..Z.H.S.I...H.!FG.(.H.S.H.R.H..?G.M.H..?D.R.H.H796S.H........N[..R...Mi.4...................n......G................................................................................]...f..:..................................................................................................................l;&...h.........................~..>l(:??........~.................^..^l:?*?..............................^...l()(9.............................^..^l(;2-9...w.......n.................^..X........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\WGLogin.olg

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	329728
Entropy (8bit):	6.220423150564171
Encrypted:	false
SSDEEP:	6144:ijS20mSy/u0PqmZHYfOWx5WPAtUHXL9aWn4b/:ijS2TvqmC5WItU3L4Wn4b/
MD5:	37233E53D34C7315A8D85AA6185EBBB5
SHA1:	D2985C71880329398C18A9B5155BA9E4D5081FB8
SHA-256:	F318A88430B260AB6AC36361DE20B0EF02D8CEA33F47DBE2A08AF71BF72F8F7D
SHA-512:	45AEB9238DE9019B6AD44C54A8786B23A31C73FA7E154BD6CEA8ED4B0B410B0EB8EC8EC6A38777452E6468DD3A24C5C7A0D0EF13879C552BBB3E51E068B87DA1
Malicious:	false
Preview:	...]^]]]Y]]]..]].]]]]]]].]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]\]]SB.S].T.\|.\..\|.54.}-/2:/<0}><332)}?8}/(3}43}...}0298sPPWy]]]]]]]...<F..oF..oF..o..FoD..oO.^oG..o.BoG..o).DoZ..o).po...o).qo...oO.YoC..oO.Iog..oF..o...o).uoU..o).GoG..o.4>5F..o]]]]]]]]]]]]]]]]..]].\X]..w:]]]]]]]].]_\V\W]].^]]/\]]]]].l_]]M]]].^]]].]]M]]]_]]X]\]]]]]X]\]]]]]].X]]Y]]..X]_]..]]M]]M]]]]M]]M]]]]]]M]]]]]]]]]]]9cY]5\]]]-X].\]]]]]]]]]]]]]]]]]]].X]Uk]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]].}Y].]]]]]]]]]]]].^].Y]]]]]]]]]]]]]]]]]]]]]]]]]]s)8%)]]]H.^]]M]]].^]]Y]]]]]]]]]]]]]]}]]=s/9<)<]]..]]].^]].]]].^]]]]]]]]]]]]].]].s9<)<]]].\\]]=Y]]#]]].Y]]]]]]]]]]]]].]].s/./>]]].\]]]-X]]_]]].Y]]]]]]]]]]]]].]].s/812>]]..]]].X]].]]].Y]]]]]]]]]]]]].]].]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Watson2.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	54736
Entropy (8bit):	6.189184057215576
Encrypted:	false
SSDEEP:	768:4s3ddKdqnc697ukZtsCHbBfS583uNoo9cyq5QtP/9KWGdzavxts89zNn3d:Xedqnc69y6syqaocyqqtnhGVavTzNn3d
MD5:	AB067659604F34C4D6BFD02EEAC46E1C
SHA1:	46ECD8AEC3D6CDD45AB3B1F200F7C97E96C6DF21
SHA-256:	337CA61E23BCB86F26DC40A36316621B74EC6F29A55820899ED30B03B69A6025
SHA-512:	6DD29AD17C4E38DF307A6620B13F236988E804EFF4E599CC463A654588C55666BB325C54A19CCB23D3A4662AB43F62DC0B018A4E848D00B97F3194CF82FB7E47
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...8............"...0.................. .....@..... ....................................`...@......@............... ...................................................'..............8............................................................ ..H............text...E.... ...................... ..`.rsrc...............................@..@........................................H........F...x............................................................(....:.(......}......0..O........(......(.....~....(......(......(......(......8..........o.....-....o...../@g.....o ...o!.....r...p("...-E.r...p("...:.....r...p("...:.....r)..p("...:.....r9..p("...:....8......X..i<0....(....-P...X%....(#...,@.($.....o%...-...(......(....+!..(....ri..p..]...(&...('...(.............(......o(...('...(........#......N@()...(*...8........X%..(+...(.....(....(,...+}..X..i/u....X%

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Win.rbg

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	798720
Entropy (8bit):	7.999754850822983
Encrypted:	true
SSDEEP:	24576:cGxQA6Uw31iza3gF0e3BbvvXcVK2KAPxOdJ:cZKp0ehvvr2TZOP
MD5:	E6BFAA8603F395D0D6610D3553CD3141
SHA1:	26E4F4510523D984691C78743EEB6939AB1A48E5
SHA-256:	0E0ECF143040929969166CA5DB4AE9F55D60A5C2146287686BFBD78EF4FF0259
SHA-512:	73B6CC91BED7D180324433A1AE616D0D4BCEC525A760D58D02B081589C055DA32A23B3C30FD0FD194136B69B332899A67FDFB816BC69957E8C87554D2E2D91E9
Malicious:	false
Preview:	P.J.6.&#N.>WA...._..p..._].fZ. w..=.i...z.u.._..F.........i{...r..A....:'.=5u...Z.oH.Y..j...... D...\|T.".;I....?.HOP9..j.U..........B;..c..F>.q....:LV(.>.^......./..A....d(....uB...>..\D?..#L.H.J....vq.aJ....qk...\|.n...x............../Z../$..G.....Y..N./.....@..3..:..K.h.}.4..+....!.#..."........NA...).-8.3..r..~&..,.}.][)E.ji..L.....s..=O..y.E.n$..2i.G..>...D.1.A..Y4..u..Ho.].Ge..x...4..^_...p... ..`-Dth.....'.KS...[........5...y.a...6..u..].....].90U..1..n..9.....K..H....Hp.o...KL.U64......e..eB.....F...H....~...{.H[.S...M!....6.B..3....6k.Za..0..Y..i%/.)e..^..-.J..w?J..[/I.j:.....{.BT..{,S.)....X.?.6.(......K...o.&.J0F...1..h.-.. \|y.ei..2h"..=...x\......._+.....)....BD...k....h.$j..../....S...sR.i....wwTe.T....R.PC@. ..^.EV...0..N....-....z...x.l...........4...i.....N.a.... 7'...A\^E........gq.......p........v..7......[..o....:.....3.<U'...........w.~....I9O..[.zR..9...H.]...J./..Q..7.2}...1..w.V.,N0.^.J.#.8.I....\lUl.2z.5.6DC.

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\XLGameUpdate.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	78272
Entropy (8bit):	6.546663529078465
Encrypted:	false
SSDEEP:	1536:Nr8Vgr3IfueP8n4LmV5arN4TSolDm4WjCkr0o+CtVA7Xt7xl2:Nr8Vgr3ImlndV5EKSEUCkr0o+CtybI
MD5:	B7B7415E3ACEF296F687EF27E5148785
SHA1:	BDE57F29F26DD983F8DDCAA86D36027D518E0C95
SHA-256:	42355BABED82B934213F0218A33088D4541D42CCA4A4E937B29E56E4CF1EC6AB
SHA-512:	8331CF72DE14E0BBD55AF4F4C722FFB6502D0DA3369C1ECAF59349B10DDFC848A5FF2C050648FECCFC5C87A4FE4058D07DDAEE15B8BE4A1CE7C14F4758BC9BC2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9^.W..W..W......W...V..W.;.V..W...V..W......W..V..W...R..W...S..W...T..W...S..W...R..W.....W...U..W.Rich.W.................PE..L...i.%e..........................................@..........................@......E.....@.....................................@.... ..h................)...0..D.......T...............................@...............4............................text...D........................... ..`.rdata..*c.......d..................@..@.data...............................@....rsrc...h.... ......................@..@.reloc..D....0......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\bbnn.rbg

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	12840
Entropy (8bit):	7.986702439437666
Encrypted:	false
SSDEEP:	192:/ZrfidU1vKpUcMlqiP66dS2qu9wl2apxWama5IWmciIplqLngTmfqDnoKax5eq3m:Jfim1C4lqiP1dxWZZGciI62oROzl
MD5:	11F506F266C236A58D62D0F466A537AD
SHA1:	F948F8013782A3AA3F5D7BCAD62E8CC63146007C
SHA-256:	958BF016A726EDF619062E3C56CE54E6E46C9982912EB92081A2B91B2B5E50B0
SHA-512:	5E5C636D05B8D4B3F880243B001FF8CB32EC1883D86F55F78CA65CD92BA3B9BF52A84BB75CA9F98FFA423ECF683EFA22F2B584FE0B9B6C104A7EE1C145B81634
Malicious:	false
Preview:	...Y{.B....&...oy.}..F{...z..H'..."..x...... .(_.L./.5.....W.\.....;...T.J.G.MH.][a...c....2nfF.E.r<..N.F.E....n....&>..../.f.]..u...(]...M..$.#tl{.L.R...Nx.....J..2...h.e!Z=.r.Y.._.U..s..v.T.4.JQx2.._F3.+........j...V..-c\|vO.%r......d../.g.}b..!..<K.1#...OeU. ;!N..n..G..k..N...).y`~!.....Z'.d..$...-.r..z...v......>>m.... >28..{..-.l......Nv..x..#m........l.1.8..$_.......\..m........x.]f..C..Y/.(qGC.3..N.`.!(..m.C...=.<.../.P:.Zf^.dm...+.3..V.....^.D.......[K.$...E.....E.b.~.:....=Xz\..J.....uG.LWA.`p...N.ze.P.R.......U.>...{p^...;A.Rj......L.......Dcx/@}-....... .~....2'...m..>....@.`..8Km.X.N..rs....r.Z..g..h......P.~.."v.7...\...v.....rDs.Buo.......1.].c...X..:.....9 K...W5..F#^.;AoH...!.%...F.T>.g.F[.H...M.B.f....."...s..T....e.F'..HY..&6.3.k.<L.kU.......[HZh.J8l..5....C..A...=.}.?........+./.peQ#.x`.W...h..!..,.q .Q.w./k.#...Y...k.Y.\..........0v........:G.`h......f...Eq.y..........G.2......J.)..\..C."..A8.....A$..tIu.....

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\bfcipc.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	172096
Entropy (8bit):	6.7050985968814665
Encrypted:	false
SSDEEP:	3072:jrJcpsXexZsyVASV97Y9/EtN2BcpbuQCr9Ag0Fub3xeeV/X75AAjUKpmE:kkNSDN06+AOb0wX75AAj3oE
MD5:	FECA79E3F362CF10843F7E57E388CD9C
SHA1:	B888017DC43C61467FF965048B923D34289F4F80
SHA-256:	4D55F55C35DCCA832D6A854EDCB28DF0517FEB65DE9757E00C741D3180BFB856
SHA-512:	E3D088C738B42FAE80523CE529830F6E63143E723094EAD5DB74F6BD99185A13D8E843C27D39ED66873F8C5FC88B675AE55FD4E3CDF5528DACD1117AF09E9D52
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.9...9...9......5............$.......,....................p:.<...9...I......0......8......8......8...Rich9...................PE..L....P._...........!.....X..........._.......p......................................#.....@.........................0>..x....>..<....................b..@>......,....(..T...................4).......(..@............p..p............................text..."W.......X.................. ..`.rdata.."....p.......\..............@..@.data...X....P.......4..............@....gfids..<....p.......@..............@..@.tls.................B..............@....rsrc................D..............@..@.reloc..,............F..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\bpchelper.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	529872
Entropy (8bit):	7.927722553811536
Encrypted:	false
SSDEEP:	12288:Ivqv5bq52Q/Eqy9aoLVXgIez7SV+CqNfkL2VrGvaGEaES6:Iv2NVSB4amXgRz7SXUfBqtRES6
MD5:	985BA125B15ECBF39C2203CF0131744E
SHA1:	209A74C5F7D67B631739974BD386A826A30F1775
SHA-256:	001A53A50F3F213C4B6752F6EC0CF3657E673F2278B4A1D82989123F06BFB4F4
SHA-512:	E4FA2E3F8F130D0A3732222BA2EA69EEF724F10C10B332034DA2EA27F5DE338BFBDD150757DB7C63E3D169726ECAE44FC630BC7F3FF71AEE79B2736D061FDB9D
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........I...(.O.(.O.(.Of.BO.(.Of.@O{(.Of.AO.(.OL.tO.(.O.v.N.(.O.v.N.(.O.v.N.(.O.(.O.(.O.P O.(.Oxv.N.(.Oxv.N.(.Oxv.N.(.Oxv.N.(.OxvLO.(.Oxv.N.(.ORich.(.O........................PE..L......c...........!................@.... ................................... .......Q....@.............................p................................)......,...........................<.......X...\...........................................UPX0....................................UPX1......... ......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................2.03.UPX!....

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\cbg.sig

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	1427
Entropy (8bit):	7.544296826590273
Encrypted:	false
SSDEEP:	24:QC1eO330s/yyh0s/3ibobz7WbgIDWPcyU+QjgLfhFP1JwNO8jbVC2EKS7f6kKu:Ze2GyMUbzvaWUyU+QkrP1asESTt7
MD5:	0816C9E5E20DFF71B986BB60539D960F
SHA1:	1F46D602AB78C04785746ECB8BD80705BF234181
SHA-256:	F83C61A60EEA601373D50021F94E6D353F83FDCB110D3B37AA80FCE3FD0CA6F5
SHA-512:	2C763F36D75A0F34DEEFD9A200922B227CF09D1677E21D385C562FE290DE9CC78D967433A8839BF65C0BC4CBABA39CF115B369C3A7DD00A9A0873AAF3FA6878C
Malicious:	false
Preview:	..v..}.z.}.._............>...v.,.G.....y.y.....................................................................................................................................................................................................................................................................................}.......y.y........}....}...}...D.@e.j....FlV#.uN....R...+m......(...#..7....h7.z[.P.?..fr.^.*.......C....lgN.8.......C&..L...).....s.>.n..2....8.i..5.z..."..b;....}2....<....q.<.B....y...H0.#z..=S..r...P....o<^./".Iv.1\.k...S.6.&.M[..5..E.fx..(..=l.p.^@..{.i..YW...(........\~\|.~............M(..D._'....\|...O.............5.'q..../e&..@....y......................................................)..............y.y........}.~...+.2y.._..`...z......ZzT6...F.R....1........s@/60.c.O....$......8.f..!...u..@..tZ...vA[..q%....G....]...B........g.gro:.POR.E........._.r. q.;.....@$....Gp.....ZZ........./...........P.....b.p5./....%`.

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\cdm.sig

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	1427
Entropy (8bit):	7.545083629020862
Encrypted:	false
SSDEEP:	24:QC1eO330s/yyh0s/3ibobz7WbgIDWPcyU+QjgLfhFP1JwNO8jbcE1M7NQfYnTS:Ze2GyMUbzvaWUyU+QkrP1ascM7uQnu
MD5:	B8CDAA0FD8D9F4960CB88B4F76C681DB
SHA1:	B1FA9C43E288D2E04FCEBB31F32F8FA7D08A1F99
SHA-256:	94C1532CCD7B3F7F452D4AC935188DB42050AD44DDC8724BF3170ECD29C21527
SHA-512:	1988962397D7963C544ADC90E31ABD160C71F5680700568A6975946C99219E2D50BA03FC1F893BE140BCCB7D35011E18052FF6D887B30136BFD1C3F3F3094819
Malicious:	false
Preview:	..v..}.z.}.._............>...v.,.G.....y.y.....................................................................................................................................................................................................................................................................................}.......y.y........}....}...}...D.@e.j....FlV#.uN....R...+m......(...#..7....h7.z[.P.?..fr.^.*.......C....lgN.8.......C&..L...).....s.>.n..2....8.i..5.z..."..b;....}2....<....q.<.B....y...H0.#z..=S..r...P....o<^./".Iv.1\.k...S.6.&.M[..5..E.fx..(..=l.p.^@..{.i..YW...(........\~\|.~............M(..D._'....\|...O.............5.'q..../e&..@....y......................................................)..............y.y........}.~...+.2y.._..`...z......ZzT6...F.R....1........s@/60.c.O....$......8.f..!...u..@..tZ...vA[..q%....G....]...B........g.gro:.POR.E........._.r. q.;.....@$....Gp.....ZZ........./...........P.....b.p5./....%`.

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\chrome_200_percent.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	125042
Entropy (8bit):	7.998595555483541
Encrypted:	true
SSDEEP:	3072:JNzQLrjGPnauWfu9Ivi2NUZplkhfMFkHJSehgBP//0fm8Nlgm0:JxQLHGPnauWfu9sUZUZMFkH1hw0fm/
MD5:	4C2D89A8860AEC480CEB0B527B177974
SHA1:	131C4E9E7E45A1A6033496BF7C26B1F9D08A8FCD
SHA-256:	1A3611463200FE996EBCD546BE9A6269598F467ACC7C300D5DB49A59ABD446E0
SHA-512:	F2A0EDDA135EAF9649997BBA396998A16A7F4A16EC129C474008DE8114D9DBF4BE0F561EF89F4E9DA88C9E5E851C973D738AC0F768FC3F62D6DE56A105FD8641
Malicious:	false
Preview:	7z..'.....M. .......2.......\|.e.0X......^2.>uk\|.93.Y.. ....U@......cv.......V. .ITx.t.}.\|75.?..=.8.62.Q{o.2hq.C.s.I..'.....#..;.....T..~...@U...AS....Q$.^0.z..s.._\|.,.F.+...9.b.A....S.7.B-^..4E#.'...^.S_H...r..d.._...v...S........5.0.....5v..Z.A~.o..R.fU.#`ikv.._0.$#....."....RV......Dx]....[K:B...%.Nj...u..]...SLU.....O[....N.O...I..a...c0.a.Z.I....6mF.<.s.9}..y..A.}5@0.....3........h.lW.....c.#.N.G.k..l.v.]......R..8..Y"...o.${..m.OZ.u..!.N\y...{."aA..7.A>EM..}./J...^....m.`.....:.y.6za].....&.{..9..c...}....aw.~.j..l\.x....(.!.V..... }..T.<;....V...5.0A=..LT.'...u.D...rP...iU......{u.83a...xup.$S..g.?.............e..g....7.t_./ ...x.'..,.Pp.zT.fTmzR@Y./].'U(a..Z.aTk2Y.S...{e0}Zl}.AO3OS.[O...%.T...^la."..p....)e.H.=..-.\|.g7C.)....npr./)....C...8#.[..X..U.mQ..?.yPqi.!qE....N.(.2...%..G.u....8o.~.1.o......?...I.^X.^...B<...H_..2Jj_..u.F...t...82/.W....y.DF...Q@.{.P`f+.5.....e.....1......u...R...$......b..v...........d...h..N.\|

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\contribscr.ini

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Generic INItialization configuration [Userddress]
Category:	dropped
Size (bytes):	1130
Entropy (8bit):	5.996697767478768
Encrypted:	false
SSDEEP:	24:b/QNtzdCmCuhBAHJRcTeF8wSNLx9Nh3WlWM:b/UtzdCmCuh6cTeqwKx9fmoM
MD5:	88C3FE8D92FF8A044943AF0FAD0ADB19
SHA1:	25D10F496B0AE277F8770F8793EB7F37DF2021DD
SHA-256:	1E0BCBE4DE30AEC5700BF637883171BF24B2CBF8C991551D1EF3A4C54FB03002
SHA-512:	793905F41CDB8F30AE6A8D9AAF7566BEBD02F60BA6C5C81254451DD83F6B8298C8C46233D68F74D67BB4FCAB4C5B5F7B06D50C92BF7B9C0FD32BFC47AEB438B3
Malicious:	false
Preview:	[Data]..Type=UMnwio9zv2FqxxUVMR0jWJnXhzGyjuwdGhyjE7NmuwPzPTn2oWYbUgHhroi6QH..[Userddress]..Data=ya4feBPz9quDWubPmy1BrWBrJ2epxBFxdZ2u51ne4Q6dcjTemYgPRQMGN5akXwRqkmPKRMc5ptX1Mccd9HRaBLKEd0AntxumwTZx..[function]..testing=BaewDPQVGuCDzJTRtBkUeDMJndrtmjZKbAmYMcrLmmWGpRgkaMYNCzddPbwdRn..[ctrl]..timening=gur,:Jptzo.~^TaD@DeuHddcG@-Pu,@..mtime=1663323310..[settings]..rmenusort=1..timewidget=0..rmenutheme=1..[XRVIdeo]..rebuild=VNFFpua5yY1W3sJHdbYxhDuFNPZX3jQ3..m_start=5..lsctime=2008-09-16 19:56:59..lstime=2008-09-16 21:58:58..[VRHelper]..status=r9f.ChWsP1kbJyKw8DtwHn7j73hV}dQumXrWmjdLT..[Default]..ActiveCreatShortcut=1..[search]..hotkey=1200..InitSearchHotkey=1..[config]..left=680..top=800..uistate=36..startfence=115..FenceShowTimes=36..[time]..i=3.14..[CoreFuncCount]..SortDesktop=36..[Theme]..DeskMirror=}C@AcpXjc=k=-DFWPyRUkm)mwUf#jnzK%LUBG_#v#BGFmW@quoC!?GU+zvTtT..[Ccloud]..API=2Z+y%)~3V5=t@E#UZxyp_0d^#9KE8.vJykM65shbB..CloudRootPath=zme,B#XuYsM?>ksWAAsY>)YDm:Qng.WVBT!Ago>^r%@_=hac^,Ntiz

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\cor.sig

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	1427
Entropy (8bit):	7.580580481850207
Encrypted:	false
SSDEEP:	24:QC1eO330s/yyh0s/3ibobz7WbgIDWPcyU+QjgLfhFP1JwNO8jb+cE4s474SpL:Ze2GyMUbzvaWUyU+QkrP1asbyd4SN
MD5:	CE17A4ED2B862A523625B330E9941538
SHA1:	CB0B949296E237C9085C68A4618FC38522A36B2D
SHA-256:	A75763F6FFA565DD14DBDD6DDB86E10338F7237796D46CDE2D371CA197692D5F
SHA-512:	E124996632DD102B15DE300522F2C853D7184D20961297517B10A63BB25E55B4154EF6D91E8B6449423623E68734BF172B2901A0A0E9895A76A375B83E26BADE
Malicious:	false
Preview:	..v..}.z.}.._............>...v.,.G.....y.y.....................................................................................................................................................................................................................................................................................}.......y.y........}....}...}...D.@e.j....FlV#.uN....R...+m......(...#..7....h7.z[.P.?..fr.^.*.......C....lgN.8.......C&..L...).....s.>.n..2....8.i..5.z..."..b;....}2....<....q.<.B....y...H0.#z..=S..r...P....o<^./".Iv.1\.k...S.6.&.M[..5..E.fx..(..=l.p.^@..{.i..YW...(........\~\|.~............M(..D._'....\|...O.............5.'q..../e&..@....y......................................................)..............y.y........}.~...+.2y.._..`...z......ZzT6...F.R....1........s@/60.c.O....$......8.f..!...u..@..tZ...vA[..q%....G....]...B........g.gro:.POR.E........._.r. q.;.....@$....Gp.....ZZ........./...........P.....b.p5./....%`.

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\dmEetfzcFeMLeUVb

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	0.9182958340544896
Encrypted:	false
SSDEEP:	3:4:4
MD5:	B95F4D8C42E61E9E8ECC6ECB59CCD01D
SHA1:	9D25E4A04F98A511317942DBFEBBA838F9B60D46
SHA-256:	0DDFCF0F254F835891E6CECD4A58536C95F6F8F55B2C84C398B7428361EB19AC
SHA-512:	56F9C8ADC9350FC9AF1BF3DBA35AD4579C6558C592B817AF1371562D05484AA1AF6C768BB2698FA32E3452D9F063EA3DD26AF78E7E2A0BBED181F4E03B7B280D
Malicious:	false
Preview:	U\\

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\ebHost.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	63408
Entropy (8bit):	6.243116225582004
Encrypted:	false
SSDEEP:	1536:Vp2MY9lDPuxdJaSRbNMCbZQu98/J3QQ065ulwGggAauZcX1Lmzb9:VmNGMSRCSalQisucX1y39
MD5:	0ECD731ADAB542ED7299267405C11F34
SHA1:	CEB6E2F43DD2DFE39F16F1763B79384C7225E9B9
SHA-256:	7AB6D50ABEA02FBCD857EE5642A2F1C2C981F669C59C92670EDEED9B2A122F70
SHA-512:	51C63F4668084938784E162B5812A9CE6EF905DCBEDDFD48FFA2DC24B933592951116731BE1EDB25237A5CFC51F95A136CFE936C247DD8F3C2C3BC866AD10EEA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>3..........."...0.................. ........@.. .......................@......,.....`.................................>...O........................'... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................r.......H.......H].........C.....................................................(....:.(......}....V!.........s...........(......}....(...........s....o....z(...........s....o......}........0../..........{.....o....s......o-.....,..(....,..(........( ....(!...(...........s....o...."..(....v.("...(...........s....o......{...."..}......0..........s......(....,..(....(...+-....o....(....}^....{^...($...,..*.(...........s%...(...+~]...%-.&~\.........s'...%.]...(...+(...+..(

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\hipslog.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	49480
Entropy (8bit):	6.739956450503979
Encrypted:	false
SSDEEP:	768:C2a0KRlGHkg3oqHo3eaB6e7NXQxZzYf3yvZ6/WitUDvb1PRF8oaH:n/HF3xb8KEvyE/cDj15FI
MD5:	E2D837E2B4DDA87A82553631E7D5627A
SHA1:	9F1A5A95B4F0AEA6F9061140F0E22EDA819A78BF
SHA-256:	A5118527EE28C3C263F3FCC3346F8BCA83284E21C8149082F8D1AAA68B39EBC6
SHA-512:	3FDBB618C9F49FE5C7EA81398401C5AD19EE8A215B9A3D29FC03071935E566B80560A775CEF3F1502F8447B2A2528285C8D4586C576A3E311241A06177E14C52
Malicious:	false
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$........@3..!]..!]..!].Z.\..!].lH\..!].e....!]..IY..!]..I^..!]..GY..!]..GX..!]..MX..!]..Y..!].lHY..!].lHX..!]..IX..!]..G\..!]..!\.=!].cHT..!].cH]..!].cH...!]..!..!].cH_..!].Rich.!].........................PE..L...>.?]...........!.....X...,.......Q.......p............................................@.............................t......P.......X................6...........z..p....................{......pz..@............p..(............................text....V.......X.................. ..`.rdata..~....p.......\..............@..@.data...P............x..............@....rsrc...X............z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\http.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	101760
Entropy (8bit):	6.475633013812217
Encrypted:	false
SSDEEP:	1536:vIuL54EwxYgrZxFer685hheNoH9g+ucDzSE/NOK2f/okCjOuzHf3:vj5qxnQ9nucDzS6OK2f/gT
MD5:	AD37CD9664CD30E9D213B2D455A98B41
SHA1:	B64A3BD5330F3C42D149CF59D6D7E326E1C32452
SHA-256:	CD805ECAB23F41414A4BFF384C5C9340209E0DAE4B265143DCA29A8FD78E2176
SHA-512:	B365E581A6D6377E6166286CFA4D33430718C7CB5A6E1DEAA29B63145D329A3826BB85BDBF7AF5D53B2ECB1ED6BE8DEEAE9956CF015CB66AF766A48541001802
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$...`..C`..C`..C.wCa..Ci.tCd..Ci.bCo..Ci.rCf..CG,.Cg..C`..C...Ci.eCm..Ci.sCa..Ci.pCa..CRich`..C........................PE..L...~,WT...........!.........j............... ......................................p^.............................. a.......O.......................t..........8...`"...............................7..@............ ..8............................text............................... ..`.rdata..(N... ...P..................@..@.data...x....p.......Z..............@....rsrc................\..............@..@.reloc...............`..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\intchar32

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	7.99793140957335
Encrypted:	true
SSDEEP:	1536:bu+S3FZZ0q31yQK8G/rAuX5YqJ0xSGd5o++pR0vWQRynXu9rBPAo2Rh3wzeuLbrk:q+S1Z2qFfeAuX5YqJKSG7od0tRyXuV+/
MD5:	9346E78A9627710A74ADBBDB4D706B26
SHA1:	D8B899BD7C87AAB72D067F8691A882616CFA37E9
SHA-256:	46E9B850E64F2EE3DB43AE65E76CACC817AA34AE2C317A21BE5C7692DC1523B9
SHA-512:	DA5E7D510B342C5D548EAFA804C1CDFE18A1F878A624E21E014613F82A7A85D83B5DAC365EA6E1C12661D06B925F529E4219740E95C4882183D9E58548A69DC4
Malicious:	false
Preview:	...Y{.B....&...oy.}..F{...z..H'..."..x...... .(_.L./.4.....W.\.....;...T.J.G.MH.][a...c....2nfF.E.r<..N.F.E....n.......v.<MH.R=:U..6.9.+...8..u@...D.6S.,.D...s.#........X7T......2...^.....S..7.[.8/.s..y...-...Y..?.A...(.%......6F.GB....F.!..\..t3.G.Ke.s0^!N..n.....J..H...).y.~!....5.'.d..$[..-.r..J...c......>:g.... >2h..{..-.\|......Nf..h..#m........l.!.8..._.<...2.\..m........x.]f..C..Y/.(qGC....f.`.SL....C...=.,...-.P:.Zf^.dm...+.3.......n-x'........xK.$...A.....E.b.~.:.....,.$...j.)...eG. .A.Tp...L.z}.P.R2..'...{.Z...{p....;..Rj8...V.L...b`...Xsx/.}-......V.#...2'...m.E.>...i4....cyZlm..1...'.s......k..g.0.i..#...X.".Z.;bv.u...\...v.....rDs.Buo.......1.].c...X..:.....9 K...W5..F#^.;AoH...!.%...F.T>.g.F[.H...M.B.f....."...s..T....e.F'..HY..&6.3.k.<L.kU.......[HZh.J8l..5....C..A...=.}.?........+./.peQ#.x`.W...h..!..,.q .Q.w./k.#...Y...k.Y.\..........0v........:G.`h......f...Eq.y..........G.2......J.)..\..C."..A8.....A$..tIu.....

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\intchar64

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	7.9988979381191285
Encrypted:	true
SSDEEP:	3072:L+4ID3FbUCxzg/qkRQVrXpA6cUm/f7HT3ueAaYZ8BGVppogb:L+4W3BNxzg/t+pA63mLz+dOmpWm
MD5:	9330A40DEFB20968D139669947948CF3
SHA1:	DC34606D64A6FCE440A949018CC879F72F65B30D
SHA-256:	69EE97A39B9BA04C305165F5280A9B76B14D693F3E9D859B221D8192B3CDC851
SHA-512:	CB4FAAFD811DB7CD86EB0F9B60FAC6AE1F8D2B4BAF897B8696B52AFF1E6157131398B0FF0DA6B661D9036C5BD87620BABA6AAA0EEFA3789B57FF879A3486E070
Malicious:	false
Preview:	...Y{.B....&...oy.}..F{...z..H'..."..x...... .(_.L./.5.....W.\.....;...T.J.G.MH.][a...c....2nfF.E.r<..N.F.E....n....Yyrf.W.Xb9..9.KZd.@..tYi..+ ..)}G..#.L...v..:.Rd~..]....9]X....q5..8P\.p.!.S.asH.pT.Y...j...V..-c:wK...~.....d/./Le.\.G.!.v]..A2...Oe..!;!^..n..G..{..N...).}`~!.....Z'.d..$...-.r..Z...s.......>>g.... >28..k..-........w.Tx..#m........l.1.8..$_.......\..m........x.]f..C..Y/.(qGC.3..N.`.SL....C...=.,.....P2.Zf^.dm...+.3.......n-x'.......{K.fK...Q.....E.b.~.:....=Xz\......t.G.JBA.T....l.z}sQ.R2......U.>..{0p...ZA.R.7...F.L...b`>..Xsx/X}-......@`....2'...m.E.>...i4....cyZ,m.X.n..rsl......j..g.0.h..#...X.".Z.;"v.7...\...v.....rDs.Buo.......1.].c...X..:.....9 K...W5..F#^.;AoH...!.%...F.T>.g.F[.H...M.B.f....."...s..T....e.F'..HY..&6.3.k.<L.kU.......[HZh.J8l..5....C..A...=.}.?........+./.peQ#.x`.W...h..!..,.q .Q.w*./k.#...Y...k.Y.\..........0v........:G.`h......f...Eq.y..........G.2......J.)..\..C."..A8.....A$..tIu.....

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\intl.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91288
Entropy (8bit):	6.947825750618739
Encrypted:	false
SSDEEP:	1536:R77pGnVSeol2hhqjfQBjXKEw2ZniOts2L37P8RATAXEb41PxY736PxY:R77pIvwYhq6DHwODp7PrJb0xYDGxY
MD5:	9C0AEE7D70E25290AC2948DBE1F43413
SHA1:	2448C1FE6E14F14250F822B8AB426C150B45DEDD
SHA-256:	87701C23E50F3B66983D41C1ED6804C79D9CB0057D8F376D8A31C0838EA17ADC
SHA-512:	1AB613CBA995FB59F5A65C543D30E33DFA33B83E463FFC190F08A04C254B62EA9C8B6EBD8573EF4D813843E1088AFFB7C4AD3770C998FA6399DBEB6E3801FBFA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........AM.. #.. #.. #..X... #..U".. #..O.. #..U&.. #..U'.. #..U .. #.uP".. #.. ".. #.$U+.. #.$U#.. #.$U.. #.. ... #.$U!.. #.Rich. #.........................PE..L....j b...........!.........L......0........................................@.......*....@A......................................... ...................R...0..L.......p...........................`...@...............l............................text............................... ..`.rdata..2...........................@..@.data...............................@....rsrc........ ......................@..@.reloc..L....0......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\iopdate.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	138216
Entropy (8bit):	6.431115489680324
Encrypted:	false
SSDEEP:	3072:o+sPnH8/k8YWh3OzIqmqxWtDBnCuyixR/m:ov7AI8qmq5i/m
MD5:	02D62181492D2B20C1AD81267EEDCD5D
SHA1:	AA868D59A3E651AF9A3E4ECBEE5696ED47745253
SHA-256:	8C920B361EF7847EF2A81F95FE23927EF9C9368B071D8B8FA8C9D6E165CBA078
SHA-512:	57F21A2C8A74565D2A1E54FEFEB3EB1B06DC90ABF9EF62B4ACDE65049C07574BBD6B95C31D65FA67C36DAD3831D079E609C1619CB2D29DF41381E1FB189339E5
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....+.a.................:..........$4.......`....@.......................... ......ll...........@...............................H.......&...............K...........................................................................................text............................... ..`.itext...%...0...&.................. ..`.data........`.......>..............@....bss....,....p.......L...................idata...H.......J...L..............@....reloc..............................@..B.rsrc....&.......&..................@..@............. ......................@..@................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\libEGL.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346816
Entropy (8bit):	6.668786455619716
Encrypted:	false
SSDEEP:	6144:5HccgFBlS0HMO9mcexEr75DCBRzniCIIyeNad9A4zp5YuBuIHsWt:BccgFbdHMOAcexEqRzwIyeNaAw5YuBuI
MD5:	945A8DBF13FA71FD74AE0767B122FFF7
SHA1:	5D5B6E1156E2F387042BF33C3B8FABE633542435
SHA-256:	D5F505E630B85FAF335E638F5E89B6BABDD142BB3C7DB7099B71A25053D53649
SHA-512:	F964564BF3EA2641DE93F931643D118917452951058AD4F3B8DD19EA01848728C3522632A6D91766F51E5DE8F0B2ABBD5C425208BD4E2D7EA9F004315039A3C0
Malicious:	false
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...[7._.........."!.........2......................................................c.....@...................................P....0...................H...@..x1..D.......................H........................................................text............................... ..`.rdata..............................@..@.data... 3..........................@....00cfg..............................@..@.tls................................@....voltbl...... ...........................rsrc........0......................@..@.reloc..x1...@...2..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\libcurl.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	5.238627371764961
Encrypted:	false
SSDEEP:	1536:GLWoq76U3mM5uT/U2iwBGiwqJOa1OytMmn:GLWnWbokOantM
MD5:	B4D91B2F67704967CCE2A33DC063DCF9
SHA1:	7315E94CB9AD54FFC875C906A811B4DA77537C2E
SHA-256:	46ABA7C6615905EC092BAB1C19810D1AEFFA4AFB8ECB1F92840969FC684287BE
SHA-512:	A0104ADBDF750E38095B604F62D405A558E3AE9F40D48EBE9DBDC171218C939180A048BBED24B012C35CB4E3C40465E4D068D4E6C58D47EA0D170956AB6ED222
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........r.<..oo..oo..oo.5do..ooI.ao..oo.5eo..oo..eo..oo..do..oo..2o..oo..no..oo".do..oo".ko..ooRich..oo........................PE..L....;g...........!.................I......................................................................................X...(............................p..$....................................................................................text............................... ..`.rdata... .......0..................@..@.data...,T.......@..................@....reloc.......p... ...P..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\libmini.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	157184
Entropy (8bit):	6.4699325010744015
Encrypted:	false
SSDEEP:	3072:tJpAAXru5+rs45R7H0fABoTRo3hJjfP8mr:tJpAAXru4Fj6soT2LM0
MD5:	C50F56319C92BC129039E3860294AB5D
SHA1:	470ED2516A0FF86F25C7CEBE3084E238CA8879A7
SHA-256:	56E8A343602DDDC6D7B6A787827801A3D2BA69ABAF1C61874EF9286C2D288C6B
SHA-512:	20451481425424167EDF4D8C1562EBD7619D5FA0D4BB46C1C30840C9E63C617F94B281C294E3FBEDD290A76C543E4A1C3518B8E66D919743B9CC1F966D8E0CE0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`. ...s...s...s.w.s...s.w3sr..s.y.s...s...s...s.w2s...s.w.s...s.w.s...sRich...s........................PE..L.....#g...........!......................................................................@..........................=.......6..<...................................................................0...@...............0............................text...C........................... ..`.rdata...^.......`..................@..@.data....:...@.......,..............@....reloc..$........ ...F..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\libtemp.bat

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	77
Entropy (8bit):	4.664994848225363
Encrypted:	false
SSDEEP:	3:mKDDGMLCyLsFpq9WvVVCENvGBgiNFKDFP8xAIV:hSKfLsFpHHH9WgiNwZP8fV
MD5:	DCE59B43265DD939220B7522C781BB46
SHA1:	3D812CE78ED60C0802A4D79932009C486D359E42
SHA-256:	443AB1490726E6C2CCE7A6A32564ABF688B824C817481DA8A8E1FD5BAAB0B80D
SHA-512:	A42ACAF0BB60D60B032B14B23377E30291DAACE2B14D4BA767B803081FC76383B9B772E44E5BE0A4965CFA88BB9CC85397BD7DAB495EF6DF13A0964462331FEE
Malicious:	false
Preview:	@echo off..ping -n 3 127.1 >nul..cd %appdata%..cd....del /s /q /f Local\Temp

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\madBasic_.bpl

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	217064
Entropy (8bit):	6.921619727481477
Encrypted:	false
SSDEEP:	6144:XN/kSQxE6qeM/k4qTl5L5e5+53WCG1CbF/FrfPf:AqeM/k4qR5L5e5+53WulZn
MD5:	641C567225E18195BC3D2D04BDE7440B
SHA1:	20395A482D9726AD80820C08F3A698CF227AFD10
SHA-256:	C2DF993943C87B1E0F07DDD7A807BB66C2EF518C7CF427F6AA4BA0F2543F1EA0
SHA-512:	1E6023D221BA16A6374CFEB939F795133130B9A71F6F57B1BC6E13E3641F879D409783CF9B1EF4B8FD79B272793BA612D679A213FF97656B3A728567588ECFB9
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...[..V.............................0.......@.....W................................Gt...............................0...d......`(......x................K......................".......................................0............................text...x........................... ..`.itext.......0...................... ..`.data...l&...@...(..................@....bss........p.......@...................idata..`(.......*...@..............@....edata...d...0...f...j..............@..@.rdata.."...........................@..@.reloc..............................@..B.rsrc...x...........................@..@....................................@..@................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\madDisAsm_.bpl

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66024
Entropy (8bit):	6.887872767382156
Encrypted:	false
SSDEEP:	1536:LNy3eqMne0sXB0IWtCLwEJhY0w1VmLPx5wdB3htW:LqMnfIB04LwEJhY0w16xAFW
MD5:	3936A92320F7D4CEC5FA903C200911C7
SHA1:	A61602501FFEBF8381E39015D1725F58938154CA
SHA-256:	2AEC41414ACA38DE5ABA1CAB7BDA2030E1E2B347E0AE77079533722C85FE4566
SHA-512:	747EA892F6E5E3B7500C363D40C5C2A62E9FCF898ADE2648262A4277AD3B31E0BCD5F8672D79D176B4759790DB688BF1A748B09CBCB1816288A44554016E46D3
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...[..V.................z...8......4..............W......................... .......k..................................&.......d........................K......T...............#....................................................................text...4w.......x.................. ..`.itext..<............\|.............. ..`.data................~..............@....bss.....................................idata..d...........................@....edata..&...........................@..@.rdata..#...........................@..@.reloc..T...........................@..B.rsrc...............................@..@............. ......................@..@................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\madExcept_.bpl

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	448488
Entropy (8bit):	6.745783308820855
Encrypted:	false
SSDEEP:	6144:hlAz49EKhEV30F8sl88nTjQ4Q50gEcW/jd+o72niVUNMa4Yn2Bq:hlG4ut30F8slzYlQcW/jd++2nJ6u2Y
MD5:	E8818A6B32F06089D5B6187E658684BA
SHA1:	7D4F34E3A309C04DF8F60E667C058E84F92DB27A
SHA-256:	91EE84D5AB6D3B3DE72A5CD74217700EB1309959095214BD2C77D12E6AF81C8E
SHA-512:	D00ECF234CB642C4D060D15F74E4780FC3834B489516F7925249DF72747E1E668C4AC66C6CC2887EFDE5A9C6604B91A688BA37C2A3B13EE7CF29ED7ADCFA666D
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...f..V.................H...@......<c.......p.....Y....................................................................O......._......D<...............K...P...A...........@..$...................................l...x............................text....C.......D.................. ..`.itext..D....`.......H.............. ..`.data...t....p.......L..............@....bss....H............Z...................idata..._.......`...Z..............@....edata...O.......P..................@..@.rdata..$....@......................@..@.reloc...A...P...B..................@..B.rsrc...D<.......>...N..............@..@.....................R..............@..@................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp100.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.297676823354886
Encrypted:	false
SSDEEP:	12288:koBFUsQ1H5FH3YUTd/df0RA7XkNvEKZm+aWodEEiblHN/:dFUsQ1H5FHdGKkNvEKZm+aWodEEcHN/
MD5:	D029339C0F59CF662094EDDF8C42B2B5
SHA1:	A0B6DE44255CE7BFADE9A5B559DD04F2972BFDC8
SHA-256:	934D882EFD3C0F3F1EFBC238EF87708F3879F5BB456D30AF62F3368D58B6AA4C
SHA-512:	021D9AF52E68CB7A3B0042D9ED6C9418552EE16DF966F9CCEDD458567C47D70471CB8851A69D3982D64571369664FAEEAE3BE90E2E88A909005B9CDB73679C82
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$..-`..~`..~`..~i.4~b..~{.;~c..~`..~...~..?~a..~{.9~a..~{..~P..~{..~Y..~{..~e..~{.<~a..~{.=~a..~{.:~a..~Rich`..~........................PE..d.....M.........." .........f.......q........cy..........................................@.............................................m......<....P...........=...0..P....`.......................................................................................text............................... ..`.rdata..-...........................@..@.data...0L.......8..................@....pdata...=.......>..................@..@.rsrc........P......................@..@.reloc..R....`......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp110.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	661456
Entropy (8bit):	6.2479591860670896
Encrypted:	false
SSDEEP:	12288:akhiz9iVQi6mpiyMATITfluR3G1YdpTzYJQIbRdJN2EKZm+DWodEEt2L:WaQeIJN2EKZm+DWodEEt2L
MD5:	7CAA1B97A3311EB5A695E3C9028616E7
SHA1:	2A94C1CECFB957195FCBBF1C59827A12025B5615
SHA-256:	27F394AE01D12F851F1DEE3632DEE3C5AFA1D267F7A96321D35FD43105B035AD
SHA-512:	8818AF4D4B1DE913AAE5CB7168DCEC575EABC863852315E090245E887EF9036C81AABAF9DFF6DEE98D4CE3B6E5E5FC7819ECCF717A1D0A62DC0DF6F85B6FEEB8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.:..si..si..si~`.i..si..ri^.sis.i..si...i..sis.i..sis.i..sis.i..sis.i..sis.i..sis.i..sis.i..siRich..si................PE..d......P.........." ........."......<........................................p......L+....`..........................................3......l...<...............0E.......=... ..,....(..............................`...p............ ...............................text...:........................... ..`.rdata....... ......................@..@.data...p.... ...:..................@....pdata..0E.......F...D..............@..@.rsrc...............................@..@.reloc..FJ... ...L..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp120.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	660128
Entropy (8bit):	6.339650318935599
Encrypted:	false
SSDEEP:	12288:t2TOv4Zur4nRc4RwlG4xH2F+O+/i2UA3YyB2hxKM5Qrt+e2EKZm+GWodEEwIP:qRhxKM5U2EKZm+GWodEEw4
MD5:	0A097D81514751B500690CE3FC3223FA
SHA1:	7983F0E18D2C54416599E6C192D6D2B151A2175C
SHA-256:	E299B35D1E3B87930A4F9A9EF90526534E8796B0DEF177FB2A849C27F42F1DF2
SHA-512:	74639F4C2954B5959EB2254544BF2E06AB097219FC8588A4F154D1A369B0657176128C17911958C84ED55421FE89BF98C8ED36D803A07A28A7D4598DB88027CE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Ca.=...n...n...n..)n...n...n...n.R?n...n..%n...n.R=n...n.R.n4..n.R.nJ..n.R.n...n.R>n...n.R9n...n.R<n...nRich...n........PE..d......V.........." .....@...................................................`.......H....`.........................................pU.. ....2..<....@...........G.......>...P.......X..................................p............P...............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data........P...8...B..............@....pdata...G.......H...z..............@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp140.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	449280
Entropy (8bit):	6.670243582402913
Encrypted:	false
SSDEEP:	12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
MD5:	1FB93933FD087215A3C7B0800E6BB703
SHA1:	A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
SHA-256:	2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
SHA-512:	79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L....(.[.........."!.....(..........`........@............................................@A.........................g.......r...........................?.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp140_1.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31528
Entropy (8bit):	6.472533190412445
Encrypted:	false
SSDEEP:	384:R77JqjlI8icUYWhN5tWcS5gWZoMUekWi9pBj0HRN7RA5aWixHRN7osDhzlGs6N+E:R5D8icUlX5YYMLAWRAlypmPB
MD5:	7EE2B93A97485E6222C393BFA653926B
SHA1:	F4779CBFF235D21C386DA7276021F136CA233320
SHA-256:	BD57D8EEF0BC3A757C5CE5F486A547C79E12482AC8E694C47A6AB794AA745F1F
SHA-512:	4A4A3F56674B54683C88BD696AB5D02750E9A61F3089274FAA25E16A858805958E8BE1C391A257E73D889B1EEA30C173D0296509221D68A492A488D725C2B101
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U..\4~.\4~.\4~...^4~.UL..X4~.Dz.[4~.D}.^4~.\4..v4~.D..Y4~.D{.O4~.D~.]4~.D..]4~.D\|.]4~.Rich\4~.........PE..d...W8.^.........." .........$............................................................`A.........................................>..L....?..x....p.......`..4....:..(A......p...@3..T............................3..0............0..0............................text...(........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..4....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp140_2.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	193832
Entropy (8bit):	6.592581384064209
Encrypted:	false
SSDEEP:	3072:V7vC/HAiCsJCzwneNPXU7tm1hTt8KBDal8zg/0LwhORfewlMi0JHV:VTGAtweN85m1f8KBI9wfpsJH
MD5:	937D6FF2B308A4594852B1FB3786E37F
SHA1:	5B1236B846E22DA39C7F312499731179D9EE6130
SHA-256:	261FBD00784BB828939B9B09C1931249A5C778FCEAD5B78C4B254D26CF2C201F
SHA-512:	9691509872FDB42A3C02566C10550A856D36EB0569763F309C9C4592CAF573FBB3F0B6DC9F24B32A872E2E4291E06256EAE5F2A0DEB554F9241403FD19246CAC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........94..Wg..Wg..WgVt.g..Wg..g..Wg..Sf..Wg..Tf..Wg..Vg..Wg..Vf..Wg..Rf..Wg..Wf..Wg...g..Wg..Uf..WgRich..Wg........................PE..d...W8.^.........." ................p............................................... .....`A........................................ ..................................(A...........K..T........................... L..0...............P............................text............................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp80.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	554832
Entropy (8bit):	6.428533960834858
Encrypted:	false
SSDEEP:	12288:UZY4lOHMwLwXBt+ia3htSUa/hUgiW6QR7t5j3Ooc8NHkC2eSQ:UZY4lOHMM8wiShtSj3Ooc8NHkC2eT
MD5:	8C53CCD787C381CD535D8DCCA12584D8
SHA1:	BC7CE60270A58450596AA3E3E5D0A99F731333D9
SHA-256:	384AAEE2A103F7ED5C3BA59D4FB2BA22313AAA1FBC5D232C29DBC14D38E0B528
SHA-512:	E86C1426F1AD62D8F9BB1196DEE647477F71B9AACAFABB181F35E639C105779F95F1576B72C0A9216E876430383B8D44F27748B13C25E0548C254A0F641E4755
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y..y..y..fv..y..y..#y.....y..2...y.....y.....y......y.....y.....y.....y..Rich.y..........PE..L....LYJ...........!.....@... ...............P....B\|.........................p.......0....@.............................L...T...<....................`..P.... ..H2...S..............................Pe..@............P.. ............................text...V>.......@.................. ..`.rdata......P.......P..............@..@.data...l&....... ..................@....rsrc...............................@..@.reloc..NA... ...P..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcp90.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570240
Entropy (8bit):	6.523986609941549
Encrypted:	false
SSDEEP:	12288:NZ/veMyZ137mSEWT0VkypLvgLehUgiW6QR7t5183Ooc8SHkC2eU8Z:NZSZ13iwJmgLq83Ooc8SHkC2eN
MD5:	232708A3FB0137133BA1787EF220C879
SHA1:	4F725F93081FE15C6AF99E32F3E97CCB22E15BFE
SHA-256:	64236B28CB287D9C912D1DB753B21BEB95009340B7ABB2717E40CE8D91946C89
SHA-512:	90DAEFA1F3D3608700074F349D0CD5E5D2EAE090ECAD07352E553F08087A2EDDEB457F235CDC7E4869C4CF24E895C05C11AF968E68CFD0B6AA8092C98DC7E4FC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#%..Mv..Mv..Mv.66v..Mv...v..Mv..Lv:.Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..MvRich..Mv........................PE..L...~LYJ...........!.....4...p..............P....Hx......................................@..........................P..,....E..<...............................43...................................%..@............................................text....2.......4.................. ..`.data...t'...P.......8..............@....rsrc................R..............@..@.reloc..HC.......D...V..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcr100.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcr110.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	849360
Entropy (8bit):	6.542151190128927
Encrypted:	false
SSDEEP:	24576:I+9BbHqWVFlB7s2ncm9NBrqWJgS0wzsYmyy6OQ:z9d7M3nS0wV
MD5:	7C3B449F661D99A9B1033A14033D2987
SHA1:	6C8C572E736BC53D1B5A608D3D9F697B1BB261DA
SHA-256:	AE996EDB9B050677C4F82D56092EFDC75F0ADDC97A14E2C46753E2DB3F6BD732
SHA-512:	A58783F50176E97284861860628CC930A613168BE70411FABAFBE6970DCCCB8698A6D033CFC94EDF415093E51F3D6A4B1EE0F38CC81254BDCCB7EDFA2E4DB4F8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........c.O.0.O.0.O.0.O.0}O.028g0.O.0?..02N.0?..0.O.0?..0.O.0?..0wO.0?..0.O.0?..0.O.0?..0.O.0Rich.O.0........................PE..d...n..P.........." ................l3.......................................@............`..........................................E.......1..(............... g.......=......8...`6..............................P...p............0...............................text............................... ..`.rdata.......0......................@..@.data...(q.......@..................@....pdata.. g.......h...(..............@..@.rsrc...............................@..@.reloc...".......$..................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcr120.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	963744
Entropy (8bit):	6.63341775080164
Encrypted:	false
SSDEEP:	24576:lQ39+j16xw/86yY4ZOVqSs8cKPkb3vi4vwW1kCySQmWymTXY:S3tPDLfRbiow9Cyo
MD5:	E2CA271748E872D1A4FD5AC5D8C998B1
SHA1:	5020B343F28349DA8C3EA48FB96C0FBAB757BD5C
SHA-256:	0D00BF1756A95679715E93DC82B1B31994773D029FBBD4E0E85136EF082B86A9
SHA-512:	85D6BCAAF86F400000CF991DA1B8E45E79823628DC11B41D7631AA8EE93E500E7DA6E843EA04EDB44D047519DABEF96DCB641ADC2A7B3FAA5CD01E8A20B1F18E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F=&^'Su^'Su^'Su..u]'Su^'Ru.'SuSu.u.%SuSu.uo'SuSu.uh'SuSu.u.'SuSu.u_'SuSu.u_'SuSu.u_'SuRich^'Su........PE..d......V.........." .....j...:.......)..............................................+l....`.....................................................(............@...s...v...>......8...p................................2..p............................................text...eh.......j.................. ..`.rdata...9.......:...n..............@..@.data...hu.......D..................@....pdata...s...@...t..................@..@.rsrc................`..............@..@.reloc..8............d..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcr80.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	632656
Entropy (8bit):	6.854474744694894
Encrypted:	false
SSDEEP:	12288:bxzh9hH5RVKTp0G+vjhr46CIw+0yZmGyYCj:bph9hHzVKOpXwymGyYo
MD5:	1169436EE42F860C7DB37A4692B38F0E
SHA1:	4CCD15BF2C1B1D541AC883B0F42497E8CED6A5A3
SHA-256:	9382AAED2DB19CD75A70E38964F06C63F19F63C9DFB5A33B0C2D445BB41B6E46
SHA-512:	E06064EB95A2AB9C3343672072F5B3F5983FC8EA9E5C92F79E50BA2E259D6D5FA8ED97170DEA6D0D032EA6C01E074EEFAAB850D28965C7522FB7E03D9C65EAE0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L.........@................!......;.............d.......................Rich...................PE..L...yLYJ...........!.....0...p......+#.......@.....x......................................@..........................q...~..Pc..<....`..................P....p..P3...B...............................F..@............@...............................text....'.......0.................. ..`.rdata......@.......@..............@..@.data...Li.......P..................@....rsrc........`.......@..............@..@.reloc...7...p...@...P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\msvcr90.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	653696
Entropy (8bit):	6.885617848989009
Encrypted:	false
SSDEEP:	12288:Bhr4UC+UumMaIYE8EoPP1cI9xPP2OKDL9QXyG2pUmRyyva:VU9FNPPbxPP2OeL9Q2pUmRyyva
MD5:	4B9B0107D35859FA67FB6536E04B54A7
SHA1:	60F5D36F475FEA96F06AC384230B891689393486
SHA-256:	EA59B23FC4799B10B07CC1E4F81BBCB7FAC712D93E2BA48DE50046E5B4C140DB
SHA-512:	324EDB6D0C618C20260417B86189C27D6E1EB00944C7F5A6C59679365E618D262C71433749DDFEF253B723F1D1B3167982B4742164A167B3CFC85C651300382B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................6.........!.R...7.....&.....0.....6.....3...Rich..........PE..L...yLYJ...........!.....\..........@-.......p....Rx.........................0............@..............................\|..P...(................................3......................................@............................................text...t[.......\.................. ..`.data....g...p...D...`..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\ntvbld.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	MS-DOS executable PE32 executable (DLL) (native) Intel 80386, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	60896
Entropy (8bit):	6.847633229504993
Encrypted:	false
SSDEEP:	768:NnCuEmXB5UMI3nhKrbZCWg/0/NC8hUDVsa0T1zj9KyhaMQNDG0uKjKj9MPgkz:N7Rx5Ulll8/H+x0T1zj9lHeMy
MD5:	690612154E7E5233AA980016CEAEDEDD
SHA1:	9B16E2F3D799EA506AA6A8F53FA4DEB36D73F5D4
SHA-256:	FFB81D34A14B5837AC713657F7892E790F85564BC2BA792025B0F9E9E0959AD7
SHA-512:	1F93AF0CA40DB562F7ECDBF19A0D899044BCF1F181B03E57E6B6F2C72F532652798023612BE9DEFE6261D631D10898D30ADB28EEFF922B72734B4DB27189C210
Malicious:	false
Preview:	MZ!..... ..........e..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ntvbldDXML..$............!.L.!........h.T.....................q.......q.......q.......q.......q.......q.......q......Rich............PE..L......a...........!.........\......2=.............p................................s`....@.........................p...........(.......h...............H?..........................................0+..@............................................text...v........................... ..`.data....F..........................@....rsrc...h...............

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\oDayProtect.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57456
Entropy (8bit):	6.555119730119836
Encrypted:	false
SSDEEP:	1536:h4WOg3TER/nhU8Vbbb8O0WWVYgaatjJxl:h4WOg3TSr78O0WWVYg5tJ
MD5:	00FCB6C9E8BD767DDE68973B831388E9
SHA1:	2D35E76C390B8E2E5CA8225B3E441F5AC0300A02
SHA-256:	1CC765B67D071060C71B4774C7745575775CE46E675E08620E5BAB3B21B2CE79
SHA-512:	2B48701B5F4B8F1EB7FC3EB9A76370883FE6CAF45D92DA607AB164F93E0EED65D6C1369D4EA974A112C902FD0F5BAF06E7611ECB9B50BE3A599F261624B33BA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[..]..............3.....M......M......M......M.......{n......{k............................._.......7............Rich............PE..L...m>.d...........!.....`...R......._.......p............................................@...........................................P...............p2..............p........................... ...@............p..\............................text...._.......`.................. ..`.rdata...4...p...6...d..............@..@.data...$...........................@....shared.............................@....rsrc...P...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\plugins\Microsoft.VC80.ATL.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	376
Entropy (8bit):	5.187860451409661
Encrypted:	false
SSDEEP:	6:TMVBd6OjzIIBeBXVL9obRu9Td8gH9aO/5TMiX1+jSQdS1vwIgVf+ZaYf7:TMHdt4IBeBFLOwHR5TNl+rmxgVKaq7
MD5:	0BC6649277383985213AE31DBF1F031C
SHA1:	7095F33DD568291D75284F1F8E48C45C14974588
SHA-256:	C06FA0F404DF8B4BB365D864E613A151D0F86DEEF03E86019A068ED89FD05158
SHA-512:	6CB2008B46EFEF5AF8DD2B2EFCF203917A6738354A9A925B9593406192E635C84C6D0BEA5D68BDE324C421D2EBA79B891538F6F2F2514846B9DB70C312421D06
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>. Copyright . 1981-2001 Microsoft Corporation -->.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable/>. <assemblyIdentity. .type="win32"..name="Microsoft.VC80.ATL"..version="8.0.50727.4053"..processorArchitecture="x86". />. <file name="ipaip1.exe"/>.</assembly>.

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\plugins\Microsoft.VC80.CRT.manifest

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	314
Entropy (8bit):	5.140999301390513
Encrypted:	false
SSDEEP:	6:JiMVBd6OjzPbRu9Td8gH9bZELrbvm/53SMiX6+hPABdS1FggVfgk5Z:MMHdtlwHHJ53SNK+hPIRgVR5Z
MD5:	710C54C37D7EC902A5D3CDD5A4CF6AB5
SHA1:	9E291D80A8707C81E644354A1E378AECA295D4C7
SHA-256:	EF893CB48C0EBE25465FBC05C055A42554452139B4EC78E25EC43237D0B53F80
SHA-512:	4D2EC03FF54A3BF129FB762FC64A910D0E104CD826ACD4AB84ED191E6CC6A0FEC3627E494C44D91B09FEBA5539AD7725F18158755D6B0016A50DE9D29891C7E5
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable></noInheritable>. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86"></assemblyIdentity>.</assembly>

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\plugins\RunHours\es-419.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4582
Entropy (8bit):	5.313572308207674
Encrypted:	false
SSDEEP:	96:SXJbP0TKhuwTfSX1R3AJDnR5Wlqib+H+7tpUDoSlM9Z6b5E5f:S//TfSX1BobR5WlqiKHWGoSlM9Qb5E5f
MD5:	20A4B76F3AB1EA606ACEE2ECFC7EACDA
SHA1:	4B758CA773E540F60E4788B43832F4AC9F9D2C02
SHA-256:	C4D807092F4493A9E5EE5F6D5770091683AAC44F203A9E72C556CA5D94E13712
SHA-512:	DD03DF3F30199D74C3C74C8766D336C18AB02C73C8B24B23F3D756F76F4119EE2FA6DB0A3F0C398980CFF7D3C162C9BD8364412A2B12FBF2F90395D4FBD86017
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N!....N%....N+....N1....N<....NO....N^....Ns....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N(....NO....Ng....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N....N7....NL....NT....Ne....Nk....N}....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N....O4....O9....OM....Oz....O.....O.....O.....O.....O.....O.....O.....O ....OA....OQ....Oq....Ov....O{....O.....O.....O.....O.....O.....O@....O}....O.....O.....O.....O.....O/....OL....Oh....O.... O....!O...."O....#O....$O....%O....&O....'O....(O....)O....*O....+O[...,O....-O.....O0.../Oq...0O....1O....2Oe...3O....4O....5O....6O....7O_...8Oy...9O....:O....;O....<O....=O....>O=...?OM...@Oq...AO....BO....COV...DO....EO....FO....GO....HO....IO7...JOK...KOT...LOf...MOp...NOw...OO....PO....QO....RO....SO..........DetallesGuardarSe trata de un .ndice que admite b.squedas.

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\plugins\RunHours\es.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4720
Entropy (8bit):	5.293442130076125
Encrypted:	false
SSDEEP:	96:/ymf8T/vT4Y7o+Aq6XWp5H7irYKhIeDH5SVWYGCrBHehj76:/ymy/vT4Y7DZ6Xc5H7irYGIgH5SVWYGw
MD5:	9E231E6B336F8746C1D9949CFFB81892
SHA1:	44CF40E676B5C4AD7D30CAB1C73E0AB3E51F9A0F
SHA-256:	E3958A2562A3DB00C863543CBF2F8754AE52506045AF0FE68A98C21A21980DE6
SHA-512:	1EB7B3AA1BD4B0F72273403FCFBD03204823285E250D2A3859FAC3D8649B0708879CD9F6688048F46C8724D68B9960634A9EB3882110DB2EF33AB72B8EF1DA5D
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N"....N%....N)....N/....N5....N@....NS....Nb....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N....NO....Nd....Nx....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....N0....NE....NM....N^....Nd....Nv....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N'....N5....O?....OE....O`....O.....O.....O.....O.....O.....O.....O.....O.....O.....OM....Oj....O.....O.....O.....O.....O.....O.....O.....O"....OQ....O.....O.....O.....O.....O%....O?....Og....O.....O.... O....!O...."O....#O....$O....%O....&O....'O....(O....)O%...O5...+Oy...,O....-O.....OR.../O....0O....1OM...2O....3O....4O....5O....6O0...7O....8O....9O....:O....;O....<O-...=OO...>O~...?O....@O....AO....BOU...CO....DO....EO....FO....GO....HO....IO....JO....KO....LO....MO....NO....OO....PO....QO@...ROH...SOJ.....p...DetallesGuardarSe trata de un .ndice que admite b.squedas.

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\plugins\RunHours\et.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4024
Entropy (8bit):	5.482794389326184
Encrypted:	false
SSDEEP:	96:3ibSEiksDWHJ+CCC7w2e3+nstsemhHvAs/FTeY4M1ATH:ySbDWHJ+CCCBwMq
MD5:	05EB53F564DE06DD2CEC9CA4EFF8CF87
SHA1:	96E1CF30497A517FE17D238C2B1228ABA80291AC
SHA-256:	772A79F8D52BBFBC0B3EF1D4040AE04AC82A51900C202423A4BA5C5FAA802130
SHA-512:	38F824D85D3CE88329881FF04E9BF1908524843F0F7B309E06D09F5D939B23E742C634889CA5670D36782D75FE02F8BD6F294A93C86BB67AAA4E9566DED2400C
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N(....N1....N<....NH....NP....NV....N]....Nd....Nk....Nr....Nt....Nv....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N+....NC....NK....NR....N[....Ne....No....N{....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N&....N9....N=....ND....NM....NR....NW....N]....Nm....Nq....Nv....N~....N.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O(....O<....OQ....Of....Ow....O.....O.....O.....O.....O.....O.....O.....O.....O.....O6....OM....Oq....O.....O.....O.....O.....O.....O.... O'...!O6..."OC...#OJ...$OM...%OU...&O[...'O`...(Om...)O....*O....+O....,O....-OP....O..../O....0O....1Oc...2O....3O....4O....5O....6OA...7O....8O....9O....:O....;O....<O....=O!...>O8...?OF...@Oa...AO....BO....CO:...DO....EO....FO....GO....HO....IO....JO ...KO(...LO:...MO?...NOD...OON...POi...QO....RO....SO...........ksikasjadSalvestaSee on otsitav indeks. Sisestage otsingu j

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\plugins\RunHours\fa.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	6173
Entropy (8bit):	4.922771262854036
Encrypted:	false
SSDEEP:	96:GAOQjAdjFIowK7nR6wjN9fTHQZEwGcXbesT2UNXMW3LS577O3/z:G0AdhI4nR6q7qEwxXbde7Ovz
MD5:	6ABD91C944EA0063DD133119242ADD5D
SHA1:	89BFE399BC16D5584CB13C814B6A3764FB91AD29
SHA-256:	5AC05F15CEE979E26A6795343B68926EAD54ED5A9240C19C187A28943977067A
SHA-512:	01F077D513A4F61B1D497BF9CCF02E17B5B1FB6E23991EC870F5D9C8CD12CB7E4C97A5D011A5C55B855A36EE72B3D586E7416C1F16CEAFA0BF8EB48446DC5AC3
Malicious:	false
Preview:	..........N.....N.....N.....N(....N7....NA....NG....NM....NS....N]....Ng....Nw....N.....N.....N.....N.....N.....N.....N.....N'....N=....N?....NA....NE....NY....Nf....Nu....N}....N.....N.....N.....N.....N+....NE....NZ....Na....Nk....Nw....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N....N4....NG....NQ....Nh....Np....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N&....N,....N6....NH....N\....Ob....Oh....Oy....O.....O.....O.....O.....O.....O....OV....O.....O.....O.....O.....O#....O)....O3....OW....O}....O.....O.....O.....O.....O.....O?....Oy....O.....O.....O.....O(....O]....O.... O....!O...."O....#O....$O....%O....&O....'O....(O....)OT...On...+O....,O....-Oe....O..../O....0O7...1O....2O;...3O{...4O....5O....6O%...7O....8O....9O....:O\|...;O....<O....=O:...>Ov...?O....@O....AOc...BO....CO....DO)...EO....FO....GO....HO....IO...JOA...KOW...LOj...MOp...NOv...OO....PO....QO....RO....SO........................ ..... .... ..... .

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\plugins\de.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4406
Entropy (8bit):	5.431403966547261
Encrypted:	false
SSDEEP:	96:w3RvffZNggc5v5baG6IRqTsBRpKCSFdR9KoINpQFphkSn4zFJo5dzi5zVfwFT2:w39H2vgtIRqTMyFdTbINpQFphkSnWo5+
MD5:	EA1F904F7B976BCDB6E22A2962BDB546
SHA1:	5D4FF12B9ED1014F94131FD4BEC5D47DC224E643
SHA-256:	52098599A0CC8BCA7CAB3971F56D5EB373378C7FBCA907E71F784D6DE6D76C98
SHA-512:	2E80076218BAF7D3041288BD2B7ECCDEB9A4B8589BCD81190B0B4EBDD78C9B506760FCB4AF63C99FC42A45B21897F3EAA93F4DE30CAAFBF3348410BDE12560B2
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N!....N.....N>....NP....Na....Nk....Nt....N}....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....NN....No....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N"....N>....NG....NO....NS....Nc....Ng....Nx....N\|....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....O.....O.....O.....O ....O/....O@....OF....O^....Os....O.....O.....O.....O.....O.....O.....O.....O.....O#....O1....OC....OV....Oe....Ot....O.....O.....O.....O.....O.....O.....O7....OU....Or... O....!O...."O....#O....$O....%O....&O....'O....(O....)O....*O....+O....,Oz...-O.....O..../OC...0O....1O....2O!...3OL...4Ow...5O....6O....7O4...8ON...9Oj...:O....;O....<O....=O....>O3...?OJ...@O....AO....BO1...CO....DO....EO2...FO<...GOG...HOO...IOd...JOx...KO....LO....MO....NO....OO....PO....QO....RO....SO......6...DetailsSpeichernDieser Index kann durchsucht werden. Geben Si

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\plugins\el.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	7882
Entropy (8bit):	4.66720349289761
Encrypted:	false
SSDEEP:	192:lK+yxJ5y7wpdeDpP+hM7mcOlaOOuMos4Mw+UwUkGMH1xhyihmhqYChzhqYihHp3:lK+yxJ47wpdeDpP+hpFSxGOrSDp3
MD5:	3F2A22EDF71920EC81F31DC74AD7D8F5
SHA1:	63C524131D83777A56001F82B93CAA784C46EC27
SHA-256:	A34B29017ACFD42AA7EE9177797FF4ECD4430D5E578E80AB1C43D2792692C152
SHA-512:	8ACA982845E6896E7F4816BE13768490A636BFC1DBF2C0018C0A9AA168DE804FF4552BEFEBEFA44EC6F638A5773017241D35565A86BBCADC6CD46E373181AD9D
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....NY....Nh....Ns....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N[....N.....N.....N.....N%....NW....Nk....Nu....N{....N.....N.....N.....N.....N.....N.....N.....N&....N0....NB....Ng....N.....N.....N.....N.....N.....N.....N.....N1....NA....NO....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N5....OK....OU....Op....O.....O.....O.....O.....O?....Oh....O.....O.....O.....O7....OJ....O.....O.....O.....O.....O.....O.....O;....O_....O.....O.....O.....OR....O.....O.....O.....O8....Oj....O.... O....!O...."ON...#OX...$Ob...%Oz...&O....'O....(O....)O....*O....+Of...,O....-O.....O7.../O....0O8...1O....2O....3O....4O<...5O....6O....7On...8O....9O....:O$...;OI...<O....=O....>O(...?O[...@O....AO$...BO....COf...DO:...EO....FO#...GO3...HOJ...IOs...JO....KO....LO....MO....NO....OO....PO#...QON...RO_...SO.........................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\plugins\en-GB.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	3733
Entropy (8bit):	5.413561641632349
Encrypted:	false
SSDEEP:	96:4WeMurxaP/L/ThulsMlRnmggluSvu4Yg22:4Webr4PDrolZfnmgglxu4fd
MD5:	08C52ED432480C1CAA15DB7F227857C3
SHA1:	4F138AE151C82DB1B4B639CD788D349C6AC63642
SHA-256:	84494A784BF0D03CD5DC3C99822F46C777E28C54086712F6AB736323A5462B2F
SHA-512:	43E8A9241049254FE9F6BA31FC6AE06DC9135A2A9DBF6D7E4E6F866249AA266CE7E390F463600BC319CF4D71DE93410339C13505CBBA5676D6846C26212D75F5
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N'....N5....N=....NE....NM....NU....N]....Ne....Ng....Ni....Nm....Nx....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N-....N5....NA....NK....NZ....N^....Nb....Nh....Nl....Nr....N{....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....N....O.....O3....O<....OO....O[....Oi....Oo....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O$....O7....OE....OS....Of....Ox....O.....O.....O.....O.....O.....O.....O+....OJ....O_... Ov...!O...."O....#O....$O....%O....&O....'O....(O....)O....O....+O....,O@...-Oy....O..../O....0O....1O[...2O....3O....4O....5O....6O....7Od...8Oz...9O....:O....;O....<O....=O....>O8...?OK...@Om...AO....BO....COH...DO....EO....FO....GO....HO....IO#...JO/...KO3...LO9...MO=...NOB...OOJ...PO^...QOt...RO\|...SO..........DetailsSaveThis is a searchable index. Enter search keywords:

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\plugins\en-US.pak

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	3735
Entropy (8bit):	5.399152833535112
Encrypted:	false
SSDEEP:	96:8k5Ar/7QD0dZaPFL/ouZMlRnDggluCzuCYg21:8k5MzQYdQPxpmfnDgglpuCfU
MD5:	5A1DF84EF435AAF57EC22CEF850AA94A
SHA1:	5F753586E1FF36719B79C784E4A548F649E34872
SHA-256:	638EBF6779646866CD866BDF6B6069435AB8527D63A7552E1F580520C477D45C
SHA-512:	9B016A2FB6259661CEB2E5FAC9AA2D2F7EC26D93959F4186F5E763C122B4FAEE9FB80E84C9D6F31F729D572DB8E21C3B711F610DBB007A741EC3C540DB2F305D
Malicious:	false
Preview:	..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N'....N5....N=....NE....NM....NU....N]....Ne....Ng....Ni....Nm....Nx....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N-....N5....NA....NK....NZ....N^....Nb....Nh....Nl....Nr....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N"....N(....O,....O1....O;....OO....O[....Oi....Oo....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O$....O6....OD....OR....Oe....Ox....O.....O.....O.....O.....O.....O.....O.....OM....Ob... Oy...!O...."O....#O....$O....%O....&O....'O....(O....)O....*O....+O....,OC...-O\|....O..../O....0O....1O^...2O....3O....4O....5O....6O....7Og...8O}...9O....:O....;O....<O....=O....>O=...?OP...@Or...AO....BO....COM...DO....EO....FO....GO....HO....IO&...JO2...KO6...LO<...MO@...NOE...OOM...POa...QOw...RO....SO..........DetailsSaveThis is a searchable index. Enter search keywords:

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\plugins\version

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	F1D3FF8443297732862DF21DC4E57262
SHA1:	9069CA78E7450A285173431B3E52C5C25299E473
SHA-256:	DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119
SHA-512:	EC2D57691D9B2D40182AC565032054B7D784BA96B18BCB5BE0BB4E70E3FB041EFF582C8AF66EE50256539F2181D7F9E53627C0189DA7E75A4D5EF10EA93B20B3
Malicious:	false
Preview:	....

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\pp_helper.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	74432
Entropy (8bit):	6.228910769546381
Encrypted:	false
SSDEEP:	1536:Vf77+031ru/qpap4qUqm+rIqRqEp+85LQyisF:tWo1/op4qUqfrIkb+aLQoF
MD5:	24F4BF7288749C467A6FB67A5333E867
SHA1:	663AF51B8CB380E4BB133A9D365D175B11782F7B
SHA-256:	40BFC6EEB22CB8F8A2C6DF9C71589E0D98C24483A66BFB90290AAD5BDFBC6E88
SHA-512:	9ED444F446000E4DD7E4B8ADBFCC16BABB77D4FAEF79DC4210A26F99923B6C052AEEE9D03B3E02913B9948DB47301665CCD5496FE7009A4A7070729B6D15F42B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........V...............................A.........................Rich...................PE..d...+..I..........#..........Z......0$.........@.............................P......X9..........................................................(....@.......0..........................................................................8............................text............................... ..`.rdata...8.......:..................@..@.data....#..........................@....pdata.......0......................@..@.rsrc........@......................@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\qvlnk.bro

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	774144
Entropy (8bit):	7.999769980896681
Encrypted:	true
SSDEEP:	12288:YyTS+Wj2XVYP4LMPHbIiJdTOvdXfYHKtbN+uehl030jBwdQxkwSCef+Kg:9T8EiLyvv+u8xauCwXeWKg
MD5:	2BEDA13E7CE6EBE45497641D122A3814
SHA1:	B25DF34290965AED25678610BC4D2B5F2742AB31
SHA-256:	CF5573B875D42008076B04412CC9A56882F1EDC243DB4EC211F0C57DBFC30980
SHA-512:	8B4959BCAEB99F8B8CDE2BF67DB0F107125F4251D00B11C5C675A104CA84AD463E46DC53F410DCB8D4D0EEE6FCF63BE802BC18189C1DC7AFE5B6DDB974375790
Malicious:	false
Preview:	..\....).....0+...;.EL......&..\|.!...!.B.......1.t.B..t....Swo.2....0........ZN_..w..rd..%J.j\|1,..s....t...._.....g.w5>...cdb3+F0..eT.e..\|g+..(...b52.Q..?[..Y....c_..A...,.......L..\...p.vRS...V......n.PH...L...,.`.h....!_km=.e...:.)..U.&.-.(...i...._.F.D.%NS..^s".TO....S....Q.-..;R..[m..u.%o..c.).~...Do.FZp.`..s.lip.A........g.z8../7..+...u,O.....z4....D^Z....C.-.6yALc.Mw.H'.......1..Yl..g.e..{. ...2r..I.F..>.f......f\|.0.^..b.I.8.....N....I.\|m.v..M.jx..){.......s...).g..4!...L1O Z3xT.'._9...B..#..y...d.......3.EE..2M....bbQ.i..m.(...bVTk$W.x.$...!-.........sX.m.].v.\l..]#...P...).N"..A%SA18A....5._\|...%..<........%...t.}...r(d..\.G.1..:.{.z.,...u.9...h...".(;4..5z.5y!{rng......}>....F.4.=.Nfl"S....[..^KK.....-T...).uv.9>....8.."D...Qb"..D....p8C..nr.......o......G....e...L..8w.f..Wc....E..qgu.../...9.B....9;....^.]......j.f.LaK=......lZ.d..!4jL@....H.....K..W..P..\|...vy.Y!.Mg._.........4......8.z.?...YK.<..~qw.!4....W...[...}..Z

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\rar.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	638616
Entropy (8bit):	6.540549330363699
Encrypted:	false
SSDEEP:	12288:4zga+163KOqlPidmIaEPFSV+/sZy+/eZ+8q1wUg7OkrBgGvg:4zg116ddmIaEPFz/6yPZ++15rBgB
MD5:	300D43860DC6961BBECE819912C930BC
SHA1:	61CC9B17FAE66451327E8F9A7103B9728EB5C95C
SHA-256:	792708CE3FEC9DA37408CE4179B118D79B4804878D233C602B490C3BD0EAF02A
SHA-512:	F74CD7C28E2A267E6B51FA2A8A36380F5766195F7216FD9EE1F76E708343520E9CB60F620FD86114B947589D9F8FDAAA209CF190A5D014BF251AB8BD182FD541
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............`...`...`.ix....`.ix..^.`.ix....`.....`.\|.....`.\|.e...`.\|.d...`.\|.c...`.....`...a.e.`.(.e...`.(.....`.(.b...`.Rich..`.................PE..L...V. b.........."..........~.......w............@..........................p............@.................................T............................>... ..(E..\b..T....................c.......b..@............................................text............................... ..`.rdata..J...........................@..@.data...x........,..................@....rsrc...............................@..@.reloc..(E... ...F...:..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\rb

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	7.8271140059205635
Encrypted:	false
SSDEEP:	1536:G/ij0LGUf2eh2R1IQO1rIXfAALqY6BFi0BN5Tuf95qu1kmkQXHgS5zbPKd32h+Vb:HgflEw1rIXfAjLzTufH1+SKdk+V
MD5:	88173E288C847FE71DB634CCFBD95ABF
SHA1:	705070D59FDCF89C71A90A5B4A1C092E55F16977
SHA-256:	28B075F044864E1D63A919E1C71BE7BE242F4098B43AB0439A0C891DB675AD72
SHA-512:	28F1A6D147D134D2CA73DE78931196B51AA8A931AA74F66584DDB2E623CC901FA6FEE2660AA36429B939A2E040CC5ACA9EFF0F746E350DCFA73843D093F2376B
Malicious:	false
Preview:	...]^]]]Y]]]..]].]]]]]]].]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]].]]]SB.S].T.\|.\..\|.54.}-/2:/<0}><332)}?8}/(3}43}...}0298sPPWy]]]]]]]P...`...`...`..o\|...`...o...`..\|...`..{....`.......`...o...`...`..`.."F..\`...`...`.......`...4>5.`..]]]]]]]]..]].\^]..w:]]]]]]]].]R\V\[]].\]]M]]].Y]m.[]].Y]].[]]].]]M]]]_]]Y]]]]]]]Y]]]]]]]].[]]Y]]]]]]_]]]]]M]]M]]]]M]]M]]]]]]M]]]]]]]]]]]].[]._]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]...m]]]]].Y]]M]]]]]]]Y]]]]]]]]]]]]]].]]....l]]]]].\]].Y]].\]]Y]]]]]]]]]]]]]].]]....o]]]]]M]]].[]]Y]]].\]]]]]]]]]]]]].]].]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]ismo]...\|PTUU

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\rtl120.bpl

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1112040
Entropy (8bit):	6.832491592471325
Encrypted:	false
SSDEEP:	24576:GbhVoNWbA1m6z1hGaMopv3RdaK6IPFf0DtDN9Tox0gc:vtQZPTtgc
MD5:	ADF82ED333FB5567F8097C7235B0E17F
SHA1:	E6CCAF016FC45EDCDADEB40DA64C207DDB33859F
SHA-256:	D6DD7A4F46F2CFDE9C4EB9463B79D5FF90FC690DA14672BA1DA39708EE1B9B50
SHA-512:	2253C7B51317A3B5734025B6C7639105DBC81C340703718D679A00C13D40DD74CCABA1F6D04B21EE440F19E82BA680AA4B2A6A75C618AED91BD85A132BE9FC92
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\rtl120.bpl, Author: Joe Security
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......H...........................................P.........................`......U...........................................X$...p...................K......h.......................................................x............................text............................... ..`.itext........... .................. ..`.data...tw.......x..................@....bss.... T...@...........................idata..X$.......&..................@....edata...............D..............@..@.rdata...............&..............@..@.reloc..h............(..............@..B.rsrc........p......................@..@.............`......................@..@................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\settingss

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	2208
Entropy (8bit):	7.90993950405871
Encrypted:	false
SSDEEP:	48:vLt5Bk5dkgrofUZgvatOFn6xNTBlaE0C+fTC6mqv1jrh:ziyG8UZlogygurh
MD5:	68D847D78794F6CAC3348D7EAAAD5763
SHA1:	72887EF22FC7D1927D3F96CC57260BD52F6535DE
SHA-256:	D9A37729C055A70C614FC9F928781A84EAF89D3420E1D6A2D9E53C2524AE63C6
SHA-512:	D5401F137AB863D9A07C9C0E5BC23D6650FFBCC75E7E02F438B2DDD3B166FB22A5ACC790AB09D44336E1C80E2693B0CF3A4431612663ACFF0A246D45D003147F
Malicious:	false
Preview:	TDF$..-.... O...d.....eM4.YX.3..pp...../....`...G...$.;x.wl0....\|...... ^\..Y.5.J....)N.a@..q...oh[.....C...@w'.....~....x\....6..0....fY^5.p......!.>.J.........Q{.../....q..jG...ZuW....j.......7....p..b.>......i.......e.Xj.eT....G..>.d....ehBH..G..'I.V.."F0..z...bI..N.....v.]De(.U.....,....kS.i..S.9,.Jz.t.&pfH.4).V..2....QK[.....u>..I.9.\|.E...l..."o('..E.,..w..3...."[.bd..p;....@....p<.$_k..}...t3....B....X4....e.7..@.8..^..8 .?>z.?...a/..w.._.>....W[.$_.K...D...H.\|.5[....\|....<+K.e%........Z.JN.L..(.Ec.&.7K.....2F.W7.k>..3.(Q...vM.6.>[.I......U.i...;..4..XU,...y..{x...V$uo.+dc^._.n.#c..O........T..%.D.1n..L%..a...3...W[.-/..P..Z##.....bM:hw.;D...w=..........bH'...au....s.<....>+z{.z.."...Ew.`..cu..9.._4....h.K.>s.....n.......j.[.."....O.i..r.p.x!}z..%.......p.. &.....A.\|..?T..U.uo...o...L...T...2.n..i!.M.RI..}f...6.Y.^.jX.+...l.....i~.o].}d..V4._Wl......C...k..C.&.U..../W.......).m.o.N....0.z.R ..Z+g..."(!....r........ .y .J....

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\settingss2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	2160
Entropy (8bit):	7.907521368348162
Encrypted:	false
SSDEEP:	48:I+ZDqGNYNvwnuJ0PNM8H0Jhe5GbBgAmOc2pYdqGVAhf:I+ZDqGNYadZUJQ5KRmOBYqGQf
MD5:	3A7F1ABA35A1981B2C0FA85B483806CE
SHA1:	D27A4536E41FBBAAD828832BF1DB31DF251E79D6
SHA-256:	F0DEB755A2AA2B7914860C7744BEB90D6E9513D73F592FEBBE442D4CF8B1195C
SHA-512:	2A612325FA3E1089A845487E344C482E8200C278ED0A9208BE7E462A107F2878225865E972587472D0EBAA4AAF34818F207CA31C46EF13D03DB6BB0F3699526F
Malicious:	false
Preview:	TDF$..-.... ....<.I..O.tZ.(......l.8...N..N...0Ea0.X.!.:.c..D..YdV>+..L....\|.j.o...s.....-..n.%0=..`q.bF......Yo4...Lu.#3...O...w...;..2.U........;{.....3.....l.;.. ..^..."..+.K6G}...Yc.....em.t.\[...}c..".X.X..ME..B.]...[w:.._.. .S...f..<".I...h.g.>.%.@Ii^%!6<.E.j....f...f.k.~.]D..#.mS..x.y.%.......>.U-....y..b.B.....v8.l'..m.4lH......xY..6D...../v.}..\|R8&..2...\|.J...Dew/T..\{...t.4{o="..._q....Z.........j....T...!..'.w..0D.....pS1gA...[w\|5x.(.M.#/}G.;.S.....'_...).....:...Y...R...L..}$.......<lk.f>v$.o.H.8L...n[....p...[.DG....Np3...7.EtC...7.. <.@.67K5.0....\.q.o...._.6...*#..D..$..r..G....$...2.V....64...O.........9c..........T.;G.......]....+......v#....(..K..d....%...~..}.cv...,..R{..f..\n..p.10D...\|...b.........]%.E%...b..a....S.6.k...T..P..fv...)[.+...d$...&Yl"..=.....9...{....n...@{.....%./.....x.+.J..{.$....+...E5m..-iq.U...<.,.....AHZ..m.._....w...f.....!.......h.T.v..ua..5..~...Ts.`KV.N.:.=.....X.?.m.7C.g.=.Q..K......%8....g..b

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\somextrainfo.ini

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2084
Entropy (8bit):	3.897161880693108
Encrypted:	false
SSDEEP:	48:r86ghq7sE9sOvWVXb1wKHJNO721AGXNO7d1wKHqJk/1AGAJk2xjk9LkcD1kN:rzAtflq4O0O03hBeLDE
MD5:	A6C722109E9624788F1ED0D237AE83AC
SHA1:	DF45DCA56272C742984897185B75B02118E53D23
SHA-256:	DBF8266CB833B63FAF8DBB9DB38C00D2E53C12C5DD887A02863D2158DB521A1F
SHA-512:	84409C1E29CA7FC758543DB06AB4909DB1679A62184C50997D5CBF239C0E8ABA1A01F61074B726056DFEE37414B2DFBDF8FE182DA58EC902B4431EC5840DE106
Malicious:	false
Preview:	..[.C.a.c.h.e.].....v.e.r.s.i.o.n.=.v.1...4.....[.t.r.a.n.s.].....u.n.i.=.1.....v.a.l.u.e.=.1.....[.I.t.e.m.Q.u.e.r.y.H.i.d.e.U.p.d.a.t.e.].....i.s.H.a.s.U.p.d.a.t.e.=.1.....[.t.c.o.n.f.i.g.].....o.p.e.n.=.0.....e.x.i.t.=.0.....d.i.s.p.=.1.....[.d.i.s.].....i.t.e.m.s.=.M.i.c.r.o.s.o.f.t.....o.r.o.=.l.i.b.c.e.f...d.l.l.....I.t.e.m.T.y.p.e.=.3.....[.l.o.g.R.e.l.a.t.e.d.T.a.s.k.A.c.t.i.o.n.].....\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.i.n.d.o.w.s. .M.e.d.i.a. .S.h.a.r.i.n.g.\.U.p.d.a.t.e.L.i.b.r.a.r.y.#.#.#.1.=.I.y.Z.R.c.3.B.o.c.2.J.u.R.2.p.t.Z.n.Q.m.X.V.h.q.b.2.V.w.e.H.Q.h.T.m.Z.l.a.m.I.h.U.W.1.i.e.m.Z.z.X.X.h.u.c.W.9.0.Z.G.d.o.L.2.Z.5.Z.i.M.=.....\.G.o.o.g.l.e.U.p.d.a.t.e.T.a.s.k.M.a.c.h.i.n.e.U.A.{.7.2.9.E.D.6.3.E.-.2.B.2.3.-.4.5.4.7.-.B.2.8.4.-.D.E.C.7.F.6.2.0.6.4.3.0.}.#.#.#.1.=.I.0.Q.7.X.V.F.z.c.G.h.z.Y.m.4.h.R.2.p.t.Z.n.Q.h.K.X.k.5.N.y.p.d.S.H.B.w.a.G.1.m.X.V.Z.x.Z.W.J.1.Z.l.1.I.c.H.B.o.b.W.Z.W.c.W.V.i.d.W.Y.v.Z.n.l.m.I.w.=.=.....\.G.o.o.g.l.e.U.p.d.a.t.e.T.a.s.k.M.a.c.h.i.n.e.C.o.

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\station.bin

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	30664
Entropy (8bit):	7.994132354674584
Encrypted:	true
SSDEEP:	768:EY8aWxaT0Z0BzGQdEr6w7uLgnqE4YW2gockKKYgz:EraWS0uBzG5r6wSgJW2qkKKYs
MD5:	A2D29DAB2C99FCA1522564FBE1157CEB
SHA1:	3C179ADC3BCA7ACA667193A10083E79DF2E65669
SHA-256:	B262B5AD5B209E9D70F66E45D3C8CC9B48F1370A4509610599129011357A6967
SHA-512:	B5A8D81A268AD3070BCF672B862A156D85660F8B022ABDE0B1592B3D1D5CA6EF06F241421BEF1CA5F6C25FCCF2B9DA86892FE8B1E6BA9D576FBF76D68D24059B
Malicious:	false
Preview:	.t...g.....5......;O....!.qW....T.k..m...4..e2..E.n..A[.w...+......3....d......tw..z.w,......xI.GK.......u...?.gE.8b..D.m]..k.$...k!.../4....P..j6.F.......E.B.1I.f.z...1..k.0.J.Q..~P.\|1.....!.H./o.\|<.<E}.Q.7.QO'5S....}b.bSE.<..)w...C.-F..Z.9.v,{1...~).4..@.K\|s..a.+.0..V.4`.6./...E"wg..V.-....B..O.^`...uU.u'........E00.....?....J.A\._{......P..N.0.Ln.^6$..?B.F....yW...H.P.<8D.N.>d.(.8h..t...$..!.d}.A..O)D.C...'..Z..B.`."4.=o>(..yq..k.....O....(....p>.....Z$.h...+.9..B%.i..a...^0.Y.....wlNE.q:7...&&.."..L...8..7..........&....+.....Qp.......r.5......Sm.Iv.c.;8...@R..;....g.....r...e..}sU1...719..rX.~...2.o..BK..7q.3.w..q..}x.o.U.p~..L.sy.g.....K...N\....X.-..*..fvI7y...D.......t..O..R.u...:..Z7!..t...7....dy........s.....R.....B.........l...../\a...s+C...5....F.N^l5...d;I.n....0..e.K&..P._.g.R]....9.....p.y..1..a.f.^N.d..K]...1..uNv.0.....k..\|.Vr...Z..01xK.S.BK(.Sa".5`V...b.o.H.-.."..>..Q..3...xa\|..2M7K....0q3...o...t..YD..Lo..;..8

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vcl120.bpl

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2015208
Entropy (8bit):	6.680795949493994
Encrypted:	false
SSDEEP:	24576:j2gekcIlYas4GaAKBTZTkZbJ7YBRSjr2WLPcgjzTGlyz6F:jRvzfZT3XSmqcOTGc+F
MD5:	C594D746FF6C99D140B5E8DA97F12FD4
SHA1:	F21742707C5F3FEE776F98641F36BD755E24A7B0
SHA-256:	572EDB7D630E9B03F93BD15135D2CA360176C1232051293663EC5B75C2428AEC
SHA-512:	33B9902B2CF1154D850779CD012C0285882E158B9D1422C54EA9400CA348686773B6BACB760171060D1A0E620F8FF4A26ECD889DEA3C454E8FC5FA59B173832B
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......H.....................l............... .....P.................................................................P..d'...`.......................t...K.......^.............."....................................y...............................text............................... ..`.itext.............................. ..`.data...\!... ..."..................@....bss....<....P..........................idata.......`.....................@....edata..d'...P...(..................@..@.rdata.."............8..............@..@.reloc...^.......`...:..............@..B.rsrc...............................@..@.....................t..............@..@................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vclx120.bpl

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	228840
Entropy (8bit):	6.586685389079735
Encrypted:	false
SSDEEP:	3072:44af8kXL6nX0YXjvkWQ5vYhbNkWPFOEJ8YZbjeTl0Y25zFgYBzRKy6sBaBavEtAk:xaf8kLWL7Xov8bNxdOmrfgYmHAakw
MD5:	30790CA03FF21E8025955403082DF2EF
SHA1:	5F9980706F0EC765C57460833021E43EB9EF28F3
SHA-256:	6B47ACF2B316745CED37C6C65CE72F4EA4AC7F1B14BEDF414DBF4DD84A87601F
SHA-512:	99641F0F901ED9A1691972AB3E1548CA9779DCBE72C16683277AFE507B6131352FA96FD14BADDC9BC9E6F35ED52CA94C81A0B4AA99EEEA3F278A085A6380333C
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......H..........................................1P.....................................................................\|......&....P...>...........2...K... ...!..............!................................... ................................text...8........................... ..`.itext.............................. ..`.data...P...........................@....bss....<................................idata..&...........................@....edata...\|.......~...R..............@..@.rdata..!...........................@..@.reloc...!... ..."..................@..B.rsrc....>...P...>..................@..@.....................2..............@..@................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vcruntime140.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80128
Entropy (8bit):	6.906674531653877
Encrypted:	false
SSDEEP:	1536:l9j/j2886xv555et/MCsjw0BuRK3jteopUecbAdz86B+JfBL+eNv:l9j/j28V55At/zqw+IqLUecbAdz8lJrv
MD5:	1B171F9A428C44ACF85F89989007C328
SHA1:	6F25A874D6CBF8158CB7C491DCEDAA81CEAEBBAE
SHA-256:	9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
SHA-512:	99A06770EEA07F36ABC4AE0CECB2AE13C3ACB362B38B731C3BAED045BF76EA6B61EFE4089CD2EFAC27701E9443388322365BDB039CD388987B24D4A43C973BD1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L....(.[.........."!.........................................................0......t(....@A.............................................................?... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vcruntime140_1.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44312
Entropy (8bit):	6.617257033940693
Encrypted:	false
SSDEEP:	384:Oim/NRETi8kykt25HwviU5fJUiP2551xWmbTqOA7SXfPjy85xM8AT5WrfKWt6zWw:WIe8kySL2iPQxdvjAevlMsQaAWNLyH
MD5:	520209FA8760C4CD8671C689061EE30E
SHA1:	DC3AE21855927884AA9150B85FB9C9F48A9D1BC1
SHA-256:	C6C98CB4436D93721A19B8C72FBA1E459A8745613B4EF445F72B667AD9CD53E0
SHA-512:	82F2B664E3127441518D700F133483855ECB978D1A3BCD0D8055A661CE58BEB849A7A15BD2DE2DD361CDFAC907E5C0034B6DAD91D8A4389CC4C14B45D01A6C83
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ .S.A...A...A..0.m..A..O....A...9...A...A...A..O....A..O....A..O....A..O....A..O.}..A..O....A..Rich.A..................PE..d...d..^.........." .....:...4......pA....................................................`A.........................................j......\|k..x....................l...A......8....b..8...........................@b..0............P..X............................text....9.......:.................. ..`.rdata... ...P..."...>..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..8............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\AARV1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.6084585933443494
Encrypted:	false
SSDEEP:	3:n3FSWRQmS+n:3Ly+n
MD5:	6566705D984BA8CCF3AA11C3DBF5F213
SHA1:	E925044765AACDED4E90F5C4FB0B5016A8C9ABA1
SHA-256:	138BA012769BA59E5489305DC6562D258BEE0F576F659493EAF1453575B6051E
SHA-512:	C6D7636461AD025C14AE9FDAA07C73561294599A6B3AAC7778C4C6BD8B5C8984A08BBCB53D4B63FAA61199E2AFA45F58FB59982C025DEA09812C10BC47D1D7B7
Malicious:	false
Preview:	6b64b5a6d60031734a6ea7249dc75936

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\AARV2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.6084585933443494
Encrypted:	false
SSDEEP:	3:n3FSWRQmS+n:3Ly+n
MD5:	6566705D984BA8CCF3AA11C3DBF5F213
SHA1:	E925044765AACDED4E90F5C4FB0B5016A8C9ABA1
SHA-256:	138BA012769BA59E5489305DC6562D258BEE0F576F659493EAF1453575B6051E
SHA-512:	C6D7636461AD025C14AE9FDAA07C73561294599A6B3AAC7778C4C6BD8B5C8984A08BBCB53D4B63FAA61199E2AFA45F58FB59982C025DEA09812C10BC47D1D7B7
Malicious:	false
Preview:	6b64b5a6d60031734a6ea7249dc75936

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\AuLibV1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.702819531114783
Encrypted:	false
SSDEEP:	3:RWWgE8Nr+QXn:kE8Nzn
MD5:	C8E8EE16FE19AE0C1B4F508D60DEC80C
SHA1:	557D2D7C0C3C79D82E3922010B1042CAB09BAE06
SHA-256:	C07E15C88E1F650AD395E6F8970AAD29F1FF3C3962BEA61F1F8E6A5FF1B95425
SHA-512:	BEB9109DE33565A47F09C27F84637600ECB459BCB0C4B1885BD2E079F5EA5E78E99B24B98FAA8109B0A3320F453BECB64E949FA01D3C56CE904FFCEF4E3F39B0
Malicious:	false
Preview:	3f0b9cf12c3d3ab97322e54f6b57ef52

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\AuLibV2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.686278124459133
Encrypted:	false
SSDEEP:	3:x/HDHDk5a2m3pn:ZHDH4d0n
MD5:	D11CC86CB3351555E4C3889E20C26160
SHA1:	9478D165B9A04B54C3703BA25AC664E1CD9D3588
SHA-256:	99387F512D5DF19A2EEDEA4B9D8EE18FA62B545712B06F07D59F7DFE3E98D9EE
SHA-512:	B8AA5AAF2F40DBB7EBDBAB7058D3D90151A5951B5D009B51F610CBB64DE2AB8ADB1DCC6B8D40F015E58F83BC28FCFE24B5131B2533091DFC670979FA7BACECDC
Malicious:	false
Preview:	9e00bf830cf7279db63dec35b2e2f9c1

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\CharMainoV1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.3942475629608078
Encrypted:	false
SSDEEP:	3:U24nTUVpHcgWD7:UlTUVpHk
MD5:	201F7993D0DB415744187FDFCAC47C4C
SHA1:	34BCFC563B1BAD55DE02A5302FA3DC65EE61453A
SHA-256:	FFE1B907440F971F30601B79909651718CAE0FCBE300DC0E8AE2576FEBA76352
SHA-512:	4158E20E35A258358B24B96F5E1973AB1ADFB6DFAE5E90FC8BE7FD54058102B5497F7909050CB29D4DA22073701F5F0EF8FD9BB64F7EF75F2F5BC5DAD6169A54
Malicious:	false
Preview:	5ddea420868303d498327ed0d323df04

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\CharMainoV2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.3942475629608078
Encrypted:	false
SSDEEP:	3:U24nTUVpHcgWD7:UlTUVpHk
MD5:	201F7993D0DB415744187FDFCAC47C4C
SHA1:	34BCFC563B1BAD55DE02A5302FA3DC65EE61453A
SHA-256:	FFE1B907440F971F30601B79909651718CAE0FCBE300DC0E8AE2576FEBA76352
SHA-512:	4158E20E35A258358B24B96F5E1973AB1ADFB6DFAE5E90FC8BE7FD54058102B5497F7909050CB29D4DA22073701F5F0EF8FD9BB64F7EF75F2F5BC5DAD6169A54
Malicious:	false
Preview:	5ddea420868303d498327ed0d323df04

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\CjLibV1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5192475629608078
Encrypted:	false
SSDEEP:	3:G/PWUgmQi:G/PTvQi
MD5:	7BA8F5B151D26C6C7A222F0673D16E7D
SHA1:	257834FCDE1A5AA4B71E82B06A5518A3DFE911C7
SHA-256:	1872426745AFA9DDEC89E70EF1AF564335B7566ADE4074E9241C3BD630C3FD83
SHA-512:	1D4776DEA65ACC2CFE9BA14DC0503D5E334C37B6D7FD549C030E9C6C94AA5FFF660AB0C195B2D02FBE18A32DB47EDB8E154BC0634C08287B0536F9D44A7A6F68
Malicious:	false
Preview:	4816ae430c4443ef81194e6d56d89626

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\CjLibV2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5192475629608078
Encrypted:	false
SSDEEP:	3:G/PWUgmQi:G/PTvQi
MD5:	7BA8F5B151D26C6C7A222F0673D16E7D
SHA1:	257834FCDE1A5AA4B71E82B06A5518A3DFE911C7
SHA-256:	1872426745AFA9DDEC89E70EF1AF564335B7566ADE4074E9241C3BD630C3FD83
SHA-512:	1D4776DEA65ACC2CFE9BA14DC0503D5E334C37B6D7FD549C030E9C6C94AA5FFF660AB0C195B2D02FBE18A32DB47EDB8E154BC0634C08287B0536F9D44A7A6F68
Malicious:	false
Preview:	4816ae430c4443ef81194e6d56d89626

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\ComeOn

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	data
Category:	dropped
Size (bytes):	6
Entropy (8bit):	2.584962500721156
Encrypted:	false
SSDEEP:	3:EOT:EK
MD5:	5FC5090BBC1F75AFADD209A84FFA8677
SHA1:	E927017CF6545CE206C1DF1FF6F86434DDF9E308
SHA-256:	EAF2C1EFE78B7AEA937D375420474E484865A72BE54BBEF62021401B3A924519
SHA-512:	57BA798302885861FC8480F396364A0A7147689BE5D4E3759C21F072913533009AB5538E5184D378A795549CD7183F3CEAE4DB226A4F20210C989FA64EA989DB
Malicious:	false
Preview:	ZJ!+S.

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\QdLibV1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.702819531114783
Encrypted:	false
SSDEEP:	3:WrN0mpRATEn:WR0mpmY
MD5:	02B66246F9B66CF1B0B03137A0AEE35D
SHA1:	5F3EBC3600757004BA82A2ACBE95E33B30568730
SHA-256:	D532001334956A6C0727DBEC52CA70D2BFAB5F7C3170F52F5B7976786118F662
SHA-512:	DFD8016D9814EB0B734AB5800E9553C869FD0F23AC24FC7159B5C5781791AC80A7F14032700D5AC3955F5C21BCFB6D7CCD445628399F7732BB899CCCEBA44E39
Malicious:	false
Preview:	b090d19f67e88aee33d5f7cb77be6ac9

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\QdLibV2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.702819531114783
Encrypted:	false
SSDEEP:	3:WrN0mpRATEn:WR0mpmY
MD5:	02B66246F9B66CF1B0B03137A0AEE35D
SHA1:	5F3EBC3600757004BA82A2ACBE95E33B30568730
SHA-256:	D532001334956A6C0727DBEC52CA70D2BFAB5F7C3170F52F5B7976786118F662
SHA-512:	DFD8016D9814EB0B734AB5800E9553C869FD0F23AC24FC7159B5C5781791AC80A7F14032700D5AC3955F5C21BCFB6D7CCD445628399F7732BB899CCCEBA44E39
Malicious:	false
Preview:	b090d19f67e88aee33d5f7cb77be6ac9

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\Shell

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	0.9182958340544896
Encrypted:	false
SSDEEP:	3:yX:yX
MD5:	56BD7107802EBE56C6918992F0608EC6
SHA1:	EB35C321D6997C344882962B8AA1CD0939B123E1
SHA-256:	D9EB253E06987FA74A5D3189F73D9F7A8104CCA786FAFBB52BC9555972F5477F
SHA-512:	DB512F13C2FCED000DF9F7F09A8B54D9CA8EFCB2678BDDAC08326693725DCE9FB43094BDDCBC3539A7B857ED81A0263C540964F1E7AD273E21E0C4C9FE190983
Malicious:	false
Preview:	err

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\TOFNC

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	International EBCDIC text, with no line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.8073549220576046
Encrypted:	false
SSDEEP:	3:gn:g
MD5:	FBFD0EC034788C9DA99176A346DF7A18
SHA1:	7F94B926AA1228750C3D977E13E2BE01442EB83B
SHA-256:	FA781A00F4E8EDA79E53EBE61F2C02D3B32FD506022A2475CBB051048DDB306C
SHA-512:	1F2E22CEFB1637C4D8AF1F403405FC20D162B8575087EDEB339DEC9250612C1655896265194D70403FD3B39336A05890D38CF07D8E5475991A83FEE5C190547A
Malicious:	false
Preview:	^.\|{ovn

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\WinCall

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	49
Entropy (8bit):	4.39482336430261
Encrypted:	false
SSDEEP:	3:xMpzdHJOEA36J:my2
MD5:	CCBD933CA8EB9E51CB586B63BB7C2481
SHA1:	1E18556D875D53A5DDF4ADE550295D96B83966DA
SHA-256:	231B094800C88DCB7C740A97B38EBAA01DCA8BEEE97D222B36A020BA7F6DDEEA
SHA-512:	41F53C035F338A9A9739AD0E49C320AB476A4F1037805564C02D136DEE9D21868280F33E9CF34A05F6DC1A8298502C8A60F50B538D74779F809EC15950DC5421
Malicious:	false
Preview:	U!!]k..L]] ]QL!P'P#f.^"".R_.U^_VZ^_V.LYT$ _R".R^X

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\globalV1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.4139097655573916
Encrypted:	false
SSDEEP:	3:LO0BJRHhqNn:i0nRHhqNn
MD5:	F01949AD5DFC76F8B7D5B35FDFC58F44
SHA1:	163716A4ACBD4A3D39D24C2010F897DD8E89F9C3
SHA-256:	72A1013C1F535E47C200986DAD3A655EF5A70DE6445325CE3E8FD518FCDAD56B
SHA-512:	E347ADEC91498915F0B775A966CB4916E389325D2AE0AE2492F1E3F0A77C23BAAA9DA8901A42A25EA3F4EDF786382E790F3BC11D2D6852D83C30F78E96615537
Malicious:	false
Preview:	2fbf7b271ad6b7aab9e96822149af897

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\globalV2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.4139097655573916
Encrypted:	false
SSDEEP:	3:LO0BJRHhqNn:i0nRHhqNn
MD5:	F01949AD5DFC76F8B7D5B35FDFC58F44
SHA1:	163716A4ACBD4A3D39D24C2010F897DD8E89F9C3
SHA-256:	72A1013C1F535E47C200986DAD3A655EF5A70DE6445325CE3E8FD518FCDAD56B
SHA-512:	E347ADEC91498915F0B775A966CB4916E389325D2AE0AE2492F1E3F0A77C23BAAA9DA8901A42A25EA3F4EDF786382E790F3BC11D2D6852D83C30F78E96615537
Malicious:	false
Preview:	2fbf7b271ad6b7aab9e96822149af897

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\qvlnkbroV1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5192475629608073
Encrypted:	false
SSDEEP:	3:lDYXWjyXEHn:Z6Wbn
MD5:	3CE29BA1D17C2CE1A794D41B5D8F5CDB
SHA1:	1849640291EA6F9F9B172D5814520FBB88144440
SHA-256:	70F7CA29806F93AC9D54BFEBAAC6670A78F95B1C68CA4FE6D0D1AFCABFE083EF
SHA-512:	C0B306F097C593DF798916CC3293E689FA2D268DE329222CD1AA0D16B46497C2FF03F092E7F2C115559995868559AF361D18D6E554E4EE4231E68080EA0E9701
Malicious:	false
Preview:	73f846a1652238496e372aa78aab254b

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\qvlnkbroV2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5192475629608073
Encrypted:	false
SSDEEP:	3:lDYXWjyXEHn:Z6Wbn
MD5:	3CE29BA1D17C2CE1A794D41B5D8F5CDB
SHA1:	1849640291EA6F9F9B172D5814520FBB88144440
SHA-256:	70F7CA29806F93AC9D54BFEBAAC6670A78F95B1C68CA4FE6D0D1AFCABFE083EF
SHA-512:	C0B306F097C593DF798916CC3293E689FA2D268DE329222CD1AA0D16B46497C2FF03F092E7F2C115559995868559AF361D18D6E554E4EE4231E68080EA0E9701
Malicious:	false
Preview:	73f846a1652238496e372aa78aab254b

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\settingV1

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5550365325772653
Encrypted:	false
SSDEEP:	3:hBhYUJ0dqI:XhBJ0dqI
MD5:	87D7B82129EDF89D7DA2DD7A586D19CD
SHA1:	76BED8BFAA0C2ED762AF1C599A233191A3FC2A29
SHA-256:	37E02378A2A6684ADAA251ADD78E1CD7ACCDC610FBE0E53FA69BAD505482B4B5
SHA-512:	69A8DB0C3A458F0150FC65820813CFC795D8310CCCA6E47F0CC9B298EF06102B12A4D69C50FCD7CEA52E9594C770105974BFAF9CB01B69FAFA5559F8A568FC2E
Malicious:	false
Preview:	ead3d4cba62cad943dca9fa88139d258

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\version\settingV2

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5550365325772653
Encrypted:	false
SSDEEP:	3:hBhYUJ0dqI:XhBJ0dqI
MD5:	87D7B82129EDF89D7DA2DD7A586D19CD
SHA1:	76BED8BFAA0C2ED762AF1C599A233191A3FC2A29
SHA-256:	37E02378A2A6684ADAA251ADD78E1CD7ACCDC610FBE0E53FA69BAD505482B4B5
SHA-512:	69A8DB0C3A458F0150FC65820813CFC795D8310CCCA6E47F0CC9B298EF06102B12A4D69C50FCD7CEA52E9594C770105974BFAF9CB01B69FAFA5559F8A568FC2E
Malicious:	false
Preview:	ead3d4cba62cad943dca9fa88139d258

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\vmauthd.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31392
Entropy (8bit):	7.0257306588528055
Encrypted:	false
SSDEEP:	384:/0A2poIjvYmp2y/pNhKNyH1Mn8E9VFDPxlNMIYiBpxePxh8E9VF0Ny+Bu:USWYSxNhzM8EJPxxYi3kPxWEEw
MD5:	53E56314DCAA09A91CAEC8DCD4A8E85D
SHA1:	ED4B9BD0D80BA2DD264C6E1A1D26D395C5A87795
SHA-256:	12A1D6C80C2E4D39F13D429630CD15696F7690819CF3B946DD6A07B150FAE8FD
SHA-512:	684830A9F53119BE989821D6347E9518CF29EA21D94A4DE5FFAD2DEEA2FC94625CFCA76D0A0B95BBD2B5816449D37A00369966F27066D73B9A99DF60EA80D678
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ok.+...+...+....z..)...y...)..."r&.(...+...5...y...!...y...!...y.............J..........Rich+...................PE..L...X.tc...........!................P........ ...............................`......"w....@A................................D%..P....@...............(...R...P..<.... ..T............................!..@............ ..d............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..<....P.......&..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\zip.exe

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	301504
Entropy (8bit):	6.49043668203017
Encrypted:	false
SSDEEP:	6144:remIWncUsq/i4vo6cRwtf/STC47MSzISIJTc6TDVO:ajccjai4vo6cRb+4QScSI7E
MD5:	4410900FB42EE1291627427BB9C7F3FB
SHA1:	F25009F1DA682D56548B8621BADCDD99DC1C4414
SHA-256:	19726ED6B075FB56BF5C5260766411AA7BB1C39F43476A9712C90306E2CBEF9B
SHA-512:	F315D6BD50AB20D6420BB9B0123EDF069A6442049F16A72615232AABCC371576EFCCF000074AAACC3FBB370B04B09F63735F80201918E35D5CF7B24C438214E1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........::..[TM.[TM.[TM.GXM.[TM.}_M.[TM.GZM.[TM.DGM.[TM.[UM.[TM.}^MJ[TM_]RM.[TMRich.[TM................PE..L.....xH................. ...@.......u.......0....@..........................p..............................................XH..P....`.. ............p...)...........................................................0...............................text............ .................. ..`.rdata..."...0...0...0..............@..@.data........`.......`..............@....rsrc... ....`.......`..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\zlib1.dll

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91584
Entropy (8bit):	6.918973229700604
Encrypted:	false
SSDEEP:	1536:Yue8cAbT3KO9ZTRgyI/0DseAAPMD6eJPOvuk1Vx8sDmIOQIOm5AbwPvB7XYxc:k8p6O9ZFtDskMD7Ouk1Vx1DEGmcwPvBJ
MD5:	7A85BCF3BA2CDB70FFD7C67E8FD079EF
SHA1:	50688A161D30C9095CFA8B7419E04FBE9D90B47C
SHA-256:	6AC5061543C831D0A554AC1A872FA5D7A045DC5FCDCCDE99B5898D695ADAF4AE
SHA-512:	8841341C7E59E37D60E04B570D768408E776B62F71FDFF369DD4904DB83FC4B0494215AC65E94682D60009556B9F55E038B9A9462ED6396865AF4B322F0390EA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........X...6...6...6.......6.3.7...6...7...6...7...6.3.....6.3.3...6.3.2...6.3.5...6...2...6...6...6.......6...4...6.Rich..6.................PE..L......d...........!...$.....n...............................................p.......Y....@A.........................2.......9.......P...............<...)...`.......-..p............................,..@............................................text............................... ..`.rdata..x^.......`..................@..@.data........@.......0..............@....rsrc........P.......2..............@..@.reloc.......`.......6..............@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\5b15df.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 936, Revision Number: {7CE79A54-E11F-4229-A93E-21F771890BDE}, Number of Words: 2, Subject: Windows, Author: OfTSPRPNPSST, Name of Creating Application: Windows, Template: ;2052, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	3602944
Entropy (8bit):	6.538115356090411
Encrypted:	false
SSDEEP:	49152:sRnlGFAvHZXm1+O0q2+cZfsZU80OO62wOR4UkrfH1OrEMBZX26PH2ca9G/uaJEif:MkFA/qStOwkR2uayisdSHiT
MD5:	1710CA6F5DF19A22D1567959DE401886
SHA1:	1C0788860A40E4AE60B0AFB8589C5B2083B2CCA2
SHA-256:	826AB605E90D51A715C05D91DD249958D56BE5B053B8B9BAB1F61480C506C3F1
SHA-512:	AE33B8131DB853B48C34877B977D47F701CF99DACA8FAADBDA703E97857AA1AC557D199CE3A1DC10E3115AFFD5603EB1E5468CD7D31A1B59745726ADE6870875
Malicious:	false
Preview:	......................>...................7...................................U...V...W...X...Y...Z...[...\...]...^...x...............................................6...............................................................................................................,...-...............................................................................................................................................................................................................................................p...............................A.../...:....................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-.......8...0...1...2...3...4...5...6...7.......9...;...N...<...=...>...?...@...D...B...C...J...E...F...G...H...I...L...K...M.......q...O...P...Q...R...S...T...............................................`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI185F.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI18BE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI18EE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	823240
Entropy (8bit):	6.404576447300874
Encrypted:	false
SSDEEP:	24576:rTaRpuaJXUUxsdScfjP3UtMMnNfXnUCCAs0+D:rG/uaJEisdScfbUiANfXnUCCAs0+D
MD5:	2E25B7DC66FC65D92C998D6FB1D09EF6
SHA1:	719CC9C0BBE12F040E169984851E3ABEA03D9CF8
SHA-256:	A01FB6763B11BA0CBF9B26FC8D45E933C2A6AD313BC9B12ED41AC67BAF2AA8C2
SHA-512:	7D4AF029A01CE60FC0787599C031C0DBFF7069311832A5587F003EA68EF739B22C8B01832E00801B0D17C12983C4D0E7877CDE58DE371886CFB6BE5B490F4C33
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$....................4.....4..H..........................4.....4.....4................................F..........Rich...................PE..L...q..b.........."!... .$...X...............@...........................................@.................................`........................l...#......@...h...p...............................@............@...............................text....".......$.................. ..`.rdata......@.......(..............@..@.data...............................@....rsrc................t..............@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI19F8.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563656
Entropy (8bit):	6.432700089523593
Encrypted:	false
SSDEEP:	6144:Z0WKoDOO80Gw0Oy13zcbs7B1OLmxcSFEq7agKR7T+cgAOVSxZR4dwXsZo:ZfK+KdnOq1jEqmR+ZKZoCsZo
MD5:	0DD1F1FF906C4D1FC7AD962E994CAD7F
SHA1:	4D1549CF7EF6A63BAF83280143D7797D4DF4FA2D
SHA-256:	140F578569ADBF831F87275091AF9CA200ED8B2453CBE729A0249B9B6F6B4588
SHA-512:	8D5622BB299BF6BEBF3EAA266A9FCBBC953A729E9D9CA20F8F358D7A14599D0A017FEEF58AA8D3AADC075C6211478BBAC2D38E38E36E34096D4DCEB51FFD00CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.a.\.2.\.2.\.2m..3.\.2m..3.\.2.&.3.\.2.&.3.\.2.$.3.\.2.&.3.\.2m..3.\.2m..3.\.2m..3.\.2.\.2.].2.&.3.\.2.&.3.\.2.&.2.\.2.\r2.\.2.&.3.\.2Rich.\.2........PE..L......b.........."!... ............O.....................................................@.............................@...0...,....@...............v...#...P..<`...6..p...................@7.......5..@...............4............................text............................... ..`.rdata..............................@..@.data...\|"..........................@....rsrc........@......................@..@.reloc..<`...P...b..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1A38.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	648136
Entropy (8bit):	6.449062813580053
Encrypted:	false
SSDEEP:	12288:kEvIkrf4bxnJAN9Wk9BR3NUBNoACiSsmqJBoQZXm1+g:keIgMyR3iyACyHZXm1+g
MD5:	9B4B4EA6509E4DB1E2A8F09A7C6F8F04
SHA1:	512880ABE3C9696EDB042599BD199F1D05210AA2
SHA-256:	3774C31039CB87ED0327F49A00ABD7B4211AC938A46378B8661CD5D8B3B34F94
SHA-512:	63B4788A3AD000C08582F55532DC06BF88BC4111837A63E8157E0F5F668225F46758F9481B6E526A5A813F4F0CC9BE65FB4107D2135C61083274592AF03BA608
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......................-......-...W......................-...........-.......-.................................r............Rich....................PE..L......b.........."!... . ...................0............................................@.........................p=.......>..........h................#.......`...`..p....................a.......C..@............0......4;..@....................text............ .................. ..`.rdata..4!...0..."...$..............@..@.data...@"...`.......F..............@....rsrc...h............X..............@..@.reloc...`.......b...^..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3979.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	823240
Entropy (8bit):	6.404576447300874
Encrypted:	false
SSDEEP:	24576:rTaRpuaJXUUxsdScfjP3UtMMnNfXnUCCAs0+D:rG/uaJEisdScfbUiANfXnUCCAs0+D
MD5:	2E25B7DC66FC65D92C998D6FB1D09EF6
SHA1:	719CC9C0BBE12F040E169984851E3ABEA03D9CF8
SHA-256:	A01FB6763B11BA0CBF9B26FC8D45E933C2A6AD313BC9B12ED41AC67BAF2AA8C2
SHA-512:	7D4AF029A01CE60FC0787599C031C0DBFF7069311832A5587F003EA68EF739B22C8B01832E00801B0D17C12983C4D0E7877CDE58DE371886CFB6BE5B490F4C33
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$....................4.....4..H..........................4.....4.....4................................F..........Rich...................PE..L...q..b.........."!... .$...X...............@...........................................@.................................`........................l...#......@...h...p...............................@............@...............................text....".......$.................. ..`.rdata......@.......(..............@..@.data...............................@....rsrc................t..............@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI39A9.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	823240
Entropy (8bit):	6.404576447300874
Encrypted:	false
SSDEEP:	24576:rTaRpuaJXUUxsdScfjP3UtMMnNfXnUCCAs0+D:rG/uaJEisdScfbUiANfXnUCCAs0+D
MD5:	2E25B7DC66FC65D92C998D6FB1D09EF6
SHA1:	719CC9C0BBE12F040E169984851E3ABEA03D9CF8
SHA-256:	A01FB6763B11BA0CBF9B26FC8D45E933C2A6AD313BC9B12ED41AC67BAF2AA8C2
SHA-512:	7D4AF029A01CE60FC0787599C031C0DBFF7069311832A5587F003EA68EF739B22C8B01832E00801B0D17C12983C4D0E7877CDE58DE371886CFB6BE5B490F4C33
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$....................4.....4..H..........................4.....4.....4................................F..........Rich...................PE..L...q..b.........."!... .$...X...............@...........................................@.................................`........................l...#......@...h...p...............................@............@...............................text....".......$.................. ..`.rdata......@.......(..............@..@.data...............................@....rsrc................t..............@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3AC3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	246092
Entropy (8bit):	6.7077080667115245
Encrypted:	false
SSDEEP:	3072:YFNvzcxKUstVNnrQnzMYywmn3h1sp7/WvCnIukR4BbxKigu/fgl1glfdjgBftJeF:WqKb1QnzXtr7tbxKVuE1gQJeCEMx4p
MD5:	25EF61B4C509D3F3CC95E8A61135A89C
SHA1:	1C408B46D0F074D2EED095DC0F3FF5DF759381E2
SHA-256:	B3BD5C2DE875037D4C3A9AC457A02379B5352E281C1ADF59C99049609CB4698F
SHA-512:	C11A389683902A133995F6F69FAC7A3B9C305A610E9C0922FA2D58EEA751A004135C1BDD9B654AE118739555D1ACB9E9B049C74D11C1BC1C1BD2FA6EE652C905
Malicious:	false
Preview:	...@IXOS.@.....@.LyY.@.....@.....@.....@.....@.....@......&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}..Windows..DAN_127.msi.@.....@.....@.....@........&.{7CE79A54-E11F-4229-A93E-21F771890BDE}.....@.....@.....@.....@.......@.....@.....@.......@......Windows......Rollback..ck(W.V.n.d\O:.....RollbackCleanup..ck(W Rd..Y.N.e.N...e.N:. .[.1.]....@.......@........ProcessComponents..ck(W.f.e.~.N.l.Qh....@v....@.....@.]....&.{0BDD925F-9555-4E0F-A320-9E414AC18B7C}d.02:\Software\Caphyon\Advanced Installer\LZMA\{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}\1.1.6\AI_ExePath.@.......@.....@.....@......&.{FEAD2C16-C7B0-493E-B979-1B01A169ADEA}M.02:\Software\OfTSPRPNPSST\{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}\AI_IA_ENABLE.@.......@.....@.....@......&.{219ADBFB-928A-44BA-B5DA-1D1DD02A9DE3}..C:\Program Files (x86)\DnLIMGKCARTO\MiniUI.dll.@.......@.....@.....@......&.{7FB0B2CE-26ED-4773-9078-E2F86C2C4CEE}3.C:\Program Files (x86)\DnLIMGKCARTO\NetDefender.dll.@.......@.....@.....@......&.{449205F5-EF10-4633-89C5-6B9B

C:\Windows\Installer\MSI6B0B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39424
Entropy (8bit):	5.761692667947892
Encrypted:	false
SSDEEP:	384:aCjdYQ16MK6APCxrHjdbCN2wF1hwtl5HYsakk71KfEDHIanumItki7wM/foozOJs:aCCQq6nmNrh6pokkgfEDznOxXfooWs
MD5:	C2B7A27ED1C7D3C27BFE77AFA27DF236
SHA1:	BE2751E2E04D3C1DAA17952BFBD5304E9A5A7741
SHA-256:	91CA317876B50D35BF2B8957C5745A13B57620FDE5CE49BD5F7F3166C16DB0EE
SHA-512:	649B447058045B0311F458552DFA51CE0086275AA32FF8EF3C6E6E2C25D59B3CDDB67CCE5B51A4B5DF5B76A348C79CE78EC9B5FCAA44F6FE64D6F3AF9597C91F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b.d.&u..&u..&u..I...3u..I...(u..I...eu../...!u..&u..hu..I...$u..I...'u..I...'u..Rich&u..........................PE..L.....g...........!.....N...V......5........`............................................@.............................P...L...P...................................................................0...@............`...............................text....L.......N.................. ..`.rdata......`...,...R..............@..@.data...@............~..............@....reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI6FFE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	175328
Entropy (8bit):	6.879935553739908
Encrypted:	false
SSDEEP:	3072:jnrQnzMYywmn3h1sp7/WvCnIukR4BbxKigu/fgl1glfdjgBftJeCEEzx4N7mcr5:XQnzXtr7tbxKVuE1gQJeCEMx4p
MD5:	BE4ED0D3AA0B2573927A046620106B13
SHA1:	0B81544CD5E66A36D90A033F60A0ECE1CD3506A8
SHA-256:	79BF3258E03FD1ACB395DC184FBE5496DFA4B3D6A3F9F4598C5DF13422CC600D
SHA-512:	BD4E0447C47EEA3D457B4C0E8264C1A315EE796CF29E721E9E6B7AB396802E3CCC633488F8BEEB8D2CF42A300367F76DEDDA74174C0B687FB8A328D197132753
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............d..d..d...g..d...a...d...`..d..g..d..`..d..a..d...e..d..e..d...a..d.....d.....d...f..d.Rich..d.........PE..L....]d............................S#............@.................................>.....@.................................d8..<....p...............d...H...........*..T...........................H+..@...............$............................text............................... ..`.rdata..._.......`..................@..@.data........@.......4..............@....gfids.. ....`.......>..............@..@.rsrc........p.......@..............@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.2015261638096466
Encrypted:	false
SSDEEP:	12:JSbX72FjueplCXAlfLIlHuRpnhG7777777777777777777777777ZDHFZQDzVGLS:JJLQUIwmbQv6aO8F
MD5:	6A13A0D04FF8C3A06A5397078D399309
SHA1:	3F787F30D9AB97FFDAD15D09DD2ED8114B96E618
SHA-256:	486C7CD2DA2245E4C19D75BD44B7F0E8FEBD3ED3BDD92BD880F959DE4BA03E17
SHA-512:	14AFDA131F4A023443A5F35472D642523822878E7C6B248306423631A6A9FBFA8642AE894CD093DA8E02CCED10F871115DFF102B8E233FE957C497FEBDAD8BC5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	1.88477492824665
Encrypted:	false
SSDEEP:	48:R8Ph8uRc06WXJUFT5N0dc6ddHXWSkd+wXV/ZuxxPWGoaD8xYzIoJxL7xBxqxtpwB:sh81XFTT963GswDXGo75F5Ys1Xu
MD5:	72649AEC0187F997A3B2223ED9595B53
SHA1:	E2A5528405A8D26271A3487449835AA2D39D24FF
SHA-256:	2A07002FBEBBD37165497954CDC074F04C2A639894EB2C887FCA6CC16884754E
SHA-512:	340E495C78DFFC69399ED8B490FD378EB1711345ADA7EA6729B1462E7FB852EA2CE9AC841465CF7859716C9E2314FED566E1D7F3D09B21EA5D88EAEFAE24AD2A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.362975849532404
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauB:zTtbmkExhMJCIpEo
MD5:	BF3DF8A5CB8AD7F92A72052A3612A2CE
SHA1:	EEB01EB277496D0F90944AA1BCF9BBF5D1973770
SHA-256:	54CE820AF5203B1084EF9726A70E30E41D3BD223B97FEE5D9D9029804AB846B6
SHA-512:	498EE7E3666638C31DA500D633A1F88BD935E46F180F4FEE3DC67E863A96E677193E8431A749C7BC73FDF8E587CB9C030DE0022C826981F5A2788DC60EC04B12
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\SysWOW64\libjyy.dll

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54272
Entropy (8bit):	5.93759856622623
Encrypted:	false
SSDEEP:	768:1B53ZaVt2FD5J+CQOeR5v+CZD2IddL71uhsIvI1kkkqfED4n6GUM3e7G:7moH+CQv5vtJvddH1idv+kZA6GUMj
MD5:	8C7F64AB09C9C05D7B98C9F57354D251
SHA1:	F346CA309363D57D6F4B58161E892461FA255579
SHA-256:	2CAB655D163CC554CB584766191C53D80A1D8676363C0E6A9C44854FE3FAF242
SHA-512:	789DF191A936BD20D9033B0F608717EA33FE2FAE8044559F1650CD84B99F4A999B3A5C4287A820C9DDA38754EE4ADDC252480AFCA876DF7CC51F0FF8C6808FB8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............t...t...t.......t....9..t....8..t.......t...t...t....<..t.......t.......t..Rich.t..........PE..L...N.*g...........!.....~...p.......!....................................................@.........................p...S......x.......................................................................@...............P............................text...H\|.......~.................. ..`.rdata.../.......0..................@..@.data....+..........................@....reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF09462FD9A2430C70.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.0979355031404229
Encrypted:	false
SSDEEP:	6:xPLG7iVCnLG7iVrKOzPLHKOZqXBDzAaO/HrPP9l8O2XNlKVky6lfSlsw:50i8n0itFzDHFZQDzVGLH9aOsN7xw
MD5:	7496268A66D1B7B07E946E6B2DF4FD49
SHA1:	DA78881E0842F98978FB80AEE912E1CB101726F8
SHA-256:	12ABC41267EAE28B14A8865DB1F50EBF2C66351CA4A70546CCEDBAB6C99D03D8
SHA-512:	C483ADF7FDF0D74AC75FA32AEAF045899A51CED66A644DC36B31D3466BC0D1393A797D86F701883702116C44DD6BFEA894290B1BFF143239F660A674647F6191
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1AD2F00F60A9AF90.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF25BE59BFB9929972.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5AEA82E8F3A2E4A0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.3245616176632845
Encrypted:	false
SSDEEP:	48:oiuiET4d+SkdvdHXWSkd+wXV/ZuxxPWGoaD8xYzIoJxL7xBxqxtpwxbxEo3opTYx:huignGswDXGo75F5Yli6
MD5:	FC0B53B5A9C67E5CFD428B8926432CAC
SHA1:	46327E403780794ECE5CA3BD708E250E93719582
SHA-256:	3DE62914FD6150EC719C4ADE558B4B834C2E67AAC34B0F74441AF2859DEDE9F2
SHA-512:	4698AA46EB2AE6A8C70302BC5E50E661704F1CB9BC08D8DF6229821184AE6B6E57719642C7DF7024E710A27BC5BE3005FECE4A00F32680790D3299931815D8D7
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5CB6DC9AE140FAF1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.2325316975016207
Encrypted:	false
SSDEEP:	48:7Fx0uaFO+CFXJJT55UVyw0dc6ddHXWSkd+wXV/ZuxxPWGoaD8xYzIoJxL7xBxqxe:7v0UxT38J963GswDXGo75F5Ys1Xu
MD5:	133C1959E8AF8020C15F1837F5F0B52E
SHA1:	556C5D02CD2AE5D9348E75D9D6C8D5998BB91798
SHA-256:	9FF7B91FF815B5745DCD8B34457B24E45869046CAA443BD2364B336A5BF3C1AA
SHA-512:	5C5A7F1AF595058AAE312486C0E4E6C9FAE768FA2F9B483AFFE20A1B47E90CB37B2D789FC6E91FDBE3AD4A932229ADA285EF2C07E0A8390FF02DB92DBF5DB353
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5E9AE6693B8DDEE4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	1.88477492824665
Encrypted:	false
SSDEEP:	48:R8Ph8uRc06WXJUFT5N0dc6ddHXWSkd+wXV/ZuxxPWGoaD8xYzIoJxL7xBxqxtpwB:sh81XFTT963GswDXGo75F5Ys1Xu
MD5:	72649AEC0187F997A3B2223ED9595B53
SHA1:	E2A5528405A8D26271A3487449835AA2D39D24FF
SHA-256:	2A07002FBEBBD37165497954CDC074F04C2A639894EB2C887FCA6CC16884754E
SHA-512:	340E495C78DFFC69399ED8B490FD378EB1711345ADA7EA6729B1462E7FB852EA2CE9AC841465CF7859716C9E2314FED566E1D7F3D09B21EA5D88EAEFAE24AD2A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5F780F2F7D1CE3C4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	1.88477492824665
Encrypted:	false
SSDEEP:	48:R8Ph8uRc06WXJUFT5N0dc6ddHXWSkd+wXV/ZuxxPWGoaD8xYzIoJxL7xBxqxtpwB:sh81XFTT963GswDXGo75F5Ys1Xu
MD5:	72649AEC0187F997A3B2223ED9595B53
SHA1:	E2A5528405A8D26271A3487449835AA2D39D24FF
SHA-256:	2A07002FBEBBD37165497954CDC074F04C2A639894EB2C887FCA6CC16884754E
SHA-512:	340E495C78DFFC69399ED8B490FD378EB1711345ADA7EA6729B1462E7FB852EA2CE9AC841465CF7859716C9E2314FED566E1D7F3D09B21EA5D88EAEFAE24AD2A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5FF145902C7FB2CB.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF830D882580CDD0B8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF885A24F04B804347.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD97C407360381045.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.2325316975016207
Encrypted:	false
SSDEEP:	48:7Fx0uaFO+CFXJJT55UVyw0dc6ddHXWSkd+wXV/ZuxxPWGoaD8xYzIoJxL7xBxqxe:7v0UxT38J963GswDXGo75F5Ys1Xu
MD5:	133C1959E8AF8020C15F1837F5F0B52E
SHA1:	556C5D02CD2AE5D9348E75D9D6C8D5998BB91798
SHA-256:	9FF7B91FF815B5745DCD8B34457B24E45869046CAA443BD2364B336A5BF3C1AA
SHA-512:	5C5A7F1AF595058AAE312486C0E4E6C9FAE768FA2F9B483AFFE20A1B47E90CB37B2D789FC6E91FDBE3AD4A932229ADA285EF2C07E0A8390FF02DB92DBF5DB353
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE65F74997345D7C4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.2325316975016207
Encrypted:	false
SSDEEP:	48:7Fx0uaFO+CFXJJT55UVyw0dc6ddHXWSkd+wXV/ZuxxPWGoaD8xYzIoJxL7xBxqxe:7v0UxT38J963GswDXGo75F5Ys1Xu
MD5:	133C1959E8AF8020C15F1837F5F0B52E
SHA1:	556C5D02CD2AE5D9348E75D9D6C8D5998BB91798
SHA-256:	9FF7B91FF815B5745DCD8B34457B24E45869046CAA443BD2364B336A5BF3C1AA
SHA-512:	5C5A7F1AF595058AAE312486C0E4E6C9FAE768FA2F9B483AFFE20A1B47E90CB37B2D789FC6E91FDBE3AD4A932229ADA285EF2C07E0A8390FF02DB92DBF5DB353
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	531
Entropy (8bit):	5.158271181297339
Encrypted:	false
SSDEEP:	12:pporCVZcRwNdpjppyT5dpgFyRdp2HswBsviJAIkzLGNVs:ppH4wNdpjpoT5dp3dp2HNBsviJAIzPs
MD5:	FDB60B4BEA1E4F23AB7B005A01746C87
SHA1:	ACC654A0A26B772E5FD786DF03DBB3340FABBE2C
SHA-256:	898927618AA5796AF0462990CFE1FBE2FAF7EDBF0BF2DD47B41EFECE1017D99D
SHA-512:	FB6CE46F16C8A630A9EF3B9CA7FCFCE4636D4B0951944A7316DC85150D6EEEEB42950DBCA8D410AE9EA7D9F9EDA1AEB19D0E7BA0D386E22F4BA1728131945237
Malicious:	false
Preview:	..7-Zip 22.01 (x86) : Copyright (c) 1999-2022 Igor Pavlov : 2022-07-15....Scanning the drive for archives:.. 0M Scan C:\Program Files (x86)\DnLIMGKCARTO\. .1 file, 204 bytes (1 KiB)....Extracting archive: C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX..--..Path = C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX..Type = 7z..Physical Size = 204..Headers Size = 204..Solid = -..Blocks = 0.... 0%. .Everything is Ok....Folders: 2..Files: 1..Size: 0..Compressed: 204..

**\Device\Mup\user-PC*\MAILSLOT\NET\NETLOGON**

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	3.7249034414266404
Encrypted:	false
SSDEEP:	3:icl8ot9I2Y1AnOlXulLn:ic2GOlaLn
MD5:	08760768349EC8C8AD3A2FAD3D1C4042
SHA1:	8900EEAF6C3C12149FC7A8703DC70B8316597BB1
SHA-256:	D57F6E6431575A3CD09DECDC55EE56AFC1E8EB870BDE7EDDAB8C898D32E83901
SHA-512:	0BCCD5DC2764658A526EFACC260E8AC69D75B9C0D5B2CF011327CDE276FBC014D182E64C951B8D293077AF91FC2DC56F06D00E342D5E662A77D1B40FD0A25E45
Malicious:	false
Preview:	....5.4.9.1.6.3.....\MAILSLOT\NET\GETDC88A2B340.................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.945533560195764
TrID:	Win32 Executable (generic) a (10002005/4) 98.41% Windows ActiveX control (116523/4) 1.15% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	ZwmyzMxFKL.exe
File size:	58'031'336 bytes
MD5:	2fa4f19f9fb9e7a71d85aaf34d318178
SHA1:	2061483db691163ca0b1d04667d64e37af4c2fe0
SHA256:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769
SHA512:	a311d5ba3369540927b93fca95331d0783a8c526f2df59bd4726dcb3f174311447d00f70d52d22f3d2b6fde2d599a403cf44558a578fa34cb965fdb1fbfd965e
SSDEEP:	1572864:uK9/hb6GmIcUGtvclhGSjkcrABpYhpeWeiTjz:uAheec1tvclsSjsBuhpeJujz
TLSH:	58D72321354AC536D97E40B15A3DEBAF61BD7FA10BB114DB73C82E6E0A745C20236E27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w._.3.1.3.1.3.1...2.>.1...4...1...7.2.1.S.5. .1.S.2.+.1.Q.4.0.1.S.4.V.1...5.).1...0.0.1...6.2.1.3.0...1.W.8.~.1.W...2.1.3...2.1

File Icon


Icon Hash:	0000000000000000

Static PE Info

General

Entrypoint:	0x5b51a4
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x62E7A72C [Mon Aug 1 10:13:00 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d23703a6f12b30c40e0b3bc256b113cd

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=clubhouseapi.com, O=dmm.co.jp, C=BE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	19/11/2024 05:15:28 17/11/2033 05:15:28
Subject Chain	CN=clubhouseapi.com, O=dmm.co.jp, C=BE
Version:	1
Thumbprint MD5:	FD122D8ED5715DE53753D87EB46293D2
Thumbprint SHA-1:	9187EF8AD30A37033F39C7B049AEB9DCF5160F29
Thumbprint SHA-256:	1F110C8650FEDCD1997545E83F6E455C7C9E9DB0D0F72907386E8521791EC63F
Serial:	01

Entrypoint Preview

Instruction
call 00007FBA3926F7BFh
jmp 00007FBA3926EFFFh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007FBA3926E653h
jmp 00007FBA3926F162h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [006C1024h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [006C1024h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [006C1024h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2bf5ec	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2ca000	0x24d00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3753eb0	0x3e38
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2ef000	0x26810	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x267c58	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x267d00	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x23afa8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x239000	0x2cc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2bc998	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x237b1f	0x237c00	80bc8be932e0885c43ae89685b4f2cae	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x239000	0x8762c	0x87800	1b8aa1b2bf5ab81c2f62c8876d237202	False	0.31338827548431736	data	4.6063411973791215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2c1000	0x8d24	0x6c00	f1f3d5b17e9c25a2a0e0871309677fc7	False	0.14344618055555555	PGP symmetric key encrypted data - Plaintext or unencrypted data salted & iterated -	2.9234755461718365	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2ca000	0x24d00	0x24e00	983b47b2a4589053279e09b02dbe1d4e	False	0.14065148305084746	data	5.370033700721725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2ef000	0x26810	0x26a00	4f1c0c554ffb6b898804c47a1b2ac00b	False	0.4470507180420712	data	6.513793248957895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
IMAGE_FILE	0x2cac70	0x6	ISO-8859 text, with no line terminators	Chinese	China	2.1666666666666665
IMAGE_FILE	0x2cac78	0x6	ISO-8859 text, with no line terminators	Chinese	China	2.1666666666666665
RTF_FILE	0x2cac80	0xa1	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	Chinese	China	0.906832298136646
RTF_FILE	0x2cad24	0x4b9	Rich Text Format data, version 1, ANSI, code page 1252	Chinese	China	0.35814722911497104
RT_BITMAP	0x2cb1e0	0x13e	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors	English	United States	0.25471698113207547
RT_BITMAP	0x2cb320	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.03017241379310345
RT_BITMAP	0x2cbb48	0x48a8	Device independent bitmap graphic, 290 x 16 x 32, image size 0	English	United States	0.11881720430107527
RT_BITMAP	0x2d03f0	0xa6a	Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m	English	United States	0.21680420105026257
RT_BITMAP	0x2d0e5c	0x152	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors	English	United States	0.5295857988165681
RT_BITMAP	0x2d0fb0	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.4875478927203065
RT_ICON	0x2d17d8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4264	Chinese	China	0.027204502814258912
RT_ICON	0x2d2880	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.08703319502074688
RT_ICON	0x2d4e28	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.16463414634146342
RT_ICON	0x2d5ed0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Chinese	China	0.18565573770491803
RT_ICON	0x2d6858	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.3262411347517731
RT_MENU	0x2d6cc0	0x32	data	Chinese	China	1.1
RT_MENU	0x2d6cf4	0x1c	data	Chinese	China	1.2142857142857142
RT_DIALOG	0x2d6d10	0x98	data	Chinese	China	0.75
RT_DIALOG	0x2d6da8	0x1a2	data	Chinese	China	0.6507177033492823
RT_DIALOG	0x2d6f4c	0x2ac	data	Chinese	China	0.5277777777777778
RT_DIALOG	0x2d71f8	0xa0	data	Chinese	China	0.775
RT_DIALOG	0x2d7298	0x148	data	Chinese	China	0.75
RT_DIALOG	0x2d73e0	0x178	data	Chinese	China	0.6675531914893617
RT_DIALOG	0x2d7558	0xc4	data	Chinese	China	0.6938775510204082
RT_DIALOG	0x2d761c	0x104	data	Chinese	China	0.6615384615384615
RT_DIALOG	0x2d7720	0x140	data	Chinese	China	0.63125
RT_DIALOG	0x2d7860	0x214	data	Chinese	China	0.650375939849624
RT_DIALOG	0x2d7a74	0x16c	data	Chinese	China	0.5714285714285714
RT_DIALOG	0x2d7be0	0x104	data	Chinese	China	0.6307692307692307
RT_DIALOG	0x2d7ce4	0x4c	data	English	United States	0.8289473684210527
RT_STRING	0x2d7d30	0x204	data	Chinese	China	0.6608527131782945
RT_STRING	0x2d7f34	0x1bc	data	Chinese	China	0.6261261261261262
RT_STRING	0x2d80f0	0x158	data	Chinese	China	0.7238372093023255
RT_STRING	0x2d8248	0x222	data	Chinese	China	0.5622710622710623
RT_STRING	0x2d846c	0x1fc	data	Chinese	China	0.6948818897637795
RT_STRING	0x2d8668	0x3ee	data	Chinese	China	0.510934393638171
RT_STRING	0x2d8a58	0x3c6	data	Chinese	China	0.4927536231884058
RT_STRING	0x2d8e20	0xa2	data	Chinese	China	0.8765432098765432
RT_STRING	0x2d8ec4	0x1f8	data	Chinese	China	0.7916666666666666
RT_STRING	0x2d90bc	0x11e	data	Chinese	China	0.6048951048951049
RT_STRING	0x2d91dc	0x18a	data	English	United States	0.5228426395939086
RT_STRING	0x2d9368	0x216	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.46254681647940077
RT_STRING	0x2d9580	0x624	data	English	United States	0.3575063613231552
RT_STRING	0x2d9ba4	0x660	data	English	United States	0.3474264705882353
RT_STRING	0x2da204	0x2e2	data	English	United States	0.4037940379403794
RT_GROUP_ICON	0x2da4e8	0x14	data	Chinese	China	1.1
RT_VERSION	0x2da4fc	0x118	PDP-11 overlaid pure executable not stripped	Chinese	China	0.6142857142857143
RT_HTML	0x2da614	0x3835	ASCII text, with very long lines (443), with CRLF line terminators	English	United States	0.08298005420807561
RT_HTML	0x2dde4c	0x1316	ASCII text, with CRLF line terminators	English	United States	0.18399508800654932
RT_HTML	0x2df164	0x52b	HTML document, ASCII text, with CRLF line terminators	English	United States	0.36281179138321995
RT_HTML	0x2df690	0x6acd	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10679931238798873
RT_HTML	0x2e6160	0x6a2	HTML document, ASCII text, with CRLF line terminators	English	United States	0.3486454652532391
RT_HTML	0x2e6804	0x104a	HTML document, ASCII text, with CRLF line terminators	English	United States	0.2170263788968825
RT_HTML	0x2e7850	0x15b1	HTML document, ASCII text, with CRLF line terminators	English	United States	0.17612101566720692
RT_HTML	0x2e8e04	0x205c	exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators	English	United States	0.13604538870111058
RT_HTML	0x2eae60	0x368d	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10834228428213391
RT_MANIFEST	0x2ee4f0	0x80f	XML 1.0 document, ASCII text, with CRLF, LF line terminators	Chinese	China	0.40814348036839554

Imports

DLL

Import

KERNEL32.dll

CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateEventExW, WaitForSingleObject, SetEvent, RemoveDirectoryW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, InitializeCriticalSection, lstrcpynW, CreateThread, GetProcAddress, LoadLibraryExW, GetCurrentProcess, Sleep, WideCharToMultiByte, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, GetModuleHandleW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SystemTimeToFileTime, MultiByteToWideChar, GetSystemInfo, WaitForMultipleObjects, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetSystemTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, CreateProcessW, GetExitCodeProcess, GetWindowsDirectoryW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FormatMessageW, GetEnvironmentStringsW, LocalFree, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetSystemDefaultLangID, GetUserDefaultLangID, GetLocalTime, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, CreateNamedPipeW, ConnectNamedPipe, TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, WaitForSingleObjectEx, QueryPerformanceCounter, QueryPerformanceFrequency, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, GetSystemTimeAsFileTime, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T15:39:34.361950+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.7	49706	206.238.43.118	63569	TCP
2024-11-25T15:40:35.299279+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.7	49706	206.238.43.118	63569	TCP
2024-11-25T15:41:36.349804+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.7	49706	206.238.43.118	63569	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 15:39:31.202250004 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:31.323481083 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:31.323611021 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:33.713896036 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:33.834855080 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.834872007 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.834884882 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.834901094 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.834929943 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.834932089 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:33.834975004 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.834980011 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:33.835010052 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.835016012 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:33.835064888 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:33.835093975 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.835138083 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:33.835163116 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.835186005 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.835217953 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:33.835238934 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:33.956085920 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.956125021 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.956172943 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:33.956187010 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.956196070 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.956206083 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.956214905 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.956222057 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:33.956234932 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:33.956296921 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.956434965 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.956446886 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.956526995 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.956619024 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.956731081 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:33.956743002 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:34.076544046 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:34.076586008 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:34.076738119 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:34.076747894 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:34.361949921 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:34.482458115 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:34.728080988 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:34.783123970 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:34.951364040 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:34.952877998 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:35.077337027 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:35.162195921 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:35.204997063 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:36.070435047 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:36.190706968 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:36.190718889 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:36.190798044 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:36.190808058 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:36.190911055 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:36.190932035 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:36.191020012 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:36.191029072 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:36.191112995 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:36.191122055 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:36.310857058 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:36.310870886 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:36.310879946 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:36.310885906 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:37.409435987 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:37.529485941 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:37.965859890 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:38.017502069 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:38.958503008 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:39.079004049 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:39.079029083 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:39.079040051 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:39.079087019 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:39.079248905 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:39.079293966 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:39.079406023 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:39.079417944 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:39.079518080 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:39.079529047 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:39.079632998 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:39.079679966 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:39.079801083 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:39.079859018 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:40.455311060 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:40.578192949 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:41.013420105 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:41.064387083 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:41.906064987 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:42.027333021 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:42.027352095 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:42.027364969 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:42.045592070 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:42.045604944 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:42.045667887 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:42.045680046 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:42.046945095 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:42.046986103 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:42.047158003 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:42.047178030 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:42.054677010 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:42.054687977 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:42.054698944 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:43.501969099 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:43.622342110 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:44.057413101 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:44.111275911 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:45.007220030 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:45.127850056 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:45.127918005 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:45.127928972 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:45.128042936 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:45.128051996 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:45.128061056 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:45.128253937 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:45.128300905 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:45.128442049 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:45.128494978 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:45.128545046 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:45.128670931 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:45.128688097 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:45.128715038 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:46.549284935 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:46.815470934 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:47.251636982 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:47.298799992 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:48.215069056 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:48.335241079 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:48.335289955 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:48.335360050 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:48.335421085 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:48.335531950 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:48.335580111 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:48.335653067 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:48.335688114 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:48.335757971 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:48.335793972 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:48.335889101 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:48.335935116 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:48.336103916 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:48.336113930 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:49.595969915 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:49.719480991 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:50.154551983 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:50.205065966 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:51.032474041 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:51.153359890 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:51.153374910 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:51.153426886 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:51.153435946 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:51.153481007 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:51.153534889 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:51.153753996 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:51.153763056 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:51.153836012 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:51.153845072 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:51.153938055 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:51.153947115 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:51.154025078 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:51.154028893 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:52.642712116 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:52.762594938 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:53.197738886 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:53.251934052 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:54.137742043 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:54.259272099 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:54.306771040 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:54.306843042 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:54.309000969 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:54.309010983 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:54.311263084 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:54.311290979 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:54.313620090 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:54.313628912 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:54.315187931 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:54.315197945 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:54.315324068 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:54.315331936 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:54.315455914 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:55.689552069 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:55.809931040 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:56.246226072 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:56.298827887 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:57.170828104 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:57.291874886 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:57.291888952 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:57.291899920 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:57.291953087 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:57.292026997 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:57.292047977 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:57.292176962 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:57.292198896 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:57.292222023 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:57.292229891 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:57.292301893 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:57.292367935 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:57.292377949 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:57.292387962 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:58.736536980 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:39:58.861287117 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:59.301193953 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:39:59.345715046 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:00.331254959 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:00.451702118 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:00.451746941 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:00.451801062 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:00.451828957 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:00.451879978 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:00.451908112 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:00.452012062 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:00.452039957 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:00.452090025 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:00.452116966 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:00.452150106 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:00.476140022 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:00.476193905 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:00.476205111 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:01.783490896 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:01.904376984 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:02.351438046 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:02.392597914 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:02.879049063 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:03.004497051 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:03.004523993 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:03.004688025 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:03.004765987 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:03.004878044 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:03.004889011 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:03.005013943 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:03.005033016 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:03.005135059 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:03.005265951 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:03.005275965 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:03.005287886 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:03.005390882 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:03.005433083 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:04.830250025 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:04.954185009 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:05.773288965 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:05.773370028 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:05.773431063 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:06.232481003 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:06.353537083 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:06.353558064 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:06.353571892 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:06.353606939 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:06.353666067 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:06.353754044 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:06.353810072 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:06.353862047 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:06.353916883 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:06.353971004 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:06.354011059 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:06.354079008 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:06.354089975 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:06.354110003 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:07.877140045 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:07.998308897 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:08.434161901 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:08.486371040 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:08.885508060 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:09.005973101 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:09.005990028 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:09.006145954 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:09.006176949 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:09.006263018 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:09.006274939 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:09.006335974 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:09.006441116 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:09.006479025 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:09.007308960 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:09.029836893 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:09.029841900 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:09.029946089 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:09.030030012 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:10.924062967 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:11.044296026 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:11.482400894 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:11.533308029 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:11.911680937 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:12.032577991 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:12.032591105 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:12.032732010 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:12.032764912 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:12.032977104 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:12.032995939 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:12.033109903 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:12.033121109 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:12.033229113 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:12.033238888 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:12.033332109 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:12.033341885 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:12.033377886 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:12.033433914 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:13.970889091 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:14.093163013 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:14.529474020 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:14.580142021 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:14.968281984 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:15.088612080 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:15.088629961 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:15.088689089 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:15.088795900 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:15.088804960 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:15.088809013 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:15.088901997 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:15.088911057 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:15.088960886 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:15.088998079 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:15.089075089 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:15.089114904 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:15.089237928 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:15.089247942 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:17.018672943 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:17.140098095 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:17.578011990 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:17.627042055 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:17.968264103 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:18.088483095 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:18.088502884 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:18.088543892 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:18.088551044 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:18.088624001 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:18.088649988 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:18.088742018 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:18.088754892 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:18.088809967 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:18.088900089 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:18.088912010 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:18.088943005 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:18.088982105 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:18.088990927 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:20.064686060 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:20.184741020 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:20.620644093 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:20.673949003 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:21.029459000 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:21.154381990 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:21.157341003 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:21.159118891 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:21.159637928 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:21.166361094 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:21.170264959 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:21.179384947 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:21.179395914 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:21.179466963 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:21.179496050 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:21.179608107 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:21.179617882 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:21.180109978 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:21.180119991 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:23.111835957 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:23.231777906 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:23.694999933 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:23.736440897 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:24.114299059 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:24.234498978 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:24.234519005 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:24.234538078 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:24.234549046 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:24.234646082 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:24.234679937 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:24.234782934 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:24.234791994 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:24.234863043 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:24.234872103 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:24.234966040 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:24.234976053 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:24.235039949 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:24.235078096 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:26.158817053 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:26.278841019 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:26.714978933 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:26.767736912 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:27.142802954 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:27.263279915 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:27.263290882 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:27.263334036 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:27.263394117 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:27.263499022 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:27.263506889 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:27.263581038 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:27.263648033 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:27.263734102 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:27.263942957 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:27.264178038 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:27.264230013 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:27.264322996 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:27.264363050 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:29.205255985 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:29.325292110 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:29.761390924 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:29.814609051 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:30.147669077 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:30.267987967 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:30.268028975 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:30.268042088 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:30.268055916 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:30.268172026 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:30.268184900 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:30.268218040 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:30.268284082 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:30.268446922 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:30.268474102 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:30.268520117 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:30.268560886 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:30.268615007 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:30.268626928 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:32.252526045 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:32.378088951 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:32.813863039 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:32.861483097 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:33.245716095 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:33.367352962 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:33.367369890 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:33.367407084 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:33.367468119 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:33.367608070 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:33.367702007 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:33.367733955 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:33.367770910 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:33.367822886 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:33.367831945 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:33.367939949 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:33.367949963 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:33.367971897 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:33.368010998 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:35.299278975 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:35.419884920 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:35.857306004 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:35.908385992 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:36.232635021 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:36.352925062 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:36.352946043 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:36.352957964 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:36.352967024 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:36.353102922 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:36.376565933 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:36.376610041 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:36.376621008 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:36.376630068 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:36.422360897 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:36.422385931 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:36.422419071 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:36.422429085 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:36.422440052 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:38.346036911 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:38.466130972 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:38.904999018 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:38.955282927 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:39.308342934 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:39.429765940 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:39.429800034 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:39.429827929 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:39.429857016 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:39.429871082 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:39.429898024 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:39.429909945 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:39.430046082 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:39.430058002 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:39.465146065 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:39.465162039 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:39.551847935 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:39.551877022 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:39.551919937 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:41.392818928 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:41.514872074 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:41.956531048 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:42.002140045 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:42.361419916 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:42.481719017 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:42.481741905 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:42.481765985 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:42.481775045 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:42.481847048 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:42.481856108 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:42.481923103 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:42.481941938 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:42.482023001 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:42.482033014 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:42.601588011 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:42.601604939 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:42.601691961 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:42.601701021 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:44.439914942 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:44.560045958 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:44.995461941 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:45.049061060 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:45.412806988 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:45.533680916 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:45.533719063 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:45.533776045 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:45.533795118 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:45.533936024 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:45.533946037 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:45.533961058 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:45.534033060 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:45.534044027 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:45.593811989 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:45.593833923 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:45.654310942 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:45.654336929 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:45.654346943 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:47.486732960 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:47.607180119 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:48.042131901 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:48.095978022 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:48.441099882 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:48.567106009 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:48.567161083 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:48.567199945 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:48.567229033 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:48.567296028 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:48.567348957 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:48.567436934 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:48.567472935 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:48.567595005 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:48.567629099 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:48.687419891 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:48.687443972 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:48.687455893 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:48.687464952 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:50.533613920 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:50.653866053 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:51.089164019 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:51.142815113 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:51.500092983 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:51.621197939 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:51.621215105 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:51.621381998 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:51.621627092 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:51.621637106 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:51.621645927 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:51.621721983 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:51.621771097 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:51.622236967 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:51.622246981 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:51.622256994 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:51.622266054 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:51.622284889 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:51.622406960 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:53.580461979 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:53.701085091 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:54.143883944 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:54.189681053 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:54.553952932 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:54.678231955 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:54.678281069 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:54.678406954 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:54.678514957 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:54.678663969 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:54.678865910 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:54.678877115 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:54.678889990 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:54.679085016 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:54.679116011 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:54.679203987 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:54.679238081 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:54.679429054 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:54.679442883 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:56.627372026 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:56.747627020 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:57.240498066 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:57.283476114 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:57.663360119 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:57.787753105 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:57.787786007 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:57.787847042 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:57.787906885 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:57.788003922 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:57.788058043 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:57.788140059 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:57.788161039 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:57.788201094 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:57.791234016 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:57.791275024 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:57.795795918 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:57.795809031 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:57.795820951 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:40:59.674331903 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:40:59.803013086 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:00.238394022 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:00.283482075 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:00.655920982 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:00.777115107 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:00.777225018 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:00.777235985 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:00.777276039 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:00.777307987 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:00.777364969 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:00.777394056 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:00.777580023 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:00.777590036 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:00.777734041 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:00.777744055 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:00.777854919 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:00.777873039 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:00.777992010 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:02.737402916 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:02.857841015 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:03.293052912 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:03.346117973 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:03.741827965 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:03.873564959 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:03.873655081 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:03.873900890 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:03.879702091 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:03.879722118 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:03.882704973 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:03.882715940 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:03.884931087 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:03.884999037 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:03.887340069 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:03.887350082 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:03.887439966 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:03.887672901 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:03.887682915 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:05.783541918 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:05.909569979 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:06.350332975 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:06.392847061 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:06.803941011 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:07.096030951 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:07.135293007 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:07.135307074 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:07.135327101 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:07.135335922 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:07.135344982 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:07.135353088 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:07.135363102 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:07.135435104 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:07.135445118 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:07.135541916 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:07.135550976 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:07.135677099 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:07.135685921 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:07.136153936 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:07.217396975 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:08.830449104 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:08.951353073 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:09.404527903 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:09.455404997 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:09.809648037 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:10.007891893 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:10.007922888 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:10.008011103 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:10.008073092 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:10.008179903 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:10.008219957 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:10.008286953 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:10.008296013 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:10.008361101 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:10.008371115 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:10.008409023 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:10.008451939 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:10.008569002 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:10.008666039 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:11.877382040 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:12.189764977 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:12.316951990 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:12.319643021 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:12.442059994 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:12.486665964 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:12.886876106 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:13.040702105 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:13.041549921 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:13.041819096 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:13.042550087 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:13.042608023 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:13.042810917 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:13.042820930 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:13.042830944 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:13.043299913 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:13.043346882 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:13.044796944 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:13.046979904 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:13.047003031 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:13.047013998 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:14.924318075 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:15.054572105 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:15.503817081 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:15.549129009 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:15.904866934 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:16.025665045 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:16.025814056 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:16.025824070 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:16.025827885 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:16.025963068 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:16.025971889 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:16.025988102 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:16.026112080 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:16.026120901 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:16.026271105 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:16.026279926 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:16.026288986 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:16.026428938 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:16.026438951 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:17.971255064 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:18.097682953 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:18.536128998 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:18.580530882 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:18.954878092 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:19.078696012 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:19.100183964 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:19.100198984 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:19.104407072 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:19.104420900 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:19.109500885 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:19.109532118 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:19.113923073 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:19.113933086 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:19.116745949 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:19.116755009 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:19.117795944 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:19.117805958 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:19.117815971 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:21.018157005 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:21.139568090 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:21.608623981 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:21.658569098 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:22.039201975 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:22.159451962 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:22.159470081 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:22.159482002 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:22.159544945 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:22.159667015 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:22.159676075 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:22.160176039 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:22.160187006 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:22.163620949 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:22.165079117 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:22.167030096 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:22.167072058 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:22.167166948 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:22.170308113 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:24.065121889 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:24.185095072 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:24.626485109 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:24.674165010 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:25.127311945 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:25.296479940 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:25.296487093 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:25.296689987 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:25.296700001 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:25.296704054 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:25.315145969 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:25.315151930 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:25.315160990 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:25.315165043 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:25.315172911 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:25.315253973 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:25.315267086 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:25.315272093 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:25.316488981 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:27.112055063 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:27.232233047 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:27.667243958 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:27.721077919 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:28.126698017 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:28.246969938 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:28.246980906 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:28.247025967 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:28.247030020 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:28.247242928 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:28.247246981 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:28.247256041 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:28.247258902 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:28.247361898 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:28.247364998 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:28.247558117 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:28.247561932 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:28.247648954 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:28.247652054 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:30.158740044 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:30.343875885 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:30.835269928 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:30.877412081 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:31.386356115 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:31.513329983 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:31.513343096 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:31.513398886 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:31.513408899 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:31.513433933 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:31.513807058 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:31.513823032 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:31.513906002 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:31.513915062 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:31.514379978 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:31.514420033 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:31.514503956 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:31.514520884 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:31.514529943 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:33.221329927 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:33.492326021 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:33.941571951 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:33.986741066 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:34.680957079 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:34.801248074 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:34.801286936 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:34.801539898 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:34.801594973 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:34.801712036 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:34.801786900 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:34.801796913 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:34.801882029 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:34.801898003 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:34.801908970 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:34.802042961 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:34.802052975 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:34.802175999 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:34.802210093 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:36.349803925 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:36.469984055 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:36.906291008 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:36.955495119 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:37.424575090 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:37.550940990 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:37.550956964 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:37.551024914 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:37.551033974 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:37.551148891 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:37.551202059 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:37.551213980 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:37.551428080 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:37.551436901 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:37.551533937 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:37.551551104 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:37.551635027 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:37.551667929 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:37.551676035 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:39.393296003 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:39.513350964 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:39.949593067 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:40.002381086 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:40.363636017 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:40.485301971 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:40.485317945 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:40.485405922 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:40.485414982 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:40.485536098 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:40.485549927 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:40.485678911 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:40.485687971 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:40.485697031 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:40.485704899 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:40.485843897 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:40.485852003 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:40.486004114 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:40.486012936 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:42.440287113 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:42.560370922 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:42.996455908 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:43.049339056 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:43.417737961 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:43.541603088 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:43.541645050 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:43.541827917 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:43.541836977 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:43.541924000 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:43.541970015 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:43.542061090 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:43.542071104 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:43.542164087 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:43.542221069 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:43.542378902 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:43.542388916 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:43.542490005 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:43.542638063 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:45.494658947 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:45.701802969 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:46.143443108 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:46.189940929 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:46.590147018 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:46.710115910 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:46.738086939 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:46.738109112 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:46.743009090 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:46.743050098 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:46.748071909 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:46.748087883 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:46.751575947 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:46.752554893 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:46.752564907 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:46.752607107 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:46.757653952 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:46.757690907 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:46.757699966 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:48.596467018 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:48.596570015 CET	49706	63569	192.168.2.7	206.238.43.118
Nov 25, 2024 15:41:48.718457937 CET	63569	49706	206.238.43.118	192.168.2.7
Nov 25, 2024 15:41:48.718518019 CET	49706	63569	192.168.2.7	206.238.43.118

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Type
Nov 25, 2024 15:39:32.304879904 CET	192.168.2.7	206.238.43.118	af3b	Echo
Nov 25, 2024 15:39:32.740242004 CET	206.238.43.118	192.168.2.7	b73b	Echo Reply
Nov 25, 2024 15:39:33.752399921 CET	192.168.2.7	206.238.43.118	136	Echo
Nov 25, 2024 15:39:34.199748993 CET	206.238.43.118	192.168.2.7	936	Echo Reply
Nov 25, 2024 15:39:35.205246925 CET	192.168.2.7	206.238.43.118	5330	Echo
Nov 25, 2024 15:39:35.639179945 CET	206.238.43.118	192.168.2.7	5b30	Echo Reply
Nov 25, 2024 15:39:36.642666101 CET	192.168.2.7	206.238.43.118	b42a	Echo
Nov 25, 2024 15:39:37.067615986 CET	206.238.43.118	192.168.2.7	bc2a	Echo Reply
Nov 25, 2024 15:39:45.111787081 CET	192.168.2.7	206.238.43.118	9309	Echo
Nov 25, 2024 15:39:45.579257965 CET	206.238.43.118	192.168.2.7	9b09	Echo Reply
Nov 25, 2024 15:39:46.580223083 CET	192.168.2.7	206.238.43.118	d503	Echo
Nov 25, 2024 15:39:47.172503948 CET	206.238.43.118	192.168.2.7	dd03	Echo Reply
Nov 25, 2024 15:39:48.174426079 CET	192.168.2.7	206.238.43.118	99fd	Echo
Nov 25, 2024 15:39:48.653789997 CET	206.238.43.118	192.168.2.7	a1fd	Echo Reply
Nov 25, 2024 15:39:49.658359051 CET	192.168.2.7	206.238.43.118	ccf7	Echo
Nov 25, 2024 15:39:50.121998072 CET	206.238.43.118	192.168.2.7	d4f7	Echo Reply
Nov 25, 2024 15:39:58.158823967 CET	192.168.2.7	206.238.43.118	9bd6	Echo
Nov 25, 2024 15:39:58.649612904 CET	206.238.43.118	192.168.2.7	a3d6	Echo Reply
Nov 25, 2024 15:39:59.658710957 CET	192.168.2.7	206.238.43.118	bed0	Echo
Nov 25, 2024 15:40:00.210258007 CET	206.238.43.118	192.168.2.7	c6d0	Echo Reply
Nov 25, 2024 15:40:01.222670078 CET	192.168.2.7	206.238.43.118	a2ca	Echo
Nov 25, 2024 15:40:01.700010061 CET	206.238.43.118	192.168.2.7	aaca	Echo Reply
Nov 25, 2024 15:40:02.705415964 CET	192.168.2.7	206.238.43.118	d5c4	Echo
Nov 25, 2024 15:40:03.145123959 CET	206.238.43.118	192.168.2.7	ddc4	Echo Reply
Nov 25, 2024 15:40:11.195044041 CET	192.168.2.7	206.238.43.118	b4a3	Echo
Nov 25, 2024 15:40:11.628911018 CET	206.238.43.118	192.168.2.7	bca3	Echo Reply
Nov 25, 2024 15:40:12.642796040 CET	192.168.2.7	206.238.43.118	59e	Echo
Nov 25, 2024 15:40:13.073025942 CET	206.238.43.118	192.168.2.7	d9e	Echo Reply
Nov 25, 2024 15:40:14.080390930 CET	192.168.2.7	206.238.43.118	6798	Echo
Nov 25, 2024 15:40:14.519826889 CET	206.238.43.118	192.168.2.7	6f98	Echo Reply
Nov 25, 2024 15:40:15.533696890 CET	192.168.2.7	206.238.43.118	b992	Echo
Nov 25, 2024 15:40:15.975518942 CET	206.238.43.118	192.168.2.7	c192	Echo Reply
Nov 25, 2024 15:40:24.018224955 CET	192.168.2.7	206.238.43.118	9771	Echo
Nov 25, 2024 15:40:24.497853041 CET	206.238.43.118	192.168.2.7	9f71	Echo Reply
Nov 25, 2024 15:40:25.502376080 CET	192.168.2.7	206.238.43.118	ca6b	Echo
Nov 25, 2024 15:40:25.922672033 CET	206.238.43.118	192.168.2.7	d26b	Echo Reply
Nov 25, 2024 15:40:26.939702988 CET	192.168.2.7	206.238.43.118	2c66	Echo
Nov 25, 2024 15:40:27.452770948 CET	206.238.43.118	192.168.2.7	3466	Echo Reply
Nov 25, 2024 15:40:28.457988024 CET	192.168.2.7	206.238.43.118	3f60	Echo
Nov 25, 2024 15:40:28.916927099 CET	206.238.43.118	192.168.2.7	4760	Echo Reply
Nov 25, 2024 15:40:36.956401110 CET	192.168.2.7	206.238.43.118	e3f	Echo
Nov 25, 2024 15:40:37.438371897 CET	206.238.43.118	192.168.2.7	163f	Echo Reply
Nov 25, 2024 15:40:38.440676928 CET	192.168.2.7	206.238.43.118	4139	Echo
Nov 25, 2024 15:40:38.894666910 CET	206.238.43.118	192.168.2.7	4939	Echo Reply
Nov 25, 2024 15:40:39.908505917 CET	192.168.2.7	206.238.43.118	8333	Echo
Nov 25, 2024 15:40:40.356106043 CET	206.238.43.118	192.168.2.7	8b33	Echo Reply
Nov 25, 2024 15:40:41.361655951 CET	192.168.2.7	206.238.43.118	d52d	Echo
Nov 25, 2024 15:40:41.800564051 CET	206.238.43.118	192.168.2.7	dd2d	Echo Reply
Nov 25, 2024 15:40:49.846672058 CET	192.168.2.7	206.238.43.118	b30c	Echo
Nov 25, 2024 15:40:50.270024061 CET	206.238.43.118	192.168.2.7	bb0c	Echo Reply
Nov 25, 2024 15:40:51.284039021 CET	192.168.2.7	206.238.43.118	1507	Echo
Nov 25, 2024 15:40:51.715156078 CET	206.238.43.118	192.168.2.7	1d07	Echo Reply
Nov 25, 2024 15:40:52.721116066 CET	192.168.2.7	206.238.43.118	7601	Echo
Nov 25, 2024 15:40:53.143167019 CET	206.238.43.118	192.168.2.7	7e01	Echo Reply
Nov 25, 2024 15:40:54.169836998 CET	192.168.2.7	206.238.43.118	d7fb	Echo
Nov 25, 2024 15:40:54.684428930 CET	206.238.43.118	192.168.2.7	dffb	Echo Reply
Nov 25, 2024 15:41:02.738753080 CET	192.168.2.7	206.238.43.118	58da	Echo
Nov 25, 2024 15:41:03.217828989 CET	206.238.43.118	192.168.2.7	60da	Echo Reply
Nov 25, 2024 15:41:04.221332073 CET	192.168.2.7	206.238.43.118	8ad4	Echo
Nov 25, 2024 15:41:04.651098967 CET	206.238.43.118	192.168.2.7	92d4	Echo Reply
Nov 25, 2024 15:41:05.658647060 CET	192.168.2.7	206.238.43.118	ecce	Echo
Nov 25, 2024 15:41:06.116965055 CET	206.238.43.118	192.168.2.7	f4ce	Echo Reply
Nov 25, 2024 15:41:07.127809048 CET	192.168.2.7	206.238.43.118	2ec9	Echo
Nov 25, 2024 15:41:07.555038929 CET	206.238.43.118	192.168.2.7	36c9	Echo Reply
Nov 25, 2024 15:41:15.605559111 CET	192.168.2.7	206.238.43.118	1ca8	Echo
Nov 25, 2024 15:41:16.062076092 CET	206.238.43.118	192.168.2.7	24a8	Echo Reply
Nov 25, 2024 15:41:17.064943075 CET	192.168.2.7	206.238.43.118	4fa2	Echo
Nov 25, 2024 15:41:17.490272999 CET	206.238.43.118	192.168.2.7	57a2	Echo Reply
Nov 25, 2024 15:41:18.502528906 CET	192.168.2.7	206.238.43.118	b09c	Echo
Nov 25, 2024 15:41:18.925797939 CET	206.238.43.118	192.168.2.7	b89c	Echo Reply
Nov 25, 2024 15:41:19.939944029 CET	192.168.2.7	206.238.43.118	1297	Echo
Nov 25, 2024 15:41:20.438339949 CET	206.238.43.118	192.168.2.7	1a97	Echo Reply
Nov 25, 2024 15:41:28.477528095 CET	192.168.2.7	206.238.43.118	c275	Echo
Nov 25, 2024 15:41:28.898750067 CET	206.238.43.118	192.168.2.7	ca75	Echo Reply
Nov 25, 2024 15:41:29.936510086 CET	192.168.2.7	206.238.43.118	1470	Echo
Nov 25, 2024 15:41:30.360898972 CET	206.238.43.118	192.168.2.7	1c70	Echo Reply
Nov 25, 2024 15:41:31.363687992 CET	192.168.2.7	206.238.43.118	756a	Echo
Nov 25, 2024 15:41:31.791610003 CET	206.238.43.118	192.168.2.7	7d6a	Echo Reply
Nov 25, 2024 15:41:32.799359083 CET	192.168.2.7	206.238.43.118	d764	Echo
Nov 25, 2024 15:41:33.223176956 CET	206.238.43.118	192.168.2.7	df64	Echo Reply
Nov 25, 2024 15:41:41.268842936 CET	192.168.2.7	206.238.43.118	c543	Echo
Nov 25, 2024 15:41:41.689907074 CET	206.238.43.118	192.168.2.7	cd43	Echo Reply
Nov 25, 2024 15:41:42.705717087 CET	192.168.2.7	206.238.43.118	263e	Echo
Nov 25, 2024 15:41:43.125998020 CET	206.238.43.118	192.168.2.7	2e3e	Echo Reply
Nov 25, 2024 15:41:44.127649069 CET	192.168.2.7	206.238.43.118	9738	Echo
Nov 25, 2024 15:41:44.549129009 CET	206.238.43.118	192.168.2.7	9f38	Echo Reply
Nov 25, 2024 15:41:45.565278053 CET	192.168.2.7	206.238.43.118	f932	Echo
Nov 25, 2024 15:41:46.003057957 CET	206.238.43.118	192.168.2.7	133	Echo Reply

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 15:39:10.376687050 CET	1.1.1.1	192.168.2.7	0xcadb	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 25, 2024 15:39:10.376687050 CET	1.1.1.1	192.168.2.7	0xcadb	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:38:41
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZwmyzMxFKL.exe"
Imagebase:	0xbc0000
File size:	58'031'336 bytes
MD5 hash:	2FA4F19F9FB9E7A71D85AAF34D318178
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:38:47
Start date:	25/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7a4960000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	09:38:47
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 86EAEA36D56ADACB6F4586ABE7AE0EB7 C
Imagebase:	0x9a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:38:54
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\ZwmyzMxFKL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZwmyzMxFKL.exe" /i "C:\Program Files (x86)\WindowsInstallerFQ\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\DnLIMGKCARTO" SECONDSEQUENCE="1" CLIENTPROCESSID="6684" AI_MORE_CMD_LINE=1
Imagebase:	0xbc0000
File size:	58'031'336 bytes
MD5 hash:	2FA4F19F9FB9E7A71D85AAF34D318178
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:38:55
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 330C69625D946D3D58562FAE4D80B81E
Imagebase:	0x9a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:39:18
Start date:	25/11/2024
Path:	C:\Windows\Installer\MSI6FFE.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Installer\MSI6FFE.tmp"
Imagebase:	0xc90000
File size:	175'328 bytes
MD5 hash:	BE4ED0D3AA0B2573927A046620106B13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:39:18
Start date:	25/11/2024
Path:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU" -o"C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55" -pe6ab90d5741a3329XSJ -aos -y
Imagebase:	0xda0000
File size:	710'888 bytes
MD5 hash:	FAE7D0A530279838C8A5731B086A081B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000003.1839577125.0000000002E86000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:39:18
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:39:23
Start date:	25/11/2024
Path:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\408dd7481cc3.KWR" -o"C:\Program Files (x86)\DnLIMGKCARTO" -pd90abf5032721ffaBCX -aos -y
Imagebase:	0xda0000
File size:	710'888 bytes
MD5 hash:	FAE7D0A530279838C8A5731B086A081B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:39:23
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:39:25
Start date:	25/11/2024
Path:	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX" -o"C:\Users\user\AppData\Roaming" -p5ccac7f27f4c789fFPK -aos -y
Imagebase:	0xda0000
File size:	710'888 bytes
MD5 hash:	FAE7D0A530279838C8A5731B086A081B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:39:25
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:39:27
Start date:	25/11/2024
Path:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe"
Imagebase:	0x400000
File size:	691'760 bytes
MD5 hash:	938C33C54819D6CE8D731B68D9C37E38
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000010.00000000.1907174617.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	09:39:27
Start date:	25/11/2024
Path:	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe"
Imagebase:	0x400000
File size:	691'760 bytes
MD5 hash:	938C33C54819D6CE8D731B68D9C37E38
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000013.00000002.1945786916.000000000304C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:39:29
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\E9612930988441D58021F51E630D4D55\VGX\Haloonoroff.exe"
Imagebase:	0x400000
File size:	174'304 bytes
MD5 hash:	0D318144BD23BA1A72CC06FE19CB3F0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	97

Executed Functions

Function 00D181C0 Relevance: 30.3, APIs: 14, Strings: 3, Instructions: 526
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00D1824E
GetLastError.KERNEL32 ref: 00D18254
GetUserNameW.ADVAPI32(00000000,?), ref: 00D1829C
GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00D182D2
GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 00D1831C
RegDeleteValueW.KERNEL32(?,?,00000000,80000001,00000001,00000000,D02C6D11,00000000,?), ref: 00D18515
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,D02C6D11,00000000,?), ref: 00D1854B
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D186A0
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,D02C6D11,00000000), ref: 00D186E2
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,D02C6D11,00000000), ref: 00D18727
RegDeleteKeyW.ADVAPI32(?,00000000), ref: 00D18749
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,D02C6D11,00000000), ref: 00D18785
RegDeleteValueW.KERNEL32(?,?,00000000,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000,D02C6D11,00000000), ref: 00D1888A
RegCloseKey.ADVAPI32(?,?,?,00000000,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000,D02C6D11,00000000), ref: 00D188CC

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00D187AA
UserDomain, xrefs: 00D182CD, 00D18317
Software, xrefs: 00D1857E

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Close$Delete$EnvironmentNameUserValueVariable$ErrorInfoLastQuery
String ID: Software$Software\Microsoft\Windows\CurrentVersion\RunOnce$UserDomain
API String ID: 1615433478-4079418357
Opcode ID: fbe9f9dc65399010d619a2f1f50e4801bdfc027cee6e9bb04d2811bec7af4935
Instruction ID: 2cb48eeb845e41b307853d5f4c222af02888f008656c5c871538a97d7c1af3dd
Opcode Fuzzy Hash: fbe9f9dc65399010d619a2f1f50e4801bdfc027cee6e9bb04d2811bec7af4935
Instruction Fuzzy Hash: DB224770A00248EFDF14DFA4DC99BEEBBB5EF04314F24415CE505A7291DB74AA88DBA1

Function 00CF4CA0 Relevance: 27.5, APIs: 11, Strings: 4, Instructions: 1259COMMON

Download Yara Rule

APIs

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

GetTickCount.KERNEL32 ref: 00CF4D24
__Xtime_get_ticks.LIBCPMT ref: 00CF4D2C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CF4D76
__Init_thread_footer.LIBCMT ref: 00CF4F64
GetCurrentProcess.KERNEL32(?,?,?), ref: 00CF517A
OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,?), ref: 00CF5187
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?), ref: 00CF51A7
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00CF51D2

Strings

\\?\, xrefs: 00CF5A9D
\/:*?"<>|, xrefs: 00CF4F26
/uninstall, xrefs: 00CF5383
VersionString, xrefs: 00CF5454, 00CF54A5

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footerProcess$Token$CloseCountCurrentHandleHeapInformationOpenTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
String ID: /uninstall$VersionString$\/:*?"<>|$\\?\
API String ID: 3363527671-654522458
Opcode ID: 2aaa2764f60e920e075d39498459ffb63edb49e93c3f99fc5dbed31359aab0b4
Instruction ID: f364b06304eb87dbe8db0343e99f02b21ba476495d058cb22ef893e90906829e
Opcode Fuzzy Hash: 2aaa2764f60e920e075d39498459ffb63edb49e93c3f99fc5dbed31359aab0b4
Instruction Fuzzy Hash: E9B2C070A00609DFDB14DFA8C848BAEFBF4FF44314F148259E625AB291DB74AE45CB91

Function 6CE7D070 Relevance: 21.4, APIs: 9, Strings: 3, Instructions: 400
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindClose.KERNEL32(00000000,?,?,6CEF8D6C,?), ref: 6CE7D0CF
PathIsUNCW.SHLWAPI(?,*.*,?,6CEF8D6C), ref: 6CE7D17F
FindFirstFileW.KERNEL32(?,?,*.*,?,6CEF8D6C), ref: 6CE7D323
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,?,6CEF8D6C), ref: 6CE7D33D
GetFullPathNameW.KERNEL32(00000000,00000000,?,00000000,?,6CEF8D6C), ref: 6CE7D370
FindClose.KERNEL32(00000000,?,?,?,?,?,6CEF8D6C), ref: 6CE7D3E1
SetLastError.KERNEL32(0000007B,?,?,?,?,?,6CEF8D6C), ref: 6CE7D3EB
_wcsrchr.LIBVCRUNTIME ref: 6CE7D441
_wcsrchr.LIBVCRUNTIME ref: 6CE7D461

Strings

\\?\UNC\, xrefs: 6CE7D19F, 6CE7D2A0
\\?\, xrefs: 6CE7D2B3, 6CE7D30E, 6CE7D313
*.*, xrefs: 6CE7D0FA, 6CE7D128, 6CE7D14F, 6CE7D150

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: FindPath$CloseFullName_wcsrchr$ErrorFileFirstLast
String ID: *.*$\\?\$\\?\UNC\
API String ID: 726989864-1700010636
Opcode ID: e2886b7bab486a374013eeac31edaad156883a48c833e7c5768a62318e5a591f
Instruction ID: 1ff30fb6bb1b66d0f1cc878fa94caa03eb58d34c7e1de670a8f358c1ba623b35
Opcode Fuzzy Hash: e2886b7bab486a374013eeac31edaad156883a48c833e7c5768a62318e5a591f
Instruction Fuzzy Hash: 2EE1E4756016419FDB14DF68C848BAEB7B1FF4132CF34426CE8259BB90EB359A05CB60

Function 6CE6DB00 Relevance: 17.5, Strings: 13, Instructions: 1250COMMON

Download Yara Rule

Strings

Exception >> , xrefs: 6CE6E5BC
Crash >> , xrefs: 6CE6E367
fatal error, xrefs: 6CE6DC1C
success, xrefs: 6CE6DBA6
Error: , xrefs: 6CE6E1D7
W, xrefs: 6CE6E776
Info 1720, xrefs: 6CE6E568
Action ended, xrefs: 6CE6E2D6
-> , xrefs: 6CE6DD9B
Track screen: [, xrefs: 6CE6E8A0
Lifecycle: , xrefs: 6CE6DD64
user abort, xrefs: 6CE6DBE1, 6CE6DC31
Warning: , xrefs: 6CE6DFB2

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: #118#125#171Heap$#103AllocProcess
String ID: -> $Action ended$Crash >> $Error: $Exception >> $Info 1720$Lifecycle: $Track screen: [$W$Warning: $fatal error$success$user abort
API String ID: 196527699-1454030630
Opcode ID: 801e1461e6df873195bd1e0174f04c226d47bc94b132c57e30fd9ec9c1256198
Instruction ID: 8403468aea8e9dbc05f9409817a5d8be4ee718c26c8b7eed79a92833bb401f73
Opcode Fuzzy Hash: 801e1461e6df873195bd1e0174f04c226d47bc94b132c57e30fd9ec9c1256198
Instruction Fuzzy Hash: 56B2F470E51244DFDB04CFAAC944BDEBBB1AF86318F38815DD411ABB80DB759A09CB91

Function 00D00640 Relevance: 15.8, APIs: 10, Instructions: 792COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$HeapProcess
String ID:
API String ID: 275895251-0
Opcode ID: 6b2d35a7c4048d21a1b29c95748010be03327d3d0db575d9f645d0b3144662fb
Instruction ID: b9e730e4d44909152c3d9f2d21a86de5779beef0c244becb6dc3c3bed6e656ab
Opcode Fuzzy Hash: 6b2d35a7c4048d21a1b29c95748010be03327d3d0db575d9f645d0b3144662fb
Instruction Fuzzy Hash: E4729E70900649DFDB14CFA8C884BAEBBF4BF45314F188299E459AB2D1DB70AD44CFA0

Function 00CDE740 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,D02C6D11,?,00000000,00000000), ref: 00CDE77E
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00CDE7A1
LoadImageW.USER32(?,?,00000001,00000000,00000000,?), ref: 00CDE801
FreeLibrary.KERNEL32(00000000), ref: 00CDE81F

Strings

LoadIconMetric, xrefs: 00CDE79B
ComCtl32.dll, xrefs: 00CDE772

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: LibraryLoad$AddressFreeImageProc
String ID: ComCtl32.dll$LoadIconMetric
API String ID: 1597520822-764666640
Opcode ID: 1954e83202c279c090b859cd11c1bb8ce75b88b018a3fa97ebfa34b91cb02a82
Instruction ID: 5118d660500de103bff6b7675971151d3fca9b6c7b9cf3fa59c3c5525940e5ae
Opcode Fuzzy Hash: 1954e83202c279c090b859cd11c1bb8ce75b88b018a3fa97ebfa34b91cb02a82
Instruction Fuzzy Hash: 633152B1A00259ABDB109F95CC44BAEBBF8EB48750F00422AF915E73D0D7758A44CB90

Function 00D0B860 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D0B93A

Strings

\, xrefs: 00D0B8B4
\, xrefs: 00D0B8DE
\, xrefs: 00D0B8BC

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: DiskFreeSpace
String ID: \$\$\
API String ID: 1705453755-3791832595
Opcode ID: 8f1086f6608be099f82ff13c4b79c3323403d8d9610481ad62cfb29cae595214
Instruction ID: 45fae45f98e8f05e84a96335520aef442504f31119881cc951973a2e16dcb300
Opcode Fuzzy Hash: 8f1086f6608be099f82ff13c4b79c3323403d8d9610481ad62cfb29cae595214
Instruction Fuzzy Hash: C741E322D18351CACB309F2494407ABB7E4FF99324F198A2FE9CC97090E3608D8587E6

Function 6CE87870 Relevance: 6.1, APIs: 4, Instructions: 84fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,24641EEC), ref: 6CE87906
FindClose.KERNEL32(00000000,?,?), ref: 6CE8793E

Part of subcall function 6CE67F30: HeapAlloc.KERNEL32(00000000,00000000,?,24641EEC,00000000,6CEAED80,000000FF,?,?,6CEED24C,?,6CE881AD,80004005), ref: 6CE67F7A

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: Find$AllocCloseFileFirstHeap
String ID:
API String ID: 2507753907-0
Opcode ID: 6c3a88c44321b25c61fe6ec0b6a85ca643ce9fefa206358f7cba21974cbb71dd
Instruction ID: 8f932fb7b3f65dad3581d7f9fff8b7fac47b986f432994aca411549712458927
Opcode Fuzzy Hash: 6c3a88c44321b25c61fe6ec0b6a85ca643ce9fefa206358f7cba21974cbb71dd
Instruction Fuzzy Hash: 5D31C431A46218CADF249FA4884975DB7B4FF05328F31479EE82DA3BD0D7355A45CB81

Function 00C97A10 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 228libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00C97A51

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

Part of subcall function 00BC92A0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,00000000,8007000E,80004005,00CD06A6,00000000,00000002,00000001,?,?,80070057,?), ref: 00BC92C3

LoadLibraryExW.KERNEL32(?,00000000,00000000,00DD0D6D,000000FF), ref: 00C97B24

Strings

UxTheme.dll, xrefs: 00C97A2C, 00C97AFF, 00C97B00, 00C97B94

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$DirectoryFindHeapLibraryLoadProcessResourceSystem
String ID: UxTheme.dll
API String ID: 2586271605-352951104
Opcode ID: 45f7e69a50e938b66b85eac5304629eb21f21cb40e40cc4ba0f29f7210a62a8b
Instruction ID: af2dbb6406f2f5b403af224e264837a17061329d02806bd90feb799ef25c987d
Opcode Fuzzy Hash: 45f7e69a50e938b66b85eac5304629eb21f21cb40e40cc4ba0f29f7210a62a8b
Instruction Fuzzy Hash: 89A18BB0905645EFEB14CF64C818B9ABBF4FF04314F24865DD4299B781D7BAA618CF90

Function 00D74245 Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,00D035FE,?,?,?,?,?,?), ref: 00D7424A
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D74251
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 00D74297
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D7429E

Part of subcall function 00D740E3: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00D7428D,?,?,?,?,?,?,?), ref: 00D74107
Part of subcall function 00D740E3: HeapAlloc.KERNEL32(00000000,?,00D7428D,?,?,?,?,?,?,?), ref: 00D7410E

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: 598e98f267b984c4667cbb26b3aa38069545ffaf68114f5fab32e6200a87741a
Instruction ID: 7d79514b911f00f87617dbd659d307ad1790c07ace27593606974c4dcff191c5
Opcode Fuzzy Hash: 598e98f267b984c4667cbb26b3aa38069545ffaf68114f5fab32e6200a87741a
Instruction Fuzzy Hash: 43F09032E0872267C7622BB87C19B6E6A689FC0BA1715C028F959D6244EF30C801CB74

Function 00CDB1B0 Relevance: 4.6, APIs: 3, Instructions: 93fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00CDB24D
FindClose.KERNEL32(00000000), ref: 00CDB2AC

Part of subcall function 00BC9980: RtlAllocateHeap.NTDLL(?,00000000,?,D02C6D11,00000000,00D9C6B0,000000FF,?,?,00E7C42C,00000000,00D1ECDB,80004005,D02C6D11,?,?), ref: 00BC99CA

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID:
API String ID: 1673784098-0
Opcode ID: 6b74d76b165089838de63efec44f6d0875b264709964425d9aa19e3a13b55fd3
Instruction ID: 9e4b79045db9e8baba0c5345beba45c1a8636cc1cad5729f99dcfba34a949d0f
Opcode Fuzzy Hash: 6b74d76b165089838de63efec44f6d0875b264709964425d9aa19e3a13b55fd3
Instruction Fuzzy Hash: FC31BE32900618DFDB24DF55C849BAEB7B4EB45324F2181AEEA19E7380E7719E44CB90

Function 6CE65B60 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetAdaptersInfo.IPHLPAPI(00000000,6CE65C87), ref: 6CE65BCB

Strings

PI>p, xrefs: 6CE65BBE

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: AdaptersInfo
String ID: PI>p
API String ID: 3177971545-2227309744
Opcode ID: 8a807d126d6c01d502f08070b52fb02fc7709b34327b64f18d7ae62ea4e0c356
Instruction ID: 5875264c198ba871e3005966407aa16e6dd91610c402f1445c71999e3247acc4
Opcode Fuzzy Hash: 8a807d126d6c01d502f08070b52fb02fc7709b34327b64f18d7ae62ea4e0c356
Instruction Fuzzy Hash: FB21C5713962019FD314CE3AC894A5AB7FDFB85304F648A3EE04587F81EF70A9058690

Function 00D198C0 Relevance: 3.1, APIs: 2, Instructions: 86filepipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,D02C6D11,D02C6D11,?,?,?,?,00000000), ref: 00D19949
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,D02C6D11,D02C6D11,?,?,?,?,00000000,00DE83A5), ref: 00D1996A

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Create$FileNamedPipe
String ID:
API String ID: 1328467360-0
Opcode ID: 96b162624099c63b16f8438878450cf32c9fdeb284b133ab2e11629ac0132307
Instruction ID: c44bf30c1f2d41aaf92bb195dda577e6730c47d7828dcd1301650f29b1f12028
Opcode Fuzzy Hash: 96b162624099c63b16f8438878450cf32c9fdeb284b133ab2e11629ac0132307
Instruction Fuzzy Hash: C6313631A88745BFE731CF14DC15B9AFBA4EB01720F14866EF9A99B2D0CB71A940CB50

Function 00BFAEA0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 00BFAEB8
SetUnhandledExceptionFilter.KERNEL32(00CDA060), ref: 00BFAECE

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: ba815399cd00ca95d62e4833c4fd62cdf5df932db360d0258cf71cfd650a36e1
Instruction ID: 819ee754ca3236fa8949b82dd311bbd2542f09e38b34f5f449b0319eea2277f1
Opcode Fuzzy Hash: ba815399cd00ca95d62e4833c4fd62cdf5df932db360d0258cf71cfd650a36e1
Instruction Fuzzy Hash: FFE02636E002102EC7105750DC09F5A3F90EB96714F088065F20D63252D3709409D372

Function 00D23E80 Relevance: 1.5, APIs: 1, Instructions: 49comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE0100: __Init_thread_footer.LIBCMT ref: 00CE01E0

CoCreateInstance.COMBASE(00E042C8,00000000,00000001,00E20CEC,000000B0), ref: 00D23EFE

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CreateInit_thread_footerInstance
String ID:
API String ID: 3436645735-0
Opcode ID: 1e986e17e3c61d05952f8945f04743d1a0e6c1669b01d2b49fea1e3bf74a9154
Instruction ID: fea197909a840ba76f900208268f929c4a4b5f3a47ee2a83bd5f6fa7791fe5ef
Opcode Fuzzy Hash: 1e986e17e3c61d05952f8945f04743d1a0e6c1669b01d2b49fea1e3bf74a9154
Instruction Fuzzy Hash: 7911A1B16047409FD720DF59D905B4AFBF8EB05B10F10465EF855AB7C0C7BA6504CBA0

Function 00D1F0D0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$CreateHeapInstanceProcess
String ID:
API String ID: 3807588171-0
Opcode ID: 968a2fff64ba81969239f8f6e7e77a3fd0546dd76f98182bc4b4e018d2b3894c
Instruction ID: 883bb6101524d2499591f00e10c7abb2a7b5932ac41e8bdf8a46f5c9de6ff53e
Opcode Fuzzy Hash: 968a2fff64ba81969239f8f6e7e77a3fd0546dd76f98182bc4b4e018d2b3894c
Instruction Fuzzy Hash: 3F6168B0501744DFE710CF64C54878ABFE0FF04308F148A9DD49A9B782DBB9A549DB90

Function 00CE0410 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 247
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00CE047E
RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00CE04C5
RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00CE04E4
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00CE0513
RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00CE0588
RegQueryValueExW.ADVAPI32(00000000,BuildBranch,00000000,00000000,?,?), ref: 00CE05F1
RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 00CE0654
RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 00CE06A6
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00CE0743
GetProcAddress.KERNEL32(00000000), ref: 00CE074A
__Init_thread_footer.LIBCMT ref: 00CE075E
GetCurrentProcess.KERNEL32(?), ref: 00CE0781
IsWow64Process.KERNEL32(00000000), ref: 00CE0788
RegCloseKey.ADVAPI32(00000000), ref: 00CE07C2

Strings

CurrentBuildNumber, xrefs: 00CE057D
CurrentMinorVersionNumber, xrefs: 00CE04D9
BuildBranch, xrefs: 00CE05E6
kernel32, xrefs: 00CE073E
CurrentVersion, xrefs: 00CE0508
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00CE0474
rs_prerelease, xrefs: 00CE0611
co_release, xrefs: 00CE05F9
CSDVersion, xrefs: 00CE069B
IsWow64Process, xrefs: 00CE0739
CurrentMajorVersionNumber, xrefs: 00CE04BA
ReleaseId, xrefs: 00CE0649

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleInit_thread_footerModuleOpenProcWow64
String ID: BuildBranch$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$co_release$kernel32$rs_prerelease
API String ID: 1906320730-525127412
Opcode ID: 2a2d5e8941eb1f4086d7e0eb02219307bbdf5fb74f9d495cecea051724822593
Instruction ID: d117ee83b13377a6b349ffc696a2203394a24bb954ec602a0fbd9bbd2ee25f95
Opcode Fuzzy Hash: 2a2d5e8941eb1f4086d7e0eb02219307bbdf5fb74f9d495cecea051724822593
Instruction Fuzzy Hash: 9DA16F71D007589EDB20DF21CD45BE9B7F8FB04705F14819AE859B6291EB74AAC8CF90

Function 6CE86320 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 247
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?,?,?,?,?,?,?,00000000,6CEC1349,000000FF), ref: 6CE8638A
RegQueryValueExW.KERNEL32(?,CurrentMajorVersionNumber,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CEC1349,000000FF), ref: 6CE863BF
RegQueryValueExW.KERNEL32(?,CurrentMinorVersionNumber,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CEC1349,000000FF), ref: 6CE863D5
RegQueryValueExW.ADVAPI32(?,CurrentVersion,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CEC1349,000000FF), ref: 6CE863FB
RegQueryValueExW.KERNEL32(?,CurrentBuildNumber,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CEC1349,000000FF), ref: 6CE86464
RegQueryValueExW.ADVAPI32(?,BuildBranch,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CEC1349,000000FF), ref: 6CE864BD
RegQueryValueExW.KERNEL32(?,ReleaseId,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CEC1349,000000FF), ref: 6CE86514
RegQueryValueExW.KERNEL32(?,CSDVersion,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CEC1349,000000FF), ref: 6CE86553
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,?,?,?,?,00000000,6CEC1349,000000FF), ref: 6CE865EE
GetProcAddress.KERNEL32(00000000), ref: 6CE865F5
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00000000,6CEC1349,000000FF), ref: 6CE86626
IsWow64Process.KERNEL32(00000000,?,?,?,?,?,?,00000000,6CEC1349,000000FF), ref: 6CE8662D
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00000000,6CEC1349,000000FF), ref: 6CE8665E

Strings

IsWow64Process, xrefs: 6CE865E4
CurrentVersion, xrefs: 6CE863F3
CurrentBuildNumber, xrefs: 6CE8645C
ReleaseId, xrefs: 6CE8650C
kernel32, xrefs: 6CE865E9
BuildBranch, xrefs: 6CE864B5
co_release, xrefs: 6CE864C5
CurrentMinorVersionNumber, xrefs: 6CE863CD
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 6CE86380
CSDVersion, xrefs: 6CE8654B
CurrentMajorVersionNumber, xrefs: 6CE863B7
rs_prerelease, xrefs: 6CE864DD

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleModuleOpenProcWow64
String ID: BuildBranch$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$co_release$kernel32$rs_prerelease
API String ID: 2654979339-525127412
Opcode ID: c70754a4f3cbfaf144223f4fd4c2de204a333518f7111459b4a262798005f370
Instruction ID: bb8c37778e0c5490d7557ce530d1d1cb9ac490a86a7c8f2883f1b82fdca9c12d
Opcode Fuzzy Hash: c70754a4f3cbfaf144223f4fd4c2de204a333518f7111459b4a262798005f370
Instruction Fuzzy Hash: 12A190B1941249DEDF20CF60DD45FEE77B8FB04318F20462AE925EB680E774A645CBA4

Function 6CE86690 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 221
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,?,?,?,00000000,6CEC138D,000000FF), ref: 6CE866FC
RegQueryValueExW.KERNEL32(?,ProductType,00000000,00000000,?,?,?,?,00000000,6CEC138D,000000FF), ref: 6CE8672E
RegQueryValueExW.KERNEL32(?,ProductSuite,00000000,00000000,?,?,?,?,00000000,6CEC138D,000000FF), ref: 6CE8679D
RegCloseKey.ADVAPI32(?,?,?,00000000,6CEC138D,000000FF), ref: 6CE86968

Strings

Personal, xrefs: 6CE86899
ProductSuite, xrefs: 6CE86795
Storage Server, xrefs: 6CE868F5
Security Appliance, xrefs: 6CE868DE
Blade, xrefs: 6CE868B0
BackOffice, xrefs: 6CE86802
WinNT, xrefs: 6CE86734
Small Business(Restricted), xrefs: 6CE8684D
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 6CE866F2
CommunicationServer, xrefs: 6CE8681B
ServerNT, xrefs: 6CE86757
DataCenter, xrefs: 6CE8687F
EmbeddedNT, xrefs: 6CE86866
Terminal Server, xrefs: 6CE86834
Embedded(Restricted), xrefs: 6CE868C7
Enterprise, xrefs: 6CE867E9
ProductType, xrefs: 6CE86726
Small Business, xrefs: 6CE867D0
Compute Server, xrefs: 6CE8690C

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: 3717981e91970662862fc2417caca78cca5923c873475628f48dddabcd449ab7
Instruction ID: 0fdac74464e4088961dfa77e678885dd05e3bced7e78aef11de4a1bce8907509
Opcode Fuzzy Hash: 3717981e91970662862fc2417caca78cca5923c873475628f48dddabcd449ab7
Instruction Fuzzy Hash: 8471F334B553458BDB108F25DD427AA7BB9EB4130CF3161399969EBBC0EB34EA0A8750

Function 00CE07F0 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 220
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00CE0860
RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 00CE089B
RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 00CE0916
RegCloseKey.KERNEL32(00000000), ref: 00CE0AEE

Strings

Blade, xrefs: 00CE0A30
BackOffice, xrefs: 00CE0982
Storage Server, xrefs: 00CE0A75
Personal, xrefs: 00CE0A19
Compute Server, xrefs: 00CE0A8C
CommunicationServer, xrefs: 00CE099B
Terminal Server, xrefs: 00CE09B4
DataCenter, xrefs: 00CE09FF
ProductSuite, xrefs: 00CE090B
Embedded(Restricted), xrefs: 00CE0A47
ServerNT, xrefs: 00CE08C4
Enterprise, xrefs: 00CE0969
Security Appliance, xrefs: 00CE0A5E
EmbeddedNT, xrefs: 00CE09E6
ProductType, xrefs: 00CE0890
Small Business, xrefs: 00CE0950
Small Business(Restricted), xrefs: 00CE09CD
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 00CE0856
WinNT, xrefs: 00CE08A1

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: 8e301710b957e7c26e169866aaff2c3272a44056d22856c8b47aec22b8b8081b
Instruction ID: 8c8885841d108a27b01c579be64c0a8e226a88a2a42fbb126408325313bd27a2
Opcode Fuzzy Hash: 8e301710b957e7c26e169866aaff2c3272a44056d22856c8b47aec22b8b8081b
Instruction Fuzzy Hash: C8718B307003CC4ADB109B23CD41BBA7379EB94704F6051B9A915BF682EBB8CEC59781

Function 00CEFE70 Relevance: 39.1, APIs: 12, Strings: 10, Instructions: 599libraryloaderCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?,SystemFolder,0000000C,?,?,?), ref: 00CF0075
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00CF0170
GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D,?,?,?), ref: 00CF0270
GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D,?,?,?), ref: 00CF0355
GetTempPathW.KERNEL32(00000104,?,WindowsVolume,0000000D,?,?,?), ref: 00CF03CB
GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D,?,?,?), ref: 00CF0454
SHGetSpecialFolderLocation.SHELL32(00000000,?,WindowsVolume,0000000D,?,?,?), ref: 00CF0532
__Init_thread_footer.LIBCMT ref: 00CF05A6
LoadLibraryW.KERNEL32(shfolder.dll,?,?,?), ref: 00CF05BC
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00CF05EE
SHGetPathFromIDListW.SHELL32(?,?), ref: 00CF065C
SHGetMalloc.SHELL32(00000000), ref: 00CF0675

Part of subcall function 00BC9980: RtlAllocateHeap.NTDLL(?,00000000,?,D02C6D11,00000000,00D9C6B0,000000FF,?,?,00E7C42C,00000000,00D1ECDB,80004005,D02C6D11,?,?), ref: 00BC99CA

Strings

WindowsFolder, xrefs: 00CF01FD, 00CF0212, 00CF021C
ProgramW6432, xrefs: 00CEFF05
ProgramFiles64Folder, xrefs: 00CEFEAA
SETUPEXEDIR, xrefs: 00CF0401
System32Folder, xrefs: 00CF00FD, 00CF0112, 00CF011C
WindowsVolume, xrefs: 00CF02E4, 00CF02F9, 00CF0303
TempFolder, xrefs: 00CF0382
SystemFolder, xrefs: 00CEFFE9, 00CEFFFE, 00CF0008
SHGetFolderPathW, xrefs: 00CF05E8
shfolder.dll, xrefs: 00CF05B7

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: DirectoryPath$FolderWindows$AddressAllocateFileFromHeapInit_thread_footerLibraryListLoadLocationMallocModuleNameProcSpecialSystemTemp
String ID: ProgramFiles64Folder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll
API String ID: 3671250-2142986682
Opcode ID: b018cbdea1ea8512420f134446115d3c84d48a519bcc8b0f1786bc4ff278a3d7
Instruction ID: 986afdc3a23e4f44c2b566aeb5cbb7f0c444019572f76f3b951178f50fba16ab
Opcode Fuzzy Hash: b018cbdea1ea8512420f134446115d3c84d48a519bcc8b0f1786bc4ff278a3d7
Instruction Fuzzy Hash: 6822E670A002098BDB64DF64CC45BBDB3B1EF54714F6442ACE61AD72A2EB319E85CF91

Function 00CFF110 Relevance: 28.7, APIs: 13, Strings: 3, Instructions: 697
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsW.SHLWAPI(00000000,?,00000000,?,?,?,00DE30BD,000000FF,?,00D1ED21,?,?,?,?), ref: 00CFF273
GetLastError.KERNEL32(?,?,?,?,00DE30BD,000000FF,?,00D1ED21,?,?,?,?), ref: 00CFF2C4

Part of subcall function 00D0B860: GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D0B93A

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00DE30BD), ref: 00CFF4AC
GetLastError.KERNEL32 ref: 00CFF4D2
GetLastError.KERNEL32(?, Error:,00000007,Failed to extract file:,00000017), ref: 00CFF5A9
SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00CFF635
GetLastError.KERNEL32 ref: 00CFF640

Part of subcall function 00CDE5B0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,D02C6D11,?,?,?), ref: 00CDE5FB
Part of subcall function 00CDE5B0: GetLastError.KERNEL32(?,?,?), ref: 00CDE605

ReadFile.KERNEL32(?,00000000,0000001D,?,00000000), ref: 00CFF736
WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00CFF768
CloseHandle.KERNEL32(?), ref: 00CFF7EF
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00CFF837
CloseHandle.KERNEL32(?,?,00E0450C), ref: 00CFF8A5
CloseHandle.KERNEL32(?,00010000), ref: 00CFF8D7

Strings

Error:, xrefs: 00CFF59B
Not enough disk space to extract file:, xrefs: 00CFF395
Failed to extract file:, xrefs: 00CFF566

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$ErrorLast$CloseHandle$Create$DiskExistsFormatFreeMessagePathPointerReadSpaceWrite
String ID: Error:$Failed to extract file:$Not enough disk space to extract file:
API String ID: 105829848-4103669389
Opcode ID: 01b3c481c9874b6a35591aafe84f69fe5d53965fcf09c58be4a36a4f9378ca3d
Instruction ID: f1513c0d9e865c0b2a258f4c4262dca60922eeeb319e7e5f928e32a9edc0a474
Opcode Fuzzy Hash: 01b3c481c9874b6a35591aafe84f69fe5d53965fcf09c58be4a36a4f9378ca3d
Instruction Fuzzy Hash: F142C271A00209DFDB14DF68C884BAEBBB1EF45314F14826DE925AB391DB70EE45CB61

Function 00CF6470 Relevance: 25.3, APIs: 3, Strings: 11, Instructions: 773COMMON

Download Yara Rule

APIs

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00CF652E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00CF6558

Part of subcall function 00BC92A0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,00000000,8007000E,80004005,00CD06A6,00000000,00000002,00000001,?,?,80070057,?), ref: 00BC92C3

Strings

A valid language was received from commnad line. This is:, xrefs: 00CF6AAA
Languages of setup:, xrefs: 00CF78BB
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00CF6C44
Software\Caphyon\Advanced Installer\, xrefs: 00CF6C30
%hu, xrefs: 00CF6AD8
Language used for UI:, xrefs: 00CF6DDE
AI_BOOTSTRAPPERLANGS, xrefs: 00CF7660, 00CF7672, 00CF767C
Code returned to Windows by setup:, xrefs: 00CF68B1
Language of a related product is:, xrefs: 00CF6CAC
Language selected programatically for UI:, xrefs: 00CF6D62
Advinst_Extract_, xrefs: 00CF64C5, 00CF64D7, 00CF64E1

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ByteCharInit_thread_footerMultiWide$FindHeapProcessResource
String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\
API String ID: 1419962739-297406034
Opcode ID: 972e3c06c4fef5a72d7f7545bc433076fbd44188fea73c0bc799d9a11695ceea
Instruction ID: 4bb6eb5af1b7ebef89113ea8885495dbb7cf3caf3f502ee90c1c55e1b5594c8b
Opcode Fuzzy Hash: 972e3c06c4fef5a72d7f7545bc433076fbd44188fea73c0bc799d9a11695ceea
Instruction Fuzzy Hash: 9152D2719002499FDB14DF68CC55BBEBBB4EF41314F14816CE925AB2D2DB309E04CBA1

Function 00CF6130 Relevance: 23.4, APIs: 10, Strings: 3, Instructions: 648threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00CF6300
SetLastError.KERNEL32(0000000E), ref: 00CF631D
GetCurrentThreadId.KERNEL32 ref: 00CF6335
EnterCriticalSection.KERNEL32(00E8957C), ref: 00CF6352
LeaveCriticalSection.KERNEL32(00E8957C), ref: 00CF6375
DialogBoxParamW.USER32(000007D0,00000000,00C36090,00000000), ref: 00CF6392
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00CF652E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00CF6558

Part of subcall function 00CC4B40: MultiByteToWideChar.KERNEL32(00000003,00000000,lD,000000FF,00000000,00000000,?,?,00E0446C,00CEDD28,InstanceId,?,?,?,?), ref: 00CC4B58
Part of subcall function 00CC4B40: MultiByteToWideChar.KERNEL32(00000003,00000000,lD,000000FF,?,-00000001,?,?,?,?), ref: 00CC4B8A

SetEvent.KERNEL32(?,?,00000000,?,00000001), ref: 00CF66E8
SetEvent.KERNEL32(?), ref: 00CF6749

Part of subcall function 00D01C20: DeleteFileW.KERNEL32(?,?,?,?,?,00CF676B,?), ref: 00D01C4B

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

Strings

Code returned to Windows by setup:, xrefs: 00CF68B1
rw, xrefs: 00CF6375
Advinst_Extract_, xrefs: 00CF64C5, 00CF64D7, 00CF64E1

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ByteCharMultiWide$CriticalEventInit_thread_footerSection$ActiveCurrentDeleteDialogEnterErrorFileHeapLastLeaveParamProcessThreadWindow
String ID: rw$Advinst_Extract_$Code returned to Windows by setup:
API String ID: 2923632737-1253308979
Opcode ID: 805111b63b3eaf32aae5dea59ab4620e0b7943761f2f5875db95785403a5268a
Instruction ID: 96c474950810b7c1a2745023c1e96d00408df9ded23553d49f4fd03b8bd3409f
Opcode Fuzzy Hash: 805111b63b3eaf32aae5dea59ab4620e0b7943761f2f5875db95785403a5268a
Instruction Fuzzy Hash: 2A42AE70D00249DFDB00DFA8C859BAEFBF4EF45314F1481A9E515AB292DB749E08CBA1

Function 00D03590 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 179
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 00D035CA
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?), ref: 00D03607
GetCurrentThreadId.KERNEL32 ref: 00D03692
SetWindowTextW.USER32(?,?), ref: 00D0371C
GetDlgItem.USER32(?,000003E9), ref: 00D03726
SetWindowTextW.USER32(00000000,?), ref: 00D03732
GetDlgItem.USER32(?,00000002), ref: 00D0379F
SetWindowTextW.USER32(00000000,?), ref: 00D037A7

Part of subcall function 00CFC1B0: GetDlgItem.USER32(?,00000002), ref: 00CFC1D0
Part of subcall function 00CFC1B0: GetWindowRect.USER32(00000000,?), ref: 00CFC1E6
Part of subcall function 00CFC1B0: ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,00D035EA,?,?,?,?,?,?), ref: 00CFC1FF
Part of subcall function 00CFC1B0: InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,00D035EA,?,?), ref: 00CFC20A
Part of subcall function 00CFC1B0: GetDlgItem.USER32(?,000003E9), ref: 00CFC21C
Part of subcall function 00CFC1B0: GetWindowRect.USER32(00000000,?), ref: 00CFC232
Part of subcall function 00CFC1B0: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,?,?,?,00D035EA), ref: 00CFC275

Strings

rw, xrefs: 00D0366D

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Item$RectText$ActiveCurrentErrorInvalidateLastShowThread
String ID: rw
API String ID: 127311041-1192573183
Opcode ID: 7be86a8ed98a6543fbbe6c2c38d4c57f47cf1de01db1a053b66bbecace1374d6
Instruction ID: 2941c6474032e3e1ee9d90dbd6801b196116d39b59da4e3300086fd71f803f82
Opcode Fuzzy Hash: 7be86a8ed98a6543fbbe6c2c38d4c57f47cf1de01db1a053b66bbecace1374d6
Instruction Fuzzy Hash: EB619F71901604EFDB11DF69CC48B59BBA8EF44320F148659E959AB2E1DB70EA04CFA1

Function 00BFAFF0 Relevance: 21.4, APIs: 4, Strings: 8, Instructions: 353
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00000043), ref: 00BFB127
GetProcAddress.KERNEL32(00000000,InitializeEmbeddedUI), ref: 00BFB13F
GetProcAddress.KERNEL32(00000000,ShutdownEmbeddedUI), ref: 00BFB149
GetProcAddress.KERNEL32(00000000,EmbeddedUIHandler), ref: 00BFB154

Part of subcall function 00BC9980: RtlAllocateHeap.NTDLL(?,00000000,?,D02C6D11,00000000,00D9C6B0,000000FF,?,?,00E7C42C,00000000,00D1ECDB,80004005,D02C6D11,?,?), ref: 00BC99CA

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

Strings

EmbeddedUIHandler, xrefs: 00BFB14B
19.7.1, xrefs: 00BFB22A
build , xrefs: 00BFB23F
INAN, xrefs: 00BFB027
ShutdownEmbeddedUI, xrefs: 00BFB141
InitializeEmbeddedUI, xrefs: 00BFB139
SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll', xrefs: 00BFB084
e09f3004, xrefs: 00BFB24E

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AddressProc$HeapInit_thread_footer$AllocateLibraryLoadProcess
String ID: build $19.7.1$EmbeddedUIHandler$INAN$InitializeEmbeddedUI$SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll'$ShutdownEmbeddedUI$e09f3004
API String ID: 2564778481-2055252535
Opcode ID: e16698e04e34d1012f9e3f67d74cc1ed720c580f0fde9c063b9208e87db033c3
Instruction ID: 90b364e64a33613ce6d7eefa73cc5efb487ff2ac3346f8337dcf28f22ddb86da
Opcode Fuzzy Hash: e16698e04e34d1012f9e3f67d74cc1ed720c580f0fde9c063b9208e87db033c3
Instruction Fuzzy Hash: 9ED17D71A00209DFDB04DFA8CC55BAEBBF4FF04314F144669E915A76C1EB74AA48CBA1

Function 6CE73B60 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 409
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6CE68270: GetProcessHeap.KERNEL32 ref: 6CE682CC

Part of subcall function 6CE67730: #17.MSI(00000002,?,00000000,?,24641EEC), ref: 6CE677E2
Part of subcall function 6CE67730: #125.MSI(00000000,00000000,[1],?,24641EEC), ref: 6CE677F9
Part of subcall function 6CE67730: #125.MSI(00000000,00000001,24641EEC,?,24641EEC), ref: 6CE67806
Part of subcall function 6CE67730: #103.MSI(00000000,04000000,00000000,?,24641EEC), ref: 6CE67818
Part of subcall function 6CE67730: #8.MSI(00000000,?,24641EEC), ref: 6CE67827

FindNextFileW.KERNELBASE(00000000,?,00000000,?,00000000,*.*,00000003,7FFFFFFE,?,6CEF8D6C,?), ref: 6CE73E67
DeleteFileW.KERNEL32(00000000,?), ref: 6CE7408B

Strings

session, xrefs: 6CE73FAA
!, xrefs: 6CE74091
Logging is enabled, sending data ..., xrefs: 6CE73D62
Logging is disabled, discard collected data., xrefs: 6CE73BF1
., xrefs: 6CE73E8A
*.*, xrefs: 6CE73CB3

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: #125File$#103DeleteFindHeapNextProcess
String ID: !$*.*$.$Logging is disabled, discard collected data.$Logging is enabled, sending data ...$session
API String ID: 1195310492-2153466073
Opcode ID: b8e670e152dce0b5cda5034432c3f527252759271aa2ed05f986822d2fc389ca
Instruction ID: ba91a8bc9114ad2290621f75c914daddf10f376e7e2537dfd3950eba81a53d68
Opcode Fuzzy Hash: b8e670e152dce0b5cda5034432c3f527252759271aa2ed05f986822d2fc389ca
Instruction Fuzzy Hash: 03F19130911248DFDB21DBA8CD58BDEBBB4AF05318F24829DD405A7B91DB749B48CFA1

Function 00D73FD7 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(?,?,?,00D74376,00E87F88,?,00000000,?,00D0361C,?,00000000,00000000,?,?), ref: 00D73FE9
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00D74376,00E87F88,?,00000000,?,00D0361C,?,00000000,00000000), ref: 00D73FFE
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D7407A

Strings

AtlThunk_FreeData, xrefs: 00D74054
AtlThunk_AllocateData, xrefs: 00D7400F
AtlThunk_InitData, xrefs: 00D74026
AtlThunk_DataToCode, xrefs: 00D7403D
atlthunk.dll, xrefs: 00D73FF9

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: d71912577404be8f09430a2f0837d350d5370975ff55a62521769df41b09ff71
Instruction ID: e37b2cddeb8ee9194e165d1bc9b243e0f9cb77e6d8b92387bfd99050f82f188e
Opcode Fuzzy Hash: d71912577404be8f09430a2f0837d350d5370975ff55a62521769df41b09ff71
Instruction Fuzzy Hash: 43018E70B443246ACA52A7299D06FA63B5C8F01748F18C054BF4C77292EBB18A48C2B2

Function 00CE4F80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 173
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CE0240: __Init_thread_footer.LIBCMT ref: 00CE0312

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,D02C6D11,00000000,00000000,?), ref: 00CE4FD5
GetTempPathW.KERNEL32(00000104,?), ref: 00CE5069
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00CE509A
Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00CE512D
CopyFileW.KERNEL32(?,?,00000000), ref: 00CE514F
Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 00CE517E

Strings

shim_clone, xrefs: 00CE508E

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Wow64$FilePathRedirectionTemp$CopyDisableFolderInit_thread_footerNameRevert
String ID: shim_clone
API String ID: 4264308349-3944563459
Opcode ID: 4c320c052a34daca483d6d90bcdc72df13895e0c463c1303833211967480e624
Instruction ID: 34d4b5adb66299673916f4879f97a55026c3cdb89f5116380efcbe13049ab392
Opcode Fuzzy Hash: 4c320c052a34daca483d6d90bcdc72df13895e0c463c1303833211967480e624
Instruction Fuzzy Hash: 7A512474A406589EDB24DF65CC45BAEB7F9EF44700F5080AAF809D7281EB719F85CBA0

Function 6CE86F60 Relevance: 10.8, APIs: 7, Instructions: 342
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,24641EEC,00000000,00000000), ref: 6CE86FEB
ReadFile.KERNEL32(?,00000000,00001000,?,00000000,00001000), ref: 6CE8705D
ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,?,00000000), ref: 6CE872EA
CloseHandle.KERNEL32(?), ref: 6CE8734B

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$Read$CloseCreateHandle
String ID:
API String ID: 1724936099-0
Opcode ID: c9d80e93bb3a9be23859e4be20a6cf16f0977bdc7fb82d14aad150f7bccd1638
Instruction ID: 2645b5d1fd233859321f83c300d070904649928a22229b998f8d54d69eff023c
Opcode Fuzzy Hash: c9d80e93bb3a9be23859e4be20a6cf16f0977bdc7fb82d14aad150f7bccd1638
Instruction Fuzzy Hash: 37D18E71E01308DBDB10CFA4C955BAEBBB5BF45308F34461DE819AB780DB74AA45CB91

Function 00CF4E40 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

APIs

Part of subcall function 00CF4CA0: GetTickCount.KERNEL32 ref: 00CF4D24
Part of subcall function 00CF4CA0: __Xtime_get_ticks.LIBCPMT ref: 00CF4D2C
Part of subcall function 00CF4CA0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CF4D76

Part of subcall function 00D181C0: GetUserNameW.ADVAPI32(00000000,?), ref: 00D1824E
Part of subcall function 00D181C0: GetLastError.KERNEL32 ref: 00D18254
Part of subcall function 00D181C0: GetUserNameW.ADVAPI32(00000000,?), ref: 00D1829C
Part of subcall function 00D181C0: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00D182D2
Part of subcall function 00D181C0: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000,00000000,00000000), ref: 00D1831C

__Init_thread_footer.LIBCMT ref: 00CF4F64

Strings

\/:*?"<>|, xrefs: 00CF4F26

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: EnvironmentNameUserVariable$CountErrorInit_thread_footerLastTickUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
String ID: \/:*?"<>|
API String ID: 2099558200-3830478854
Opcode ID: 31ed5e23b898702cccbd3e38502ffe9d265e6828dd03af8314fde696247a8d4b
Instruction ID: 080d50bfea84dd844e496df364029e003303b6f96686cd56ea2074723336413e
Opcode Fuzzy Hash: 31ed5e23b898702cccbd3e38502ffe9d265e6828dd03af8314fde696247a8d4b
Instruction Fuzzy Hash: 49C19170D00248CFDB14DFA9C845BEEBBF0BF44314F18416CD619AB292DB755A45CB91

Function 00D1D430 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(00DE902D,-00000400,?,00000002,00000400,D02C6D11,?,?,?), ref: 00D1D4D6
GetLastError.KERNEL32(?,?), ref: 00D1D4E4
ReadFile.KERNEL32(00DE902D,00000000,00000400,?,00000000,?,?), ref: 00D1D4FF

Strings

ADVINSTSFX, xrefs: 00D1D533, 00D1D5EE

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$ErrorLastPointerRead
String ID: ADVINSTSFX
API String ID: 64821003-4038163286
Opcode ID: c36533137c6d99e37f9f297d29ead5d3d7591cf5e861a5ea878cbc45625cb4bc
Instruction ID: 619fc2e363f4e112f6c7914737ebbf09f927e0580e7cf5a1e18a2966bc398b38
Opcode Fuzzy Hash: c36533137c6d99e37f9f297d29ead5d3d7591cf5e861a5ea878cbc45625cb4bc
Instruction Fuzzy Hash: 1761A4B1E00219ABDB00CFA8D884BFEBBB6FB45314F684255E515A7295DB34DD81CB70

Function 6CE9021B Relevance: 10.6, APIs: 7, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6CE90262
___scrt_uninitialize_crt.LIBCMT ref: 6CE9027C

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: b37ffec7d55a2a51c0a696207069d983bc3d6f13735fbbc4c53f8a9e94f3fd5c
Instruction ID: 50ab283bfa0d27ee3b04efcd810ccd13663575585509caf5202a82b6ffe90cbe
Opcode Fuzzy Hash: b37ffec7d55a2a51c0a696207069d983bc3d6f13735fbbc4c53f8a9e94f3fd5c
Instruction Fuzzy Hash: FA41B272E05794AFDB11CF69CC40BEE3BB4EB89B5CF70451AE82467B40D77449058BA0

Function 00BD83D1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,00000024), ref: 00BD8470
GetWindowLongW.USER32(?,000000FC), ref: 00BD8485
CallWindowProcW.USER32(?,?,00000082,?,00000024), ref: 00BD849B
GetWindowLongW.USER32(?,000000FC), ref: 00BD84B5
SetWindowLongW.USER32(?,000000FC,?), ref: 00BD84C5

Strings

$, xrefs: 00BD8419

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: a0559f483561f304928b5327645c850c528aa5f6c680943676ce415e409f5e6a
Instruction ID: a29d019c982d60a5c4ba84a5ccf5a976aa996051b0b0355089e25c89207feaec
Opcode Fuzzy Hash: a0559f483561f304928b5327645c850c528aa5f6c680943676ce415e409f5e6a
Instruction Fuzzy Hash: 2E41D271108700AFC720DF59D984A1BFBF9FF88724F504A1EF59A826A0D771E8449F51

Function 00CC6C10 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,D02C6D11,00000000,?,7686EB20,?,?,00D9CB30,000000FF), ref: 00CC6C53
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00CC6C7C
RegCreateKeyExW.KERNEL32(?,00D1887A,00000000,00000000,00000000,00D9CB30,00000000,00000000,00D9CB30,D02C6D11,00000000,?,7686EB20,?,?,00D9CB30), ref: 00CC6CC9
RegCloseKey.ADVAPI32(00000000,?,7686EB20,?,?,00D9CB30,000000FF), ref: 00CC6CDC

Strings

Advapi32.dll, xrefs: 00CC6C4E
RegCreateKeyTransactedW, xrefs: 00CC6C76

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AddressCloseCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1765684683-2994018265
Opcode ID: 4a7e03d72a5d682fd43bc79b45a36c8b1c9d577aef1336518e8db998b1d60953
Instruction ID: 4179ec5a3a640f8b162f6ebad7bfd778e0d9a4fe553b14cf7f5c79d1a3c25b12
Opcode Fuzzy Hash: 4a7e03d72a5d682fd43bc79b45a36c8b1c9d577aef1336518e8db998b1d60953
Instruction Fuzzy Hash: 5931BF72B04205BFEB208F45DD01FAABBB8FB48750F10812AF915E7280E775A940CBA4

Function 00CFC1B0 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000002), ref: 00CFC1D0
GetWindowRect.USER32(00000000,?), ref: 00CFC1E6
ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,00D035EA,?,?,?,?,?,?), ref: 00CFC1FF
InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,00D035EA,?,?), ref: 00CFC20A
GetDlgItem.USER32(?,000003E9), ref: 00CFC21C
GetWindowRect.USER32(00000000,?), ref: 00CFC232
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,?,?,?,00D035EA), ref: 00CFC275

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Rect$Item$InvalidateShow
String ID:
API String ID: 2147159307-0
Opcode ID: f8f1e078a2c583b366fd1a5dd6daa3d1a56416967fa9822525d401ec5041607b
Instruction ID: 668916b62d7570f146ccaef2966f4d7b054825420403e1ce0cdc5bb2dc9aa12c
Opcode Fuzzy Hash: f8f1e078a2c583b366fd1a5dd6daa3d1a56416967fa9822525d401ec5041607b
Instruction Fuzzy Hash: 97213971608300AFD300DF25DD89A6B7BE9EF8D710F108659F899E6291E730E9858B92

Function 00CFFC90 Relevance: 9.4, APIs: 6, Instructions: 402fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,D02C6D11,?), ref: 00CFFCF7
GetLastError.KERNEL32 ref: 00CFFFF0
GetLastError.KERNEL32 ref: 00D00051
GetLastError.KERNEL32 ref: 00CFFD06

Part of subcall function 00CDE5B0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,D02C6D11,?,?,?), ref: 00CDE5FB
Part of subcall function 00CDE5B0: GetLastError.KERNEL32(?,?,?), ref: 00CDE605

ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00CFFE04
ReadFile.KERNEL32(?,?,00000000,00000000,00000000,00000001), ref: 00CFFE5B

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorLast$File$Read$FormatMessagePointer
String ID:
API String ID: 3903527278-0
Opcode ID: 34c4a0c2173a3a83ec6d74b14b5f361714791d68ff9d469cd242d35092bf3136
Instruction ID: 774ce53254845a917e2bf546427c7275e1b5882bb0d20551c145f27b7e9bd607
Opcode Fuzzy Hash: 34c4a0c2173a3a83ec6d74b14b5f361714791d68ff9d469cd242d35092bf3136
Instruction Fuzzy Hash: 3BF18D71D00609AFDB04DFA8C845BEDFBB4FF49310F148269E525A7391E770AA45CBA1

Function 00D00160 Relevance: 9.4, APIs: 6, Instructions: 354fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,D02C6D11,?,?,00000002,?,?,?,?,?,?,00000000,00DE32F2), ref: 00D001B7
GetLastError.KERNEL32(?,00000002), ref: 00D00449
GetLastError.KERNEL32(?,00000002), ref: 00D004F3
GetLastError.KERNEL32(?,00000002,?,?,?,?,?,?,00000000,00DE32F2,000000FF,?,00CFF05A,00000010), ref: 00D001C6

Part of subcall function 00CDE5B0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,D02C6D11,?,?,?), ref: 00CDE5FB
Part of subcall function 00CDE5B0: GetLastError.KERNEL32(?,?,?), ref: 00CDE605

ReadFile.KERNEL32(?,00000000,00000008,80070057,00000000,?,00000002), ref: 00D00288
ReadFile.KERNEL32(?,D02C6D11,00000000,00000000,00000000,00000001,?,00000002), ref: 00D00305

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorLast$File$Read$FormatMessagePointer
String ID:
API String ID: 3903527278-0
Opcode ID: 6fdc2be92f8a7650d77d7f9fd2d9b72229b04852603fabbd7480446fd44f89a9
Instruction ID: 8a9432022cc15494bb0cdf530d94404cf79bdadef38bd7407b079d3f263c5b04
Opcode Fuzzy Hash: 6fdc2be92f8a7650d77d7f9fd2d9b72229b04852603fabbd7480446fd44f89a9
Instruction Fuzzy Hash: 36D15171D00209EFDB01DFA8C885BADBBB5FF45314F188269E919AB3D1E7749905CBA0

Function 6CE751A0 Relevance: 9.3, APIs: 6, Instructions: 251fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,24641EEC,?,00000000), ref: 6CE7524F
GetFileSize.KERNEL32(00000000,00000000), ref: 6CE7537B
WriteFile.KERNEL32(00000000,0000FEFF,00000002,?,00000000), ref: 6CE753A7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 6CE753BD
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 6CE75400
CloseHandle.KERNEL32(00000000), ref: 6CE75465

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$Write$CloseCreateHandlePointerSize
String ID:
API String ID: 3932932802-0
Opcode ID: b2ef16f225f4ec1a727691a11af0b5699db5896d92024a0cd2d4310469b5edfc
Instruction ID: 4a19efac4dcb34e112cd10d25532d412f233fb2b668a003c77b9421f2ad25330
Opcode Fuzzy Hash: b2ef16f225f4ec1a727691a11af0b5699db5896d92024a0cd2d4310469b5edfc
Instruction Fuzzy Hash: 45A17F70D01248DFEB20CFA4C845BEDBBB5BF05318F308259D525A7691D774AA49CFA1

Function 00CDB720 Relevance: 9.2, APIs: 6, Instructions: 233COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(00000000,D02C6D11,?,?,?,?,?,?,00DDC395,000000FF,?,00CFF494,?,?,?,?), ref: 00CDB76B
CreateDirectoryW.KERNEL32(?,00000000,?,00000002,00E14494,00000001,?), ref: 00CDB82A
GetLastError.KERNEL32 ref: 00CDB838

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID:
API String ID: 953296794-0
Opcode ID: 6c60c360c1a82897e045e9d83c27146efb6d6dab67842b742c9bc6cd6fd1ae9f
Instruction ID: 9c17d35b7cb9decee25f994779c80de851086a38ae4783c2f918618e12068b54
Opcode Fuzzy Hash: 6c60c360c1a82897e045e9d83c27146efb6d6dab67842b742c9bc6cd6fd1ae9f
Instruction Fuzzy Hash: E0819071D04609DFDB10DFA8C895BADBBB4EF55320F25425AEA24A73D0DB749E04CBA0

Function 00D037D0 Relevance: 9.1, APIs: 6, Instructions: 69threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0015EF30,00E20B08,00000000,?), ref: 00D0384D
GetLastError.KERNEL32 ref: 00D0385A
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 00D03883
GetExitCodeThread.KERNEL32(00000000,?), ref: 00D0389D
TerminateThread.KERNEL32(00000000,00000000), ref: 00D038B5
CloseHandle.KERNEL32(00000000), ref: 00D038BE

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleTerminateWait
String ID:
API String ID: 1566822279-0
Opcode ID: 069fec23e2f755c6c7476be8f97ba653efd8133791cc93627b12864d761436ed
Instruction ID: 0395fb0cf773d2b8eb340a0ad98c690ff1b31a6173a0559effe2fa0bb9380c1d
Opcode Fuzzy Hash: 069fec23e2f755c6c7476be8f97ba653efd8133791cc93627b12864d761436ed
Instruction Fuzzy Hash: E931D775900219EFDF10DF94DD59BEDBBB8FB08314F108259E914B62D0D7799A04CBA4

Function 00CE5480 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 196COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(80004005,00DE3C95,D02C6D11,?,?,?,?,?,00000000,00DE3C95,000000FF,?,80004005,D02C6D11,?), ref: 00CE54E5
GetFileVersionInfoW.KERNELBASE(80004005,?,00000000,000000FF,00000000,?,?,?,?,00000000,00DE3C95,000000FF,?,80004005,D02C6D11,?), ref: 00CE5533

Strings

\VarFileInfo\Translation, xrefs: 00CE5567
\StringFileInfo\%04x%04x\%s, xrefs: 00CE559D
ProductName, xrefs: 00CE5593

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: FileInfoVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 2104008232-2149928195
Opcode ID: afc98d887e64011b15dce8c1c285de92153f512c4963d504ad3c336e6a16c728
Instruction ID: 19a44473c03aeccbb2b51f2dcba9ab82874bfeaf562bd2d964ce5dc1f37b5d59
Opcode Fuzzy Hash: afc98d887e64011b15dce8c1c285de92153f512c4963d504ad3c336e6a16c728
Instruction Fuzzy Hash: 3C61CD71901649DFDB10CFA9C849AAEB7F9FF15319F14816AF421E7291EB309E04CBA0

Function 00CE5370 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE4F80: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,D02C6D11,00000000,00000000,?), ref: 00CE4FD5
Part of subcall function 00CE4F80: GetTempPathW.KERNEL32(00000104,?), ref: 00CE5069
Part of subcall function 00CE4F80: GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00CE509A

GetFileVersionInfoSizeW.KERNELBASE(?,000000FF,Shlwapi.dll,D02C6D11,00000000,?,?,00000000,00DDD9C5,000000FF,Shlwapi.dll,00CE5326,?,?,?), ref: 00CE53BD
GetFileVersionInfoW.KERNELBASE(?,?,?,00000000,00000000,?,?), ref: 00CE53E9
GetLastError.KERNEL32(?,?), ref: 00CE542E
DeleteFileW.KERNEL32(?), ref: 00CE5441

Strings

Shlwapi.dll, xrefs: 00CE5370, 00CE53A8

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$InfoPathTempVersion$DeleteErrorFolderLastNameSize
String ID: Shlwapi.dll
API String ID: 2355151265-1687636465
Opcode ID: b8c658cb3febf62857ba388e7aa3c6e51fdc217c6e9d8f5510f54dff03bb8bd1
Instruction ID: 408537ba403a1975dccb36389d9415e0194f768b89fd6d0f452e7dfd041d3a07
Opcode Fuzzy Hash: b8c658cb3febf62857ba388e7aa3c6e51fdc217c6e9d8f5510f54dff03bb8bd1
Instruction Fuzzy Hash: FE31A271D04249AFDB11CFA6CC44BEEFBB8EF08315F14411AE815B3290DB359A44CBA1

Function 00CE30C0 Relevance: 7.8, APIs: 5, Instructions: 292COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000000,?,00000100), ref: 00CE31BC
LoadStringW.USER32(?,00000000,?,00000001), ref: 00CE3264

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: bf62e9108e98410ef34e1eec1491db20b6d4de188a8f6c3146d7d66715808973
Instruction ID: 01fba3fdffce3f09d8d1a06e319c20e0a4a1c7a9e7afbf5e1aedf5d81b803a08
Opcode Fuzzy Hash: bf62e9108e98410ef34e1eec1491db20b6d4de188a8f6c3146d7d66715808973
Instruction Fuzzy Hash: 5DB17F71D00248EFDB04CFA9D849BEEBBB5FF48314F10821AE525B7291EB746A45CB90

Function 00D1E990 Relevance: 7.8, APIs: 5, Instructions: 289threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,D02C6D11,?,?,00000000,?,?,?,?,00DE941D,000000FF,?,00D00E0E), ref: 00D1E9D0
CreateThread.KERNEL32(00000000,00000000,00D1ECE0,?,00000000,?), ref: 00D1EA06
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00D1EB0F
GetExitCodeThread.KERNEL32(00000000,?), ref: 00D1EB1A
CloseHandle.KERNEL32(00000000), ref: 00D1EB3A

Part of subcall function 00BD8590: RaiseException.KERNEL32(?,?,00000000,00000000,00D1ED87,C000008C,00000001), ref: 00BD859C

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CreateThread$CloseCodeEventExceptionExitHandleObjectRaiseSingleWait
String ID:
API String ID: 3595790897-0
Opcode ID: e3adb398601bf5971bea560e8ea14b3fe863820c174ec93353bb64fc3f8bc128
Instruction ID: 741837130d84b72ff0fe2f3685a106e0e9678313bdd09e9e2359df1fe51fa11a
Opcode Fuzzy Hash: e3adb398601bf5971bea560e8ea14b3fe863820c174ec93353bb64fc3f8bc128
Instruction Fuzzy Hash: 45B16F75A00605EFDB14CF68D984BAAB7F5FF49310F184669E916AB391DB30E940CBA0

Function 6CE902CB Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6CE90308
dllmain_crt_dispatch.LIBCMT ref: 6CE9031F
dllmain_raw.LIBCMT ref: 6CE90367
dllmain_crt_dispatch.LIBCMT ref: 6CE9037A
dllmain_raw.LIBCMT ref: 6CE9038D

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 658388d40f8e621f9148a76896278e4584f76bc4263859326015972a4ee8e6f1
Instruction ID: fce2ac6bf265cc48dd61c0360e282b53c959ee29e871c124df4f0469733faea0
Opcode Fuzzy Hash: 658388d40f8e621f9148a76896278e4584f76bc4263859326015972a4ee8e6f1
Instruction Fuzzy Hash: 33218371D416A8AFDB11CE15CC80AAF3B79EB89B9CF614119FC2467B10D3318D518BE0

Function 00CDBFF0 Relevance: 7.6, APIs: 5, Instructions: 64windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 00CDC011
PeekMessageW.USER32(?,00000000), ref: 00CDC057
TranslateMessage.USER32(00000000), ref: 00CDC062
DispatchMessageW.USER32(00000000), ref: 00CDC069
MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 00CDC07B

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
String ID:
API String ID: 4084795276-0
Opcode ID: ccd2eba6bf44bec93c9bccfbee61937a6da9a1918954833f93471411382cf855
Instruction ID: 1e40ab8b724c670dc46ef9f20f186e3a2c83f8fab09e852cb86b82419907bf2e
Opcode Fuzzy Hash: ccd2eba6bf44bec93c9bccfbee61937a6da9a1918954833f93471411382cf855
Instruction Fuzzy Hash: 9A115971644306BEE310CB55ACC1FA7B7DCEF88760F600226FB64A21C0EB31E9488761

Function 6CE87A60 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 421COMMON

Download Yara Rule

APIs

Part of subcall function 6CE68270: GetProcessHeap.KERNEL32 ref: 6CE682CC

PathIsUNCW.SHLWAPI(00000010), ref: 6CE87CCD

Strings

\\?\UNC\, xrefs: 6CE87AF6, 6CE87BB9, 6CE87BBF
\\?\, xrefs: 6CE87C6E, 6CE87C74
gkl, xrefs: 6CE87ECF, 6CE87EE5

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: HeapPathProcess
String ID: \\?\$\\?\UNC\$gkl
API String ID: 300331711-145973065
Opcode ID: e6e3bcb7df973291cbb2ba1150c395fb0d0f7f61f86cd63b33aaac1853e71b26
Instruction ID: ecef36308d5884fee0cb49d2c2d15fcba897d24e9e2e7850ba7ca725e9c850f1
Opcode Fuzzy Hash: e6e3bcb7df973291cbb2ba1150c395fb0d0f7f61f86cd63b33aaac1853e71b26
Instruction Fuzzy Hash: 01F17171A0150ADFDB00CFA8C844B9EF7B5FF45318F24866DE425A7B90DB35A909CBA0

Function 00D19FE0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 257filepipeCOMMON

Download Yara Rule

APIs

ConnectNamedPipe.KERNEL32(?,00000000,D02C6D11,?,000000FF,?,?,00000000,00DE863E,000000FF,?,00D1A25A,000000FF,?,00000001), ref: 00D1A01C
GetLastError.KERNEL32(?,?,00000000,00DE863E,000000FF,?,00D1A25A,000000FF,?,00000001), ref: 00D1A026

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

ReadFile.KERNEL32(?,?,00007F90,?,00000000,D02C6D11,?,000000FF,?,?,00000000,00DE863E,000000FF,?,00D1A25A,000000FF), ref: 00D1A073

Strings

\\.\pipe\ToServer, xrefs: 00D1A2E4, 00D1A2F5, 00D1A2FF

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$ConnectErrorFileHeapLastNamedPipeProcessRead
String ID: \\.\pipe\ToServer
API String ID: 2973225359-63420281
Opcode ID: b8e619fd64130e585cc782ce1e15811006b2e7373f03fc5e96561ee7c63997e7
Instruction ID: bc0f40c98e300b4caa77ba5955bcab1a78a9a9872cca04c5becf327f750e2b1b
Opcode Fuzzy Hash: b8e619fd64130e585cc782ce1e15811006b2e7373f03fc5e96561ee7c63997e7
Instruction Fuzzy Hash: 8691F171A01204EFEB14DF68D805BAEB7E8FF44324F14866DE925DB381DB75A940CBA1

Function 6CE87EB0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,24641EEC,00000000,00000000,?,?,00000000,6CEC16B5,000000FF,?,6CE76B67,?,00000000), ref: 6CE87EF9
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,6CEDA1AC,00000001,?), ref: 6CE87FAD
GetLastError.KERNEL32 ref: 6CE87FB7

Strings

gkl, xrefs: 6CE87ECF, 6CE88084, 6CE87EE5

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID: gkl
API String ID: 953296794-530632152
Opcode ID: 847401d97d2f1130393dce593c969489256fca77a77fe66578a5ed83cf631617
Instruction ID: 8a69eb5cbc61936e27280002ce5560a9c4855752e33d8ff05a8b0332836ab4da
Opcode Fuzzy Hash: 847401d97d2f1130393dce593c969489256fca77a77fe66578a5ed83cf631617
Instruction Fuzzy Hash: E5519F31E05209CBDB10DFA8C884B9DFBB4EF45328F24825AE825A37D0DB759A05CB50

Function 6CE65E00 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,24641EEC,00000034), ref: 6CE65E5C
GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 6CE65E7E

Strings

%08X, xrefs: 6CE65EB3
AABBCCDD, xrefs: 6CE65E9E

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: FolderInformationPathVolume
String ID: %08X$AABBCCDD
API String ID: 1564939276-726327320
Opcode ID: bf01025f9f501c3eda0dbd657c2772b12159bf0216cb5ac148e3789b4e42da22
Instruction ID: 1d9c2611abf7166152e5f17d3b2fb01666ee780ba92cfc1b538c912fd88c3bf1
Opcode Fuzzy Hash: bf01025f9f501c3eda0dbd657c2772b12159bf0216cb5ac148e3789b4e42da22
Instruction Fuzzy Hash: 8B315DB15103489FEB20CF64DD05BEA7BF8FB04708F104A2EE955DBA80E7B466088B95

Function 00CF49A0 Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,D02C6D11,?,00000010,?,00CF7D90,?), ref: 00CF4A06
SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 00CF4A4F
ReadFile.KERNEL32(00000000,D02C6D11,?,?,00000000,00000078,?), ref: 00CF4A91
CloseHandle.KERNEL32(00000000), ref: 00CF4B0A

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$CloseCreateHandlePointerRead
String ID:
API String ID: 4133201480-0
Opcode ID: fcca20e603d90efcaa2eebeabaaa908e44d7da29d40c1804ccc236353ba362eb
Instruction ID: 88d3979b391435809d2dd572980d1fe66236b31a43800da731b4791aa5d62637
Opcode Fuzzy Hash: fcca20e603d90efcaa2eebeabaaa908e44d7da29d40c1804ccc236353ba362eb
Instruction Fuzzy Hash: A451DC70900609EFDB15CBA8CC48BEEFBB8EF45324F248259E521AB2D1D7709E04CB65

Function 00CFC140 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00CFC149
DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DE12D0,000000FF), ref: 00CFC158
PostMessageW.USER32(?,00000401,00000000,00000000), ref: 00CFC176
IsWindow.USER32(?), ref: 00CFC185

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$CurrentDestroyMessagePostThread
String ID:
API String ID: 3186974096-0
Opcode ID: 7e7830b43174cf4890dac8269a1c5a11583ab900a97c31e09251581b9e87d5d1
Instruction ID: 7a032b68a92ab7a0f63ebafbb7148085700441b2582e2e3efe6b469814caa3d7
Opcode Fuzzy Hash: 7e7830b43174cf4890dac8269a1c5a11583ab900a97c31e09251581b9e87d5d1
Instruction Fuzzy Hash: 28F0E270109B409ED3709B29EF88B57BFE16F58B00F104A4DE18696AD0C3B0F840CB24

Function 00CDB3A0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

PathIsUNCW.SHLWAPI(?,00000000,?,00000000,00000000,00000000,00DDC32F,000000FF), ref: 00CDB536

Strings

\\?\, xrefs: 00CDB518, 00CDB51E
\\?\UNC\, xrefs: 00CDB431, 00CDB4A9, 00CDB4AF

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$HeapPathProcess
String ID: \\?\$\\?\UNC\
API String ID: 806983814-3019864461
Opcode ID: be13a6caae0ef8293bbd37dc77a7d0b58ed560ebd308e13ab1dc2fb49f475186
Instruction ID: 31f74f718b18b3aa3c13f6e25df0940ecbf61149697d825ad7ef2529828dc42f
Opcode Fuzzy Hash: be13a6caae0ef8293bbd37dc77a7d0b58ed560ebd308e13ab1dc2fb49f475186
Instruction Fuzzy Hash: 2EC16E71A00609DBDB00DBA9C845BAEF7F8EF45314F15826AE515E7391EB749D04CBA0

Function 00BD0570 Relevance: 4.8, APIs: 3, Instructions: 345fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,?,00000000,?,D02C6D11,?), ref: 00BD05E2
MoveFileW.KERNEL32(?,00000000), ref: 00BD0835
DeleteFileW.KERNEL32(?), ref: 00BD087F

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$DeleteMoveNameTemp
String ID:
API String ID: 788073729-0
Opcode ID: a915e911d6f5ac59c687f93cbd8fcd5db4f5cd162fff85bb1426106462818718
Instruction ID: 6bd87800b033a30284abf0c0a784317237d30c8d61c9089fb47ef7883e659c79
Opcode Fuzzy Hash: a915e911d6f5ac59c687f93cbd8fcd5db4f5cd162fff85bb1426106462818718
Instruction Fuzzy Hash: 9BF17870D25269DADB24EF28CC98B9DBBB0FF54304F1042D9D409A7291EB796B84CF91

Function 00BD01A0 Relevance: 4.8, APIs: 3, Instructions: 275fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,?,00000000,?,D02C6D11,?,00000004), ref: 00BD01FB
DeleteFileW.KERNEL32(?,?,00000004), ref: 00BD023E
CreateDirectoryW.KERNEL32(?,00000000,?,00000004), ref: 00BD024D

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$CreateDeleteDirectoryNameTemp
String ID:
API String ID: 2411147693-0
Opcode ID: 374d3365764b30e0a5971bafb54fd55fbdf95010ba45765cece5d883ad1b06a9
Instruction ID: 8a736f8b1ea0fb34f98b08d496b4a99c8ec7483251afb83be14a538ff5e6cc46
Opcode Fuzzy Hash: 374d3365764b30e0a5971bafb54fd55fbdf95010ba45765cece5d883ad1b06a9
Instruction Fuzzy Hash: 4AB17B70D102489BDB14DF68C899BEEBBB4EF54314F24429EE505A7391EB786A84CF90

Function 00D2F220 Relevance: 4.7, APIs: 3, Instructions: 214synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00D2F900: OpenEventW.KERNEL32(00000000,00000000,00000000,_pbl_evt,00000008,?,?,00E1BE58,00000001,D02C6D11,00000000), ref: 00D2F9AE
Part of subcall function 00D2F900: CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 00D2F9CB

WaitForSingleObject.KERNEL32(00000000,00000000,00000001,D02C6D11,?,00000000), ref: 00D2F26E
ResetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00DEB2E9,000000FF), ref: 00D2F283

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Event$CreateObjectOpenResetSingleWait
String ID:
API String ID: 2109722436-0
Opcode ID: cfa12c66b7f70a9ea9053d7e7919ebebc8976c075713aec8527ae5436c26cd08
Instruction ID: 6ee73d500299b555769d20d49e09032052ea0aa39b53f363c878bf615ce9b371
Opcode Fuzzy Hash: cfa12c66b7f70a9ea9053d7e7919ebebc8976c075713aec8527ae5436c26cd08
Instruction Fuzzy Hash: 31810471D00244DFDB00DFA8D845B9EBBB0FF55318F24856DE408AB391D7B5AA46CBA0

Function 00D8EA0C Relevance: 4.7, APIs: 3, Instructions: 202COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 00D8EBBB

Part of subcall function 00D8CA67: RtlAllocateHeap.NTDLL(00000000,00000000,00D8A813,?,00D8E9B8,?,00000000,?,00D7E5A5,00000000,00D8A813,?,?,?,?,00D8A60D), ref: 00D8CA99

__freea.LIBCMT ref: 00D8EBD0
__freea.LIBCMT ref: 00D8EBE0

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: d8f5f2d2db9107812b4161d8e95a16d67a742d8eb5469ac66f20fe3985cfa133
Instruction ID: 78306b471123210b6f05b4f2df5862ffa3c99bcafa902b9be1e980599c63dcac
Opcode Fuzzy Hash: d8f5f2d2db9107812b4161d8e95a16d67a742d8eb5469ac66f20fe3985cfa133
Instruction Fuzzy Hash: 0051AFB260021AAFEF25AFA4CC81EBB37A9EF44754F194128FD09D6151E670ED10DB70

Function 00CFD040 Relevance: 4.7, APIs: 3, Instructions: 183fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,D02C6D11,?,00000000,?,80004005,?,00000000), ref: 00CFD0DE
GetLastError.KERNEL32 ref: 00CFD116
GetLastError.KERNEL32(?), ref: 00CFD1AF

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID:
API String ID: 1722934493-0
Opcode ID: 50d08089604745da47e1624810e2ca575806926e61301ddd5c69f5e1c50d4475
Instruction ID: 16e2e6dd6075b9a70da5a2ec313400ea1790bb9646c7470f59bcf97882b905c0
Opcode Fuzzy Hash: 50d08089604745da47e1624810e2ca575806926e61301ddd5c69f5e1c50d4475
Instruction Fuzzy Hash: BA51D371A006099FDB10DF69CC45BAAF7F2FF45320F108669EA26D7390EB31A905CB91

Function 00D2C670 Relevance: 4.7, APIs: 3, Instructions: 181fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00D2D5B6,40000000,00000001,00000000,00000002,00000080,00000000,D02C6D11,?,00000001), ref: 00D2C6D2
WriteFile.KERNEL32(00000000,0000C800,0000C800,0000C800,00000000,?,0000C800), ref: 00D2C768
CloseHandle.KERNEL32(00000000,?,0000C800), ref: 00D2C7DC

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: edb28970841733a76c735c1d34d06dcda8b0b8beac1aac4e530445c5e61af615
Instruction ID: acbf2cc6fd4cedb6b2e2a158132a9ffbc71f2fb4daa8d5dc9059a918803e926d
Opcode Fuzzy Hash: edb28970841733a76c735c1d34d06dcda8b0b8beac1aac4e530445c5e61af615
Instruction Fuzzy Hash: E4516871A10219AFDB04DFA8DD45BEEBBB9FF48314F144259E810B7290DB75AD04CBA4

Function 00CD9470 Relevance: 4.6, APIs: 3, Instructions: 142fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,0000002A,00000000,?,D02C6D11), ref: 00CD94E0
DeleteFileW.KERNEL32(?,?,00000000,0000002A,00000000,?,D02C6D11), ref: 00CD957A
FindNextFileW.KERNEL32(?,?), ref: 00CD95BB

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$Delete$FindNext
String ID:
API String ID: 1410743141-0
Opcode ID: be99443201320928177722c801854490c4c650359028451065512090a444d2bc
Instruction ID: 2ad291793df8615d701d4a5c32dd51a2fdab724c82b65233532debe8dbdd0c5d
Opcode Fuzzy Hash: be99443201320928177722c801854490c4c650359028451065512090a444d2bc
Instruction Fuzzy Hash: A551A634901218DFDF25DF58D998BADB7B5EF04320F1442EAE92AA7391EB309E45CB50

Function 00CFBF40 Relevance: 4.6, APIs: 3, Instructions: 80COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00CFB881), ref: 00CFBF40
EnableWindow.USER32(?,00000000), ref: 00CFBFD1
DestroyWindow.USER32(?,?,?), ref: 00CFBFF7

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$DestroyEnableErrorLast
String ID:
API String ID: 2755773105-0
Opcode ID: 60c05c03f8cfd394993c1cfb17da3d96a1d36e5fa769463ed92d84bb631bfe0c
Instruction ID: 8084e047c3f7dec92e9be6929672377180ff72c7ea1492f50cf6fac349b09f53
Opcode Fuzzy Hash: 60c05c03f8cfd394993c1cfb17da3d96a1d36e5fa769463ed92d84bb631bfe0c
Instruction Fuzzy Hash: 4921D1B571010D9BD7209F18EC41BBAB794EB54320F004266F915C7391DB75ED61DBE2

Function 00CC4B40 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,lD,000000FF,00000000,00000000,?,?,00E0446C,00CEDD28,InstanceId,?,?,?,?), ref: 00CC4B58
MultiByteToWideChar.KERNEL32(00000003,00000000,lD,000000FF,?,-00000001,?,?,?,?), ref: 00CC4B8A

Strings

lD, xrefs: 00CC4B41, 00CC4B53, 00CC4B85

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: lD
API String ID: 626452242-4205136096
Opcode ID: 99590138f7ae066eba5db6e4616886f42e473c38610b2af49d4332450140db84
Instruction ID: f447df944a8e0fd0828faed07f4564226086833a3b1340b2a8af5755a5f4c6b6
Opcode Fuzzy Hash: 99590138f7ae066eba5db6e4616886f42e473c38610b2af49d4332450140db84
Instruction Fuzzy Hash: 2811C135300211AFD6149B58DCA8F6AB799EF84320F20816DF224972D0CA719D11CB60

Function 00D7FD83 Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00D7FD7D,?,00D79912,?,?,D02C6D11,00D79912,?), ref: 00D7FD94
TerminateProcess.KERNEL32(00000000,?,00D7FD7D,?,00D79912,?,?,D02C6D11,00D79912,?), ref: 00D7FD9B
ExitProcess.KERNEL32 ref: 00D7FDAD

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9e31dcbf6d11d1c5c4296b56f16ed3b35e5516ae15c1d7a0b83c8d7925a12870
Instruction ID: b40a3b5b2a035add7e4ad83f1a184182aa2dd58bcab5e0d387abc93d70a19ae4
Opcode Fuzzy Hash: 9e31dcbf6d11d1c5c4296b56f16ed3b35e5516ae15c1d7a0b83c8d7925a12870
Instruction Fuzzy Hash: 24D09E71400204BFCF652FA1EC1D9AD7F26EF44355B54C024B90D96131EF719992DA75

Function 00CDBB70 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,D02C6D11), ref: 00CDBD10

Part of subcall function 00CDBDD0: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,?,?,80004005), ref: 00CDBDDD

Strings

USERPROFILE, xrefs: 00CDBBBE

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$EnvironmentFolderHeapPathProcessSpecialVariable
String ID: USERPROFILE
API String ID: 1777821646-2419442777
Opcode ID: 23ccb7716e3a3fd382f33276f39c2ec8a7ba53d6ea65d8c4943f917d9232c322
Instruction ID: 501cfb7832742eb3bbfbeebb20eb25e6845518878356fd2ea9ed71d5025bb8b6
Opcode Fuzzy Hash: 23ccb7716e3a3fd382f33276f39c2ec8a7ba53d6ea65d8c4943f917d9232c322
Instruction Fuzzy Hash: EC618C71A00609DFDB14DF68C959BAEB7E5FF44310F11866EE92A9B391DB309E04CB90

Function 00D1A1A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,D02C6D11,?,00000010,?,?,00DE868E,000000FF), ref: 00D1A228

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

Part of subcall function 00D19FE0: ConnectNamedPipe.KERNEL32(?,00000000,D02C6D11,?,000000FF,?,?,00000000,00DE863E,000000FF,?,00D1A25A,000000FF,?,00000001), ref: 00D1A01C
Part of subcall function 00D19FE0: GetLastError.KERNEL32(?,?,00000000,00DE863E,000000FF,?,00D1A25A,000000FF,?,00000001), ref: 00D1A026

Strings

\\.\pipe\ToServer, xrefs: 00D1A2E4, 00D1A2F5, 00D1A2FF

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$ConnectErrorFileHeapLastNamedPipeProcessWrite
String ID: \\.\pipe\ToServer
API String ID: 3549655173-63420281
Opcode ID: 8208d786f65f989b03ccfb9ea89419ee9748b7bba26148da6b386033fe910342
Instruction ID: 7a6e0fd6b8dfaed2badd25b46d491ff762d80c972fdef52a83e81fdf3aa6bb0b
Opcode Fuzzy Hash: 8208d786f65f989b03ccfb9ea89419ee9748b7bba26148da6b386033fe910342
Instruction Fuzzy Hash: A241A171A05204EFDB04CF58D805BAEB7E8EF44714F14426EF815DB380DB76A944CBA4

Function 00D947BA Relevance: 3.2, APIs: 2, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 00D942EA: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 00D94315

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00D94601,?,00000000,?,?,?), ref: 00D9481B
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D94601,?,00000000,?,?,?), ref: 00D9485D

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: fbf291fb6ceef3bf0c070e9c8a8e4d33a67cdcb3250d745345178cd1e1931dff
Instruction ID: d4ba3a386509ffa8d354b4d7ae9de65cdcd8602b25981fcd778b1318da8ca416
Opcode Fuzzy Hash: fbf291fb6ceef3bf0c070e9c8a8e4d33a67cdcb3250d745345178cd1e1931dff
Instruction Fuzzy Hash: E551F371A007859EDF20CF75C891AABBBE9EF45300F18416ED09A9B252E6749947CBB0

Function 00D1F3D0 Relevance: 3.1, APIs: 2, Instructions: 129COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00D1F421
EndDialog.USER32(00000000,00000001), ref: 00D1F430

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: DialogWindow
String ID:
API String ID: 2634769047-0
Opcode ID: 84b3f02c6b77e2c496cbba4b7aa67658a2163dbc2e5c86cd96136249f695bc41
Instruction ID: b610cc0d2b9132613582d7929b7c4b920bca6e7ade1a3ae105142776d551f7bb
Opcode Fuzzy Hash: 84b3f02c6b77e2c496cbba4b7aa67658a2163dbc2e5c86cd96136249f695bc41
Instruction Fuzzy Hash: C451AC30A01745DFD721CF68C908B8AFBF4FF45310F1886A9D459DB2A1DB70AA44CBA1

Function 6CE798C0 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,24641EEC,00000002,?,24641EEC), ref: 6CE79923
DeleteCriticalSection.KERNEL32(?,24641EEC,00000002,?,24641EEC), ref: 6CE799B1

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: CloseCriticalDeleteHandleSection
String ID:
API String ID: 1370521891-0
Opcode ID: c57de869bb9ad97790e38003e48488026ccbe50ef33662ed139ffcaef80d4b5f
Instruction ID: ff2629947a1c0fc0a51bcf64c7228408bd4946d959fa078d8a8b8fc5bac30a64
Opcode Fuzzy Hash: c57de869bb9ad97790e38003e48488026ccbe50ef33662ed139ffcaef80d4b5f
Instruction Fuzzy Hash: 4C31B330A01645DFD701CF69C944B99FBF4FF46324F208299D84497B91D775AA09CBE1

Function 6CE880B0 Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000,24641EEC,?,24641EEC,6CEC170E,000000FF), ref: 6CE88100

Part of subcall function 6CE68270: GetProcessHeap.KERNEL32 ref: 6CE682CC

FreeLibrary.KERNEL32(00000000,?,80004005), ref: 6CE881BB

Part of subcall function 6CE69680: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,6CE88135,-00000010), ref: 6CE696B8

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: FindFolderFreeHeapLibraryPathProcessResourceSpecial
String ID:
API String ID: 584424649-0
Opcode ID: 3938902baed01f47e604e61ab336fd3a3c9e5ff9086819658554ee2a2b761e19
Instruction ID: d97d04ff3a44ae72f9931674fd25b6ebe5546aa070cda170eb4e89903b78d649
Opcode Fuzzy Hash: 3938902baed01f47e604e61ab336fd3a3c9e5ff9086819658554ee2a2b761e19
Instruction Fuzzy Hash: 4531A2716112059FEB24DF68C804BEE7BF8EF05718F20452EE859DBB81DB749A08CB91

Function 00C7C500 Relevance: 3.1, APIs: 2, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 00C7C54A
DestroyWindow.USER32(00000004,?,?,?,?,?,?,?,?,000000FF), ref: 00C7C557

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Destroy
String ID:
API String ID: 3707531092-0
Opcode ID: df6ff765da5004bcac80abc2c078a2a7cc1b45c44d7a45715f4f87fe815131ae
Instruction ID: 97912d647907cef4633424f792a8b7070b9baa46dcb824360c3ab5891c5b1e7e
Opcode Fuzzy Hash: df6ff765da5004bcac80abc2c078a2a7cc1b45c44d7a45715f4f87fe815131ae
Instruction Fuzzy Hash: 6F31BF70904689EFCB01DF69C909B8EFBF4FF11320F54829DE054A7691DB74AA18DB91

Function 00CDF130 Relevance: 3.0, APIs: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CDE740: LoadLibraryW.KERNEL32(ComCtl32.dll,D02C6D11,?,00000000,00000000), ref: 00CDE77E
Part of subcall function 00CDE740: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00CDE7A1
Part of subcall function 00CDE740: FreeLibrary.KERNEL32(00000000), ref: 00CDE81F

Part of subcall function 00CDE740: LoadImageW.USER32(?,?,00000001,00000000,00000000,?), ref: 00CDE801

SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00CDF174
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00CDF17F

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: LibraryLoadMessageSend$AddressFreeImageProc
String ID:
API String ID: 2968665230-0
Opcode ID: 0a9d401e86994bc218ea775a19a6f76e1b85da0d06242d3d42509dff9da88755
Instruction ID: ff06fdd0b02ebb29911a5b0ac57dcd07a570ca4604a02c5b675c8fe0541d9003
Opcode Fuzzy Hash: 0a9d401e86994bc218ea775a19a6f76e1b85da0d06242d3d42509dff9da88755
Instruction Fuzzy Hash: 86F0A9327806183BF660215A5C47F27B64DDB81B64F24426AFB98AF3C2ECC27C0003E9

Function 00D8E778 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

LCMapStringEx.KERNEL32(?,00D8EAFA,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00D8E7AC
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00D8EAFA,?,?,00000000,?,00000000), ref: 00D8E7CA

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: d23f3569ed1209623e5e4214b43d74046ac027298f40bfc800ad7881411e4fac
Instruction ID: 30d6f7992ba778f3655fd43213a47a15cbdbe379c0ff84ff5ae8734cd85d8173
Opcode Fuzzy Hash: d23f3569ed1209623e5e4214b43d74046ac027298f40bfc800ad7881411e4fac
Instruction Fuzzy Hash: 96F07A3250021ABBCF126F90DC05EEE7F26EF48360F058410FA18A5120C732D831EFA4

Function 00D8CA2D Relevance: 2.5, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,00000000,?,00D9593D,?,00000000,?,?,00D95BDE,?,00000007,?,?,00D96030,?,?), ref: 00D8CA43
GetLastError.KERNEL32(?,?,00D9593D,?,00000000,?,?,00D95BDE,?,00000007,?,?,00D96030,?,?), ref: 00D8CA4E

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: af333028b1042874913c63f1d8642158ae284aaeb8b2be06dabb09f0663d7d06
Instruction ID: cc6ec786e8797c419a11a3bb35831706a113b66d08ba1bc3fba6d735110f8f16
Opcode Fuzzy Hash: af333028b1042874913c63f1d8642158ae284aaeb8b2be06dabb09f0663d7d06
Instruction Fuzzy Hash: 86E0B632500228EADB157BA5AC19B99BB99AB40761F158060F60896160EA358950DBB4

Function 00D01C20 Relevance: 1.7, APIs: 1, Instructions: 214fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,00CF676B,?), ref: 00D01C4B

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: cf31ed6cea950b61293ddd526dee96c810495a5f85c9ddc243f86f1550ef5778
Instruction ID: 18a043cf577eee9ade8620e814edda92f49749839c8c9d5269e1ed24ef192284
Opcode Fuzzy Hash: cf31ed6cea950b61293ddd526dee96c810495a5f85c9ddc243f86f1550ef5778
Instruction Fuzzy Hash: FB51D276A006159FDB10DF58D885BADF7A4FF05710F148669E919DB381EB71AC40CBB0

Function 00D1EB70 Relevance: 1.7, APIs: 1, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8fed04873abb5b82fbb4b43f6ef391d37c0d1d1438a28c72834fb5fa009178
Instruction ID: 0fa108c6e332825576fe4bc995a5b40c1eb78392ef821dbde2cbb2e9cec4959d
Opcode Fuzzy Hash: 4f8fed04873abb5b82fbb4b43f6ef391d37c0d1d1438a28c72834fb5fa009178
Instruction Fuzzy Hash: 76619171600615AFDB10DF69E884EAAB7A5FF44710F094269ED159B361DB30EC41CBB0

Function 00D943BE Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,00D9460D,00D94601,00000000), ref: 00D943F0

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 460867a7cb5cf7672239b921c41286451d0918b128647724523cfc297c676b4e
Instruction ID: b55c5d1c5e5289ec9d408ecb49500f2bbc899f06a06650a82ee247a91aa4526f
Opcode Fuzzy Hash: 460867a7cb5cf7672239b921c41286451d0918b128647724523cfc297c676b4e
Instruction Fuzzy Hash: 045136715042589BDF218A68CD80FEA7BECEB55304F2405E9E59AC7143D270AD46CF30

Function 00D02F70 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,00D030A0,?), ref: 00D02FBB

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: EnumLanguagesResource
String ID:
API String ID: 4141015960-0
Opcode ID: 1cf064fa941ee5133dab1d29d4fb81bcb130aae1e075e9c787bf8ad63b8c585c
Instruction ID: abc8a7c5ca6017bd2501a51bc8f7e4eacd4eab5efa6626fa2922324291e0089c
Opcode Fuzzy Hash: 1cf064fa941ee5133dab1d29d4fb81bcb130aae1e075e9c787bf8ad63b8c585c
Instruction Fuzzy Hash: 2941937190024A9FDB10DF58C885BDEFBF8FF48714F10465AE425A76C1DBB6AA44CBA0

Function 00D1ECE0 Relevance: 1.6, APIs: 1, Instructions: 83synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,D02C6D11,?,?,80004005,D02C6D11,?,?,00000000), ref: 00D1ECF2

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: c85f7d0be64aa762663cd4be94ca4b109f642727667b226fdaa9c025406103ed
Instruction ID: 97fb37578a1f6fedc72ddc058ace083d8a533cd901c036024d1c542f0ded8ee1
Opcode Fuzzy Hash: c85f7d0be64aa762663cd4be94ca4b109f642727667b226fdaa9c025406103ed
Instruction Fuzzy Hash: 3821D531700A36BFC720AF98F984E96F7A9EF14710B068125EE1597261DF60EC9187F1

Function 00BC92A0 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00BC90A0: FindResourceExW.KERNEL32(00000000,00000006,00000001,00000000,00000000,D02C6D11,?,00000001,00000000,00000001,00000000,00D9CB30,000000FF,?,00BC92B0), ref: 00BC90F6

FindResourceW.KERNEL32(00000000,?,00000006,?,?,00000000,8007000E,80004005,00CD06A6,00000000,00000002,00000001,?,?,80070057,?), ref: 00BC92C3

Part of subcall function 00BC9160: LoadResource.KERNEL32(00000000,00000000,D02C6D11,00000001,00000000,00000001,00000000,00D9C480,000000FF,BC9219EC,00BC910C,?,?,00000001,00000000,00000001), ref: 00BC918B
Part of subcall function 00BC9160: LockResource.KERNEL32(00000000,?,00000001,00000000,00000001,00000000,00D9CB30,000000FF,?,00BC92B0,?,?,00000000,8007000E,80004005,00CD06A6), ref: 00BC9196
Part of subcall function 00BC9160: SizeofResource.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00D9CB30,000000FF,?,00BC92B0,?,?,00000000,8007000E,80004005), ref: 00BC91A4

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Resource$Find$LoadLockSizeof
String ID:
API String ID: 3127896203-0
Opcode ID: cacafc2770dcdf9b4243ec50200743211f580f57bd35304f98d2f73b5c86bceb
Instruction ID: 854cc67fc48ac98c475564ed5438cdcfb4065c891aa2219177ff5f10d8a1ac38
Opcode Fuzzy Hash: cacafc2770dcdf9b4243ec50200743211f580f57bd35304f98d2f73b5c86bceb
Instruction Fuzzy Hash: BC118F71300165ABE7149B69D889E7BB3DDEF84310B1480AEF545DB241DB769C12C7A4

Function 00CE0100 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00CE0370: __Init_thread_footer.LIBCMT ref: 00CE03E6

Part of subcall function 00D74BA2: EnterCriticalSection.KERNEL32(00E87FD8,?,D02C6D11,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11,?,?), ref: 00D74BAD
Part of subcall function 00D74BA2: LeaveCriticalSection.KERNEL32(00E87FD8,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11,?,?,00000000), ref: 00D74BEA

__Init_thread_footer.LIBCMT ref: 00CE01E0

Part of subcall function 00D74B58: EnterCriticalSection.KERNEL32(00E87FD8,D02C6D11,?,00BC9DD7,00E88C04,00DF7520), ref: 00D74B62
Part of subcall function 00D74B58: LeaveCriticalSection.KERNEL32(00E87FD8,?,00BC9DD7,00E88C04,00DF7520), ref: 00D74B95
Part of subcall function 00D74B58: RtlWakeAllConditionVariable.NTDLL ref: 00D74C0C

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionVariableWake
String ID:
API String ID: 984842325-0
Opcode ID: 4083c58fd174de431e03005ab2f23fd64c82c877774e7eb2fa88424aa4628bb6
Instruction ID: 1d1d4fce8fd8ebf646c81ecd46bb0b75c60af43d7efb90121c5140b1ede0d75f
Opcode Fuzzy Hash: 4083c58fd174de431e03005ab2f23fd64c82c877774e7eb2fa88424aa4628bb6
Instruction Fuzzy Hash: 1D310370D40680DFD714DF02EC82B69B3E0F700714F248658E42A6B792E3B2A948CB94

Function 00BC90A0 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00D73F72: EnterCriticalSection.KERNEL32(00E87F5C,?,00000001,BC9219EC,00BC90D7,00000000,D02C6D11,?,00000001,00000000,00000001,00000000,00D9CB30,000000FF,?,00BC92B0), ref: 00D73F7D
Part of subcall function 00D73F72: LeaveCriticalSection.KERNEL32(00E87F5C,?,00000001,BC9219EC,00BC90D7,00000000,D02C6D11,?,00000001,00000000,00000001,00000000,00D9CB30,000000FF,?,00BC92B0), ref: 00D73FA9

FindResourceExW.KERNEL32(00000000,00000006,00000001,00000000,00000000,D02C6D11,?,00000001,00000000,00000001,00000000,00D9CB30,000000FF,?,00BC92B0), ref: 00BC90F6

Part of subcall function 00BC9160: LoadResource.KERNEL32(00000000,00000000,D02C6D11,00000001,00000000,00000001,00000000,00D9C480,000000FF,BC9219EC,00BC910C,?,?,00000001,00000000,00000001), ref: 00BC918B
Part of subcall function 00BC9160: LockResource.KERNEL32(00000000,?,00000001,00000000,00000001,00000000,00D9CB30,000000FF,?,00BC92B0,?,?,00000000,8007000E,80004005,00CD06A6), ref: 00BC9196
Part of subcall function 00BC9160: SizeofResource.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00D9CB30,000000FF,?,00BC92B0,?,?,00000000,8007000E,80004005), ref: 00BC91A4

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Resource$CriticalSection$EnterFindLeaveLoadLockSizeof
String ID:
API String ID: 529824247-0
Opcode ID: f9216a18f14546b8b2ab9f619d3319aef0270064fa92e047a605c76a52de11d6
Instruction ID: e74d52590f7838a4253ef21941efb19bb682c0859963603af10b78bc4be93e95
Opcode Fuzzy Hash: f9216a18f14546b8b2ab9f619d3319aef0270064fa92e047a605c76a52de11d6
Instruction Fuzzy Hash: E711EB32F046146FE7254B59AC46F7AF3E8EB44760F1402BEF909E3380EA359D0082A0

Function 00CD9390 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00CD9470: DeleteFileW.KERNEL32(00000000,0000002A,00000000,?,D02C6D11), ref: 00CD94E0

RemoveDirectoryW.KERNEL32(00000000,?,D02C6D11,?,?,00000000,00000000,?,00000000,00DDBD13,000000FF,?,C000008C), ref: 00CD93EE

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: DeleteDirectoryFileRemove
String ID:
API String ID: 3325800564-0
Opcode ID: b8ecedcc2179559c2c095785e845f21dc72ebc9b04ee9d5c409d2392e21224b7
Instruction ID: 825c43825c6901afc1e8cd6384ae8ab298d0e22d9224af7b72b37ee7531d6d02
Opcode Fuzzy Hash: b8ecedcc2179559c2c095785e845f21dc72ebc9b04ee9d5c409d2392e21224b7
Instruction Fuzzy Hash: 5721B675900204CFCB24DF58C484B9EF7B4FB08320F4546AAE9396B392DB309D05CB90

Function 00CDA7B0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00CDA7E9

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: _wcsrchr
String ID:
API String ID: 1752292252-0
Opcode ID: cc2e3b468dff3ceee76da29b26a581d0404e2f406798ca723f9d865b238e6257
Instruction ID: b3536bfdf88728779e653e1ada76f1874d590272fa89a9e9db258ad9d23436b5
Opcode Fuzzy Hash: cc2e3b468dff3ceee76da29b26a581d0404e2f406798ca723f9d865b238e6257
Instruction Fuzzy Hash: ED11C471A00205EFDB10DF59CC05BAEBBE8EF44715F10456FE915D7380DBB1A9048BA5

Function 00CC0A10 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00D74BA2: EnterCriticalSection.KERNEL32(00E87FD8,?,D02C6D11,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11,?,?), ref: 00D74BAD
Part of subcall function 00D74BA2: LeaveCriticalSection.KERNEL32(00E87FD8,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11,?,?,00000000), ref: 00D74BEA

__Init_thread_footer.LIBCMT ref: 00CC0A82

Part of subcall function 00D74B58: EnterCriticalSection.KERNEL32(00E87FD8,D02C6D11,?,00BC9DD7,00E88C04,00DF7520), ref: 00D74B62
Part of subcall function 00D74B58: LeaveCriticalSection.KERNEL32(00E87FD8,?,00BC9DD7,00E88C04,00DF7520), ref: 00D74B95
Part of subcall function 00D74B58: RtlWakeAllConditionVariable.NTDLL ref: 00D74C0C

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID:
API String ID: 2296764815-0
Opcode ID: ff17b145c53bd56fb5007dad61bc64868475135bd7ec9f06df6ec09eac53fee5
Instruction ID: 4e28cae44b3e4e42820963e9d05f59fd160f8f7cf19b7ee51a057ab501b2083c
Opcode Fuzzy Hash: ff17b145c53bd56fb5007dad61bc64868475135bd7ec9f06df6ec09eac53fee5
Instruction Fuzzy Hash: FF01B1B1E44644DFC714DB58E982B58B3A4E748720F144369E83DB33C2D739A9059B22

Function 00CE0370 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00D74BA2: EnterCriticalSection.KERNEL32(00E87FD8,?,D02C6D11,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11,?,?), ref: 00D74BAD
Part of subcall function 00D74BA2: LeaveCriticalSection.KERNEL32(00E87FD8,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11,?,?,00000000), ref: 00D74BEA

Part of subcall function 00CE0410: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00CE047E
Part of subcall function 00CE0410: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00CE04C5
Part of subcall function 00CE0410: RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00CE04E4
Part of subcall function 00CE0410: RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00CE0513
Part of subcall function 00CE0410: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00CE0588

__Init_thread_footer.LIBCMT ref: 00CE03E6

Part of subcall function 00D74B58: EnterCriticalSection.KERNEL32(00E87FD8,D02C6D11,?,00BC9DD7,00E88C04,00DF7520), ref: 00D74B62
Part of subcall function 00D74B58: LeaveCriticalSection.KERNEL32(00E87FD8,?,00BC9DD7,00E88C04,00DF7520), ref: 00D74B95
Part of subcall function 00D74B58: RtlWakeAllConditionVariable.NTDLL ref: 00D74C0C

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalQuerySectionValue$EnterLeave$ConditionInit_thread_footerOpenVariableWake
String ID:
API String ID: 3563064969-0
Opcode ID: 8f2cc431e52bdae912e6be75cd9381602abeb0ce03171b9ef688bd28a8f2e4cd
Instruction ID: cd0ff2d44cdb483303bbafb38f81bea7d8cb0f0ebeb54b0c1e2499b4651cebd3
Opcode Fuzzy Hash: 8f2cc431e52bdae912e6be75cd9381602abeb0ce03171b9ef688bd28a8f2e4cd
Instruction Fuzzy Hash: 2201F271E44785DFC715EF69DD42B29B3A4E705B20F204369E92DA73C2D770A904CBA1

Function 00BC9980 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D7641A: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,80004005,D02C6D11,?,?,00000000), ref: 00D7647A

RtlAllocateHeap.NTDLL(?,00000000,?,D02C6D11,00000000,00D9C6B0,000000FF,?,?,00E7C42C,00000000,00D1ECDB,80004005,D02C6D11,?,?), ref: 00BC99CA

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID:
API String ID: 3789339297-0
Opcode ID: 7d3c8fb6c464c28b6216eab87f5fe9bdecbc2e73f031d3146456f302c0318947
Instruction ID: 1b3ac0e70c4a56c11e36dcf004a25d4e2e69036238e9092f7becd51a574d7074
Opcode Fuzzy Hash: 7d3c8fb6c464c28b6216eab87f5fe9bdecbc2e73f031d3146456f302c0318947
Instruction Fuzzy Hash: 82F08271A48648BFC7059F54DC02F59BBA8E708B10F10856DB919D6690EB35A800CA54

Function 00D8CA67 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00D8A813,?,00D8E9B8,?,00000000,?,00D7E5A5,00000000,00D8A813,?,?,?,?,00D8A60D), ref: 00D8CA99

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5213d1528b3a9675478ba635973fa67e91426c0af512343f0fc65cfffd7bf3a9
Instruction ID: 0e273a27cfae3e7a0799eea47beec789e2c8ec8ac2e0aa262defac33d60bcd06
Opcode Fuzzy Hash: 5213d1528b3a9675478ba635973fa67e91426c0af512343f0fc65cfffd7bf3a9
Instruction Fuzzy Hash: 79E0ED31620629EAEA25B725AC06B6A768AEB423E0F192121BC5592080EE31CC0083B8

Function 6CE67FA0 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,24641EEC,?,Function_0006ED80,000000FF), ref: 6CE67FCF

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1df09942aa56447e9d4313c3055168834f9b7754b1f43779cef2a5d8eb50f8ab
Instruction ID: 783da6c78a6d2fb1a5b9565ecb9d319326fb330216f5a8b1b78bf138f9a73a20
Opcode Fuzzy Hash: 1df09942aa56447e9d4313c3055168834f9b7754b1f43779cef2a5d8eb50f8ab
Instruction Fuzzy Hash: F5E06D71644548AFD700CF54DC41F16BBB8E709B20F10862AF815D7B80D735A8008A90

Function 00D8A77B Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D8A782

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: f06a28b445ba0da364f91f6a4a365ea337ec2994889f6f676ef58c63ae73dda6
Instruction ID: 3d2c5b8b7cc3127e9d87688f3efb4b1348c851aa1d21772019071f198aca3857
Opcode Fuzzy Hash: f06a28b445ba0da364f91f6a4a365ea337ec2994889f6f676ef58c63ae73dda6
Instruction Fuzzy Hash: 22E01A72D0020E9EEB00DFE4C442BEFBBB8EB04300F908026E608E6140EB7453848BF2

Function 6CE9DE24 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CE9DE2B

Memory Dump Source

Source File: 00000000.00000002.1918437026.000000006CE41000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CE40000, based on PE: true

Associated: 00000000.00000002.1918408888.000000006CE40000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918506888.000000006CEC4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918553052.000000006CEEF000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.1918586749.000000006CEFB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce40000_ZwmyzMxFKL.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 76809455e72407caffcf521ce920ba5e3304b78e5037cd68b25626f5d52ddeaa
Instruction ID: cac0f09d736574cf9251f35da2e263ce0e205a17a3f5a9d82908458ee6a9fecf
Opcode Fuzzy Hash: 76809455e72407caffcf521ce920ba5e3304b78e5037cd68b25626f5d52ddeaa
Instruction Fuzzy Hash: 27E09A76D4024D9ADB01DFD4C546BEFB7B8AB08304F60412A9215E7640EB789748CBA1

Function 00D199C0 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,D02C6D11,?,?,00000000,00DE83F3,000000FF,?,00CF6831,?), ref: 00D199F9

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8eae14bdee188a530b21ec459d0859ed54d05ff01a465045216389634c0848a4
Instruction ID: e51086ced5bca14eb5df463a31b3e04de80be7642a70b8db2f182f388965f430
Opcode Fuzzy Hash: 8eae14bdee188a530b21ec459d0859ed54d05ff01a465045216389634c0848a4
Instruction Fuzzy Hash: F2115A71804A45EFD710CF68C944B9AFBF8FB05730F14876AE429D76E0EB75A9048B90

Non-executed Functions

Function 00BC3010 Relevance: 435.0, Strings: 346, Instructions: 2486COMMON

Download Yara Rule

Strings

87, xrefs: 00BC4AAA
PK, xrefs: 00BC5C06
pH, xrefs: 00BC5984
InstallValidate, xrefs: 00BC398E
ODBCTranslator, xrefs: 00BC426B, 00BC5378
FileSize, xrefs: 00BC4C8E
FileCost, xrefs: 00BC35E4
TypeLib, xrefs: 00BC5484
@*, xrefs: 00BC3F42
6, xrefs: 00BC49BA
P9, xrefs: 00BC4C89
9, xrefs: 00BC4D0F
., xrefs: 00BC42B3
XH, xrefs: 00BC5971
Font, xrefs: 00BC4377, 00BC5275
P/, xrefs: 00BC43BF
PublishComponent, xrefs: 00BC3EC1, 00BC579F
., xrefs: 00BC435F
UnregisterComPlus, xrefs: 00BC40B3
File, xrefs: 00BC3668, 00BC49BF, 00BC4C4F
`E, xrefs: 00BC56EE
h', xrefs: 00BC388C
PublishComponents, xrefs: 00BC5779
Feature, xrefs: 00BC3F47, 00BC58A2
InstallServices, xrefs: 00BC55E7
0C, xrefs: 00BC5505
RemoveFolders, xrefs: 00BC4A9C
p-, xrefs: 00BC421A
MsiConfigureServices, xrefs: 00BC566D, 00BC5693
120000, xrefs: 00BC481A
1, xrefs: 00BC45FD
E, xrefs: 00BC5761
pJ, xrefs: 00BC5B33
02, xrefs: 00BC464A
Component_, xrefs: 00BC3ED4, 00BC3FE0, 00BC4075, 00BC40EC, 00BC41F8, 00BC427E, 00BC4318, 00BC4410, 00BC4496, 00BC4734, 00BC47BA, 00BC4840, 00BC48C6, 00BC494C, 00BC49D2, 00BC4AD5, 00BC4B5B, 00BC4BE1, 00BC4C67, 00BC4D73, 00BC4E76, 00BC50F6, 00BC517C, 00BC5202, 00BC5305, 00BC538B, 00BC5416, 00BC5497, 00BC559A, 00BC5620, 00BC56B5, 00BC572C, 00BC57B2
8-, xrefs: 00BC41E0
p?, xrefs: 00BC51C4
@, xrefs: 00BC525D
(+, xrefs: 00BC4015
8000, xrefs: 00BC414C, 00BC4364, 00BC5262, 00BC54F7
HN, xrefs: 00BC5E77
00, xrefs: 00BC447E
hT, xrefs: 00BC6391
AI_UninstallAccounts, xrefs: 00BC5D82
AI_XmlAttribute, xrefs: 00BC5CAE, 00BC6211
UnregisterClassInfo, xrefs: 00BC44E3
8&, xrefs: 00BC34C8
AI_GxUninstall, xrefs: 00BC5EF9
AI_UninstallTasks, xrefs: 00BC5E7C
800, xrefs: 00BC39DD
hA, xrefs: 00BC5373
N, xrefs: 00BC5EF4
%, xrefs: 00BC314D
/, xrefs: 00BC4445
ODBCDataSource, xrefs: 00BC41E5, 00BC52F2
0O, xrefs: 00BC5F35
H:, xrefs: 00BC4D5B
8., xrefs: 00BC42C6
RemoveODBC, xrefs: 00BC41BF, 00BC4245, 00BC42CB
H<, xrefs: 00BC4F15
8B, xrefs: 00BC5433
InstallInitialize, xrefs: 00BC58F9
AI_UserGroups, xrefs: 00BC5E25, 00BC6019
@H, xrefs: 00BC595E
P%, xrefs: 00BC3220
AI_UninstallGroups, xrefs: 00BC5DFF
RegisterFonts, xrefs: 00BC524F
/, xrefs: 00BC4385
HE, xrefs: 00BC56DB
12000, xrefs: 00BC41D2, 00BC4258, 00BC42DE, 00BC4926, 00BC49AC, 00BC4A32, 00BC4AAF, 00BC4B35, 00BC4E50, 00BC52DF, 00BC5365, 00BC53EB
InstallFiles, xrefs: 00BC4C2E
`F, xrefs: 00BC57D4
XQ, xrefs: 00BC60FB
Feature_, xrefs: 00BC3DF0, 00BC45A2, 00BC4F77, 00BC5836, 00BC5A2C, 00BC5AB2, 00BC5B38, 00BC5BBE
Environment, xrefs: 00BC48B3, 00BC51EF
p5, xrefs: 00BC4921
(4, xrefs: 00BC4802
RemoveIniFile, xrefs: 00BC4721
', xrefs: 00BC3A13
CostFinalize, xrefs: 00BC37AC
T, xrefs: 00BC635D
SelfRegModules, xrefs: 00BC54E4
0N, xrefs: 00BC5E64
p7, xrefs: 00BC4AD0
:, xrefs: 00BC4DE1
BindImage, xrefs: 00BC4DC0, 00BC4DE6
RemoveRegistry, xrefs: 00BC4483
8%, xrefs: 00BC319B
x<, xrefs: 00BC4F3B
hM, xrefs: 00BC5DBE
WriteRegistryValues, xrefs: 00BC50BD
H;, xrefs: 00BC4E38
0, xrefs: 00BC4517
8@, xrefs: 00BC5270
~, xrefs: 00BC5B69
A, xrefs: 00BC533A
X>, xrefs: 00BC50CB
AI_InstallPostPrerequisite, xrefs: 00BC5B85
A, xrefs: 00BC53E6
h:, xrefs: 00BC4D6E
`2, xrefs: 00BC4670
DuplicateFile, xrefs: 00BC4939, 00BC4D60
0', xrefs: 00BC37E2
J, xrefs: 00BC5BA6
RegisterProgIdInfo, xrefs: 00BC4FBD
@R, xrefs: 00BC61C5
$, xrefs: 00BC30A6
Complus, xrefs: 00BC40D9, 00BC5587
SelfReg, xrefs: 00BC415F, 00BC550A
8S, xrefs: 00BC6297
8, xrefs: 00BC4C29
P&, xrefs: 00BC3514
P., xrefs: 00BC42D9
RemoveExistingProducts, xrefs: 00BC3034
UnregisterProgIdInfo, xrefs: 00BC45EF
RemoveRegistryValues, xrefs: 00BC43D7, 00BC445D
X6, xrefs: 00BC49F4
;, xrefs: 00BC4EBE
@?, xrefs: 00BC519E
@6, xrefs: 00BC49CD
p,, xrefs: 00BC4134
Extension, xrefs: 00BC458F, 00BC4F66
5000, xrefs: 00BC4DD3
B, xrefs: 00BC54CC
`N, xrefs: 00BC5E8A
(R, xrefs: 00BC619E
UnpublishFeatures, xrefs: 00BC3F1C
`<, xrefs: 00BC4F28
X?, xrefs: 00BC51B1
PC, xrefs: 00BC5520
(5, xrefs: 00BC48E8
StartServices, xrefs: 00BC56F3
C, xrefs: 00BC5595
3000000, xrefs: 00BC51DC
Location, xrefs: 00BC5A53, 00BC5AD9
0), xrefs: 00BC3E31
6000, xrefs: 00BC50D0
RemoveFile, xrefs: 00BC4A45
XS, xrefs: 00BC62B2
0E, xrefs: 00BC56C8
PL, xrefs: 00BC5CDA
(Q, xrefs: 00BC60D5
@I, xrefs: 00BC5A27
8J, xrefs: 00BC5B0D
(,, xrefs: 00BC40E7
P8, xrefs: 00BC4BA3
h9, xrefs: 00BC4C9C
(=, xrefs: 00BC4FCB
X,, xrefs: 00BC4121
CreateFolders, xrefs: 00BC4B22
P0, xrefs: 00BC4491
x(, xrefs: 00BC3BF5
AI_PreRequisite, xrefs: 00BC5A19, 00BC5A9F, 00BC5B25, 00BC5BAB
Component, xrefs: 00BC3486, 00BC384A, 00BC3A2C, 00BC3C0E
1500000, xrefs: 00BC55FA
100, xrefs: 00BC4CC7, 00BC4FD0, 00BC5F0C
7, xrefs: 00BC4A97
O, xrefs: 00BC5FC8
p+, xrefs: 00BC404E
AI_GxInstall, xrefs: 00BC5D05
10000, xrefs: 00BC578C, 00BC6383
89, xrefs: 00BC4C62
h/, xrefs: 00BC43D2
8L, xrefs: 00BC5CC4
AI_AppSearchEx, xrefs: 00BC5F76, 00BC5F9C
P7, xrefs: 00BC4ABD
xG, xrefs: 00BC58B8
UnpublishComponents, xrefs: 00BC3E9B
MsiPublishAssemblies, xrefs: 00BC57FF
&, xrefs: 00BC36F6
PB, xrefs: 00BC5446
MoveFiles, xrefs: 00BC4BA8
pQ, xrefs: 00BC610E
PA, xrefs: 00BC5360
(, xrefs: 00BC3D39
J, xrefs: 00BC5AFA
`P, xrefs: 00BC602F
(3, xrefs: 00BC471C
UnregisterExtensionInfo, xrefs: 00BC4569
xE, xrefs: 00BC5701
AI_DefaultActionCost, xrefs: 00BC6370
RemoveShortcuts, xrefs: 00BC4807
Options, xrefs: 00BC5B5F, 00BC5BE0
InstallODBC, xrefs: 00BC52CC, 00BC5352, 00BC53D8
AI_ProcessGroups, xrefs: 00BC5FF3
0<, xrefs: 00BC4EFF
RegisterComPlus, xrefs: 00BC555C
HF, xrefs: 00BC57AD
CostInitialize, xrefs: 00BC33FD
SelfUnregModules, xrefs: 00BC4139
RemoveIniValues, xrefs: 00BC46FB, 00BC4781
X+, xrefs: 00BC403B
MsiUnpublishAssemblies, xrefs: 00BC3D52
(P, xrefs: 00BC6001
H3, xrefs: 00BC472F
(F, xrefs: 00BC579A
AI_InstallPrerequisite, xrefs: 00BC5AFF
AI_ProcessAccounts, xrefs: 00BC6070
xP, xrefs: 00BC6045
1500, xrefs: 00BC4709, 00BC4794, 00BC5C9B, 00BC6203
UnregisterMIMEInfo, xrefs: 00BC4675
xO, xrefs: 00BC5F71
x*, xrefs: 00BC3F7C
UnregisterFonts, xrefs: 00BC4351
@+, xrefs: 00BC4028
3, xrefs: 00BC47B5
B, xrefs: 00BC541B
(H, xrefs: 00BC594B
@=, xrefs: 00BC4FDE
H1, xrefs: 00BC4577
@G, xrefs: 00BC588A
hB, xrefs: 00BC5459
xF, xrefs: 00BC57E7
(?, xrefs: 00BC5177
IniFile, xrefs: 00BC47A7, 00BC5169
x;, xrefs: 00BC4E5E
RegisterExtensionInfo, xrefs: 00BC4F40
AI_CountRowAction, xrefs: 00BC62F3
200000, xrefs: 00BC590C
(>, xrefs: 00BC50A2
HD, xrefs: 00BC55F5
88, xrefs: 00BC4B90
Shortcut, xrefs: 00BC482D, 00BC4E63
30000, xrefs: 00BC3DA1, 00BC5156, 00BC5812
(*, xrefs: 00BC3F2F
PublishFeatures, xrefs: 00BC587C
2000, xrefs: 00BC3255, 00BC5D18, 00BC5D95, 00BC5E12, 00BC5E8F, 00BC6006, 00BC6083, 00BC6100
h., xrefs: 00BC42EC
AI_UserAccounts, xrefs: 00BC5DA8, 00BC6096
M, xrefs: 00BC5E20
AI_XmlInstall, xrefs: 00BC5C0B, 00BC5C88
@,, xrefs: 00BC410E
InstallFinalize, xrefs: 00BC5976
K, xrefs: 00BC5C83
AppId, xrefs: 00BC4509, 00BC4EE9
pI, xrefs: 00BC5A61
XI, xrefs: 00BC5A4E
RegisterTypeLibraries, xrefs: 00BC545E
Registry, xrefs: 00BC43FD, 00BC50E3
AI_XmlUninstall, xrefs: 00BC616A, 00BC61F0
X-, xrefs: 00BC41F3
p6, xrefs: 00BC4A07
`;, xrefs: 00BC4E4B
AI_ProcessTasks, xrefs: 00BC60ED
%, xrefs: 00BC3402
RemoveDuplicateFiles, xrefs: 00BC4913
Patch, xrefs: 00BC4CDA
p>, xrefs: 00BC50DE
hK, xrefs: 00BC5C19
100000, xrefs: 00BC5989
AI_XmlElement, xrefs: 00BC5C31, 00BC6190
x2, xrefs: 00BC4683
I, xrefs: 00BC5A14
RegisterClassInfo, xrefs: 00BC4EC3
h&, xrefs: 00BC3562
F, xrefs: 00BC583B
CreateShortcuts, xrefs: 00BC4E3D
ServiceControl, xrefs: 00BC3FCD, 00BC4053, 00BC5719
1800, xrefs: 00BC5C1E, 00BC617D
`O, xrefs: 00BC5F5E
RemoveFiles, xrefs: 00BC4999, 00BC4A1F
0;, xrefs: 00BC4E25
p@, xrefs: 00BC52A1
`D, xrefs: 00BC5608
hL, xrefs: 00BC5CED
X@, xrefs: 00BC528B
h%, xrefs: 00BC323C
StopServices, xrefs: 00BC3FA7, 00BC402D
AI_ChainProductsPseudo, xrefs: 00BC6276
(G, xrefs: 00BC5877
PatchSize, xrefs: 00BC4D14
PatchFiles, xrefs: 00BC4CB4
ODBCDriver, xrefs: 00BC42F1, 00BC53FE
`), xrefs: 00BC3E83
8T, xrefs: 00BC636B
H', xrefs: 00BC3831
S, xrefs: 00BC6284
xN, xrefs: 00BC5E9D
CreateFolder, xrefs: 00BC4AC2, 00BC4B48
AI_DownloadPrereq, xrefs: 00BC59F3
HM, xrefs: 00BC5DA3
`*, xrefs: 00BC3F55
pR, xrefs: 00BC61EB
8K, xrefs: 00BC5BF3
3000, xrefs: 00BC3BBF, 00BC3EAE, 00BC3F34, 00BC40C6, 00BC43EA, 00BC4470, 00BC44F6, 00BC457C, 00BC4602, 00BC4688, 00BC48A0, 00BC4ED6, 00BC504D, 00BC5471, 00BC5574
AI_Game, xrefs: 00BC5D2B, 00BC5F1F
H2, xrefs: 00BC465D
`3, xrefs: 00BC4756
PJ, xrefs: 00BC5B20
XR, xrefs: 00BC61D8
-, xrefs: 00BC41CD
7, xrefs: 00BC4B43
x3, xrefs: 00BC4769
DuplicateFiles, xrefs: 00BC4D3A
RemoveEnvironmentStrings, xrefs: 00BC488D
HO, xrefs: 00BC5F4B
20000, xrefs: 00BC5706
XG, xrefs: 00BC589D
`(, xrefs: 00BC3BB0
WriteEnvironmentStrings, xrefs: 00BC51C9
AppSearch, xrefs: 00BC321B, 00BC32A4
AI_ExtractPrereq, xrefs: 00BC5A79
x4, xrefs: 00BC483B
@4, xrefs: 00BC4815
hC, xrefs: 00BC5536
ProgId, xrefs: 00BC4615, 00BC4FE3
x), xrefs: 00BC3E96
0M, xrefs: 00BC5D90
), xrefs: 00BC3EF6
K, xrefs: 00BC5BE5
01, xrefs: 00BC4564
X4, xrefs: 00BC4828
RegisterMIMEInfo, xrefs: 00BC503A
<, xrefs: 00BC4F92
8/, xrefs: 00BC43AC
MoveFile, xrefs: 00BC4BCE
MsiAssembly, xrefs: 00BC5825
MIME, xrefs: 00BC469B, 00BC5060
@P, xrefs: 00BC6014
0(, xrefs: 00BC3B08
15000, xrefs: 00BC3FBA, 00BC4040, 00BC4BBB, 00BC4D4D, 00BC4F53, 00BC5680, 00BC588F
0D, xrefs: 00BC55E2
`1, xrefs: 00BC458A
X5, xrefs: 00BC490E
PT, xrefs: 00BC637E
0:, xrefs: 00BC4D48
8A, xrefs: 00BC534D
500, xrefs: 00BC5F89
ServiceInstall, xrefs: 00BC560D
`=, xrefs: 00BC4FF9
ProcessComponents, xrefs: 00BC3B70
D, xrefs: 00BC567B
H), xrefs: 00BC3E70
AI_ScheduledTasks, xrefs: 00BC6113
@>, xrefs: 00BC50B8
x=, xrefs: 00BC500F
@Q, xrefs: 00BC60E8
8, xrefs: 00BC4B7D
L, xrefs: 00BC5D57
pS, xrefs: 00BC62C8
h0, xrefs: 00BC44B8
2, xrefs: 00BC46E3
h8, xrefs: 00BC4BB6
WriteIniValues, xrefs: 00BC5143
@5, xrefs: 00BC48FB
H(, xrefs: 00BC3B57

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: %$ -$ .$ /$ 6$ 7$ 8$ @$ A$ B$ I$ J$ K$ S$ T$(*$(+$(,$(3$(4$(5$(=$(>$(?$(F$(G$(H$(P$(Q$(R$0'$0($0)$00$01$02$0:$0;$0<$0C$0D$0E$0M$0N$0O$100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$8%$8&$8-$8.$8/$800$8000$87$88$89$8@$8A$8B$8J$8K$8L$8S$8T$@*$@+$@,$@4$@5$@6$@=$@>$@?$@G$@H$@I$@P$@Q$@R$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$H'$H($H)$H1$H2$H3$H:$H;$H<$HD$HE$HF$HM$HN$HO$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$P%$P&$P.$P/$P0$P7$P8$P9$PA$PB$PC$PJ$PK$PL$PT$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$X+$X,$X-$X4$X5$X6$X>$X?$X@$XG$XH$XI$XQ$XR$XS$`($`)$`*$`1$`2$`3$`;$`<$`=$`D$`E$`F$`N$`O$`P$h%$h&$h'$h.$h/$h0$h8$h9$h:$hA$hB$hC$hK$hL$hM$hT$p+$p,$p-$p5$p6$p7$p>$p?$p@$pH$pI$pJ$pQ$pR$pS$x($x)$x*$x2$x3$x4$x;$x<$x=$xE$xF$xG$xN$xO$xP$~$$$%$&$'$($)$.$/$0$1$2$3$7$8$9$:$;$<$A$B$C$D$E$F$J$K$L$M$N$O
API String ID: 0-659361337
Opcode ID: 825060e8d1724a180130242e810f2f0e5dac9bb9a5259cd59bc64ce8bbbf3408
Instruction ID: 8b40c299391a9515f08c8384bea5e5bca0d8f4de49568eea199b23e0bc924d26
Opcode Fuzzy Hash: 825060e8d1724a180130242e810f2f0e5dac9bb9a5259cd59bc64ce8bbbf3408
Instruction Fuzzy Hash: BB33C6F0689389BDD706EBB4A917B2D29A09F91704F1072DCF25D3B2D2CFB40A489756

Function 00BC45FE Relevance: 334.0, Strings: 266, Instructions: 1545COMMON

Download Yara Rule

Strings

87, xrefs: 00BC4AAA
PK, xrefs: 00BC5C06
pH, xrefs: 00BC5984
ODBCTranslator, xrefs: 00BC5378
FileSize, xrefs: 00BC4C8E
TypeLib, xrefs: 00BC5484
6, xrefs: 00BC49BA
P9, xrefs: 00BC4C89
9, xrefs: 00BC4D0F
XH, xrefs: 00BC5971
Font, xrefs: 00BC5275
PublishComponent, xrefs: 00BC579F
File, xrefs: 00BC49BF, 00BC4C4F
`E, xrefs: 00BC56EE
PublishComponents, xrefs: 00BC5779
Feature, xrefs: 00BC58A2
InstallServices, xrefs: 00BC55E7
0C, xrefs: 00BC5505
RemoveFolders, xrefs: 00BC4A9C
MsiConfigureServices, xrefs: 00BC566D, 00BC5693
120000, xrefs: 00BC481A
E, xrefs: 00BC5761
pJ, xrefs: 00BC5B33
02, xrefs: 00BC464A
Component_, xrefs: 00BC4734, 00BC47BA, 00BC4840, 00BC48C6, 00BC494C, 00BC49D2, 00BC4AD5, 00BC4B5B, 00BC4BE1, 00BC4C67, 00BC4D73, 00BC4E76, 00BC50F6, 00BC517C, 00BC5202, 00BC5305, 00BC538B, 00BC5416, 00BC5497, 00BC559A, 00BC5620, 00BC56B5, 00BC572C, 00BC57B2
p?, xrefs: 00BC51C4
@, xrefs: 00BC525D
8000, xrefs: 00BC5262, 00BC54F7
HN, xrefs: 00BC5E77
hT, xrefs: 00BC6391
AI_UninstallAccounts, xrefs: 00BC5D82
AI_XmlAttribute, xrefs: 00BC5CAE, 00BC6211
AI_GxUninstall, xrefs: 00BC5EF9
AI_UninstallTasks, xrefs: 00BC5E7C
hA, xrefs: 00BC5373
N, xrefs: 00BC5EF4
ODBCDataSource, xrefs: 00BC52F2
0O, xrefs: 00BC5F35
H:, xrefs: 00BC4D5B
H<, xrefs: 00BC4F15
8B, xrefs: 00BC5433
InstallInitialize, xrefs: 00BC58F9
AI_UserGroups, xrefs: 00BC5E25, 00BC6019
@H, xrefs: 00BC595E
AI_UninstallGroups, xrefs: 00BC5DFF
RegisterFonts, xrefs: 00BC524F
HE, xrefs: 00BC56DB
12000, xrefs: 00BC4926, 00BC49AC, 00BC4A32, 00BC4AAF, 00BC4B35, 00BC4E50, 00BC52DF, 00BC5365, 00BC53EB
InstallFiles, xrefs: 00BC4C2E
`F, xrefs: 00BC57D4
XQ, xrefs: 00BC60FB
Feature_, xrefs: 00BC4F77, 00BC5836, 00BC5A2C, 00BC5AB2, 00BC5B38, 00BC5BBE
Environment, xrefs: 00BC48B3, 00BC51EF
p5, xrefs: 00BC4921
(4, xrefs: 00BC4802
RemoveIniFile, xrefs: 00BC4721
T, xrefs: 00BC635D
SelfRegModules, xrefs: 00BC54E4
0N, xrefs: 00BC5E64
p7, xrefs: 00BC4AD0
:, xrefs: 00BC4DE1
BindImage, xrefs: 00BC4DC0, 00BC4DE6
x<, xrefs: 00BC4F3B
hM, xrefs: 00BC5DBE
WriteRegistryValues, xrefs: 00BC50BD
H;, xrefs: 00BC4E38
8@, xrefs: 00BC5270
~, xrefs: 00BC5B69
A, xrefs: 00BC533A
X>, xrefs: 00BC50CB
AI_InstallPostPrerequisite, xrefs: 00BC5B85
A, xrefs: 00BC53E6
h:, xrefs: 00BC4D6E
`2, xrefs: 00BC4670
DuplicateFile, xrefs: 00BC4939, 00BC4D60
J, xrefs: 00BC5BA6
RegisterProgIdInfo, xrefs: 00BC4FBD
@R, xrefs: 00BC61C5
Complus, xrefs: 00BC5587
SelfReg, xrefs: 00BC550A
8S, xrefs: 00BC6297
8, xrefs: 00BC4C29
X6, xrefs: 00BC49F4
;, xrefs: 00BC4EBE
@?, xrefs: 00BC519E
@6, xrefs: 00BC49CD
Extension, xrefs: 00BC4F66
5000, xrefs: 00BC4DD3
B, xrefs: 00BC54CC
`N, xrefs: 00BC5E8A
(R, xrefs: 00BC619E
`<, xrefs: 00BC4F28
X?, xrefs: 00BC51B1
PC, xrefs: 00BC5520
(5, xrefs: 00BC48E8
StartServices, xrefs: 00BC56F3
C, xrefs: 00BC5595
3000000, xrefs: 00BC51DC
Location, xrefs: 00BC5A53, 00BC5AD9
6000, xrefs: 00BC50D0
RemoveFile, xrefs: 00BC4A45
XS, xrefs: 00BC62B2
0E, xrefs: 00BC56C8
PL, xrefs: 00BC5CDA
(Q, xrefs: 00BC60D5
@I, xrefs: 00BC5A27
8J, xrefs: 00BC5B0D
P8, xrefs: 00BC4BA3
h9, xrefs: 00BC4C9C
(=, xrefs: 00BC4FCB
CreateFolders, xrefs: 00BC4B22
AI_PreRequisite, xrefs: 00BC5A19, 00BC5A9F, 00BC5B25, 00BC5BAB
1500000, xrefs: 00BC55FA
100, xrefs: 00BC4CC7, 00BC4FD0, 00BC5F0C
7, xrefs: 00BC4A97
O, xrefs: 00BC5FC8
AI_GxInstall, xrefs: 00BC5D05
10000, xrefs: 00BC578C, 00BC6383
89, xrefs: 00BC4C62
8L, xrefs: 00BC5CC4
AI_AppSearchEx, xrefs: 00BC5F76, 00BC5F9C
P7, xrefs: 00BC4ABD
xG, xrefs: 00BC58B8
MsiPublishAssemblies, xrefs: 00BC57FF
PB, xrefs: 00BC5446
MoveFiles, xrefs: 00BC4BA8
pQ, xrefs: 00BC610E
PA, xrefs: 00BC5360
J, xrefs: 00BC5AFA
`P, xrefs: 00BC602F
(3, xrefs: 00BC471C
xE, xrefs: 00BC5701
AI_DefaultActionCost, xrefs: 00BC6370
RemoveShortcuts, xrefs: 00BC4807
Options, xrefs: 00BC5B5F, 00BC5BE0
InstallODBC, xrefs: 00BC52CC, 00BC5352, 00BC53D8
AI_ProcessGroups, xrefs: 00BC5FF3
0<, xrefs: 00BC4EFF
RegisterComPlus, xrefs: 00BC555C
HF, xrefs: 00BC57AD
RemoveIniValues, xrefs: 00BC46FB, 00BC4781
(P, xrefs: 00BC6001
H3, xrefs: 00BC472F
(F, xrefs: 00BC579A
AI_InstallPrerequisite, xrefs: 00BC5AFF
AI_ProcessAccounts, xrefs: 00BC6070
xP, xrefs: 00BC6045
1500, xrefs: 00BC4709, 00BC4794, 00BC5C9B, 00BC6203
UnregisterMIMEInfo, xrefs: 00BC4675
xO, xrefs: 00BC5F71
3, xrefs: 00BC47B5
B, xrefs: 00BC541B
(H, xrefs: 00BC594B
@=, xrefs: 00BC4FDE
@G, xrefs: 00BC588A
hB, xrefs: 00BC5459
xF, xrefs: 00BC57E7
(?, xrefs: 00BC5177
IniFile, xrefs: 00BC47A7, 00BC5169
x;, xrefs: 00BC4E5E
RegisterExtensionInfo, xrefs: 00BC4F40
AI_CountRowAction, xrefs: 00BC62F3
200000, xrefs: 00BC590C
(>, xrefs: 00BC50A2
HD, xrefs: 00BC55F5
88, xrefs: 00BC4B90
Shortcut, xrefs: 00BC482D, 00BC4E63
30000, xrefs: 00BC5156, 00BC5812
PublishFeatures, xrefs: 00BC587C
2000, xrefs: 00BC5D18, 00BC5D95, 00BC5E12, 00BC5E8F, 00BC6006, 00BC6083, 00BC6100
AI_UserAccounts, xrefs: 00BC5DA8, 00BC6096
M, xrefs: 00BC5E20
AI_XmlInstall, xrefs: 00BC5C0B, 00BC5C88
InstallFinalize, xrefs: 00BC5976
K, xrefs: 00BC5C83
AppId, xrefs: 00BC4EE9
pI, xrefs: 00BC5A61
XI, xrefs: 00BC5A4E
RegisterTypeLibraries, xrefs: 00BC545E
Registry, xrefs: 00BC50E3
AI_XmlUninstall, xrefs: 00BC616A, 00BC61F0
p6, xrefs: 00BC4A07
`;, xrefs: 00BC4E4B
AI_ProcessTasks, xrefs: 00BC60ED
RemoveDuplicateFiles, xrefs: 00BC4913
Patch, xrefs: 00BC4CDA
p>, xrefs: 00BC50DE
hK, xrefs: 00BC5C19
100000, xrefs: 00BC5989
AI_XmlElement, xrefs: 00BC5C31, 00BC6190
x2, xrefs: 00BC4683
I, xrefs: 00BC5A14
RegisterClassInfo, xrefs: 00BC4EC3
F, xrefs: 00BC583B
CreateShortcuts, xrefs: 00BC4E3D
ServiceControl, xrefs: 00BC5719
1800, xrefs: 00BC5C1E, 00BC617D
`O, xrefs: 00BC5F5E
RemoveFiles, xrefs: 00BC4999, 00BC4A1F
0;, xrefs: 00BC4E25
p@, xrefs: 00BC52A1
`D, xrefs: 00BC5608
hL, xrefs: 00BC5CED
X@, xrefs: 00BC528B
AI_ChainProductsPseudo, xrefs: 00BC6276
(G, xrefs: 00BC5877
PatchSize, xrefs: 00BC4D14
PatchFiles, xrefs: 00BC4CB4
ODBCDriver, xrefs: 00BC53FE
8T, xrefs: 00BC636B
S, xrefs: 00BC6284
xN, xrefs: 00BC5E9D
CreateFolder, xrefs: 00BC4AC2, 00BC4B48
AI_DownloadPrereq, xrefs: 00BC59F3
HM, xrefs: 00BC5DA3
pR, xrefs: 00BC61EB
8K, xrefs: 00BC5BF3
3000, xrefs: 00BC4688, 00BC48A0, 00BC4ED6, 00BC504D, 00BC5471, 00BC5574
AI_Game, xrefs: 00BC5D2B, 00BC5F1F
H2, xrefs: 00BC465D
`3, xrefs: 00BC4756
PJ, xrefs: 00BC5B20
XR, xrefs: 00BC61D8
7, xrefs: 00BC4B43
x3, xrefs: 00BC4769
DuplicateFiles, xrefs: 00BC4D3A
RemoveEnvironmentStrings, xrefs: 00BC488D
HO, xrefs: 00BC5F4B
20000, xrefs: 00BC5706
XG, xrefs: 00BC589D
WriteEnvironmentStrings, xrefs: 00BC51C9
AI_ExtractPrereq, xrefs: 00BC5A79
x4, xrefs: 00BC483B
@4, xrefs: 00BC4815
hC, xrefs: 00BC5536
ProgId, xrefs: 00BC4615, 00BC4FE3
0M, xrefs: 00BC5D90
K, xrefs: 00BC5BE5
X4, xrefs: 00BC4828
RegisterMIMEInfo, xrefs: 00BC503A
<, xrefs: 00BC4F92
MoveFile, xrefs: 00BC4BCE
MsiAssembly, xrefs: 00BC5825
MIME, xrefs: 00BC469B, 00BC5060
@P, xrefs: 00BC6014
15000, xrefs: 00BC4BBB, 00BC4D4D, 00BC4F53, 00BC5680, 00BC588F
0D, xrefs: 00BC55E2
X5, xrefs: 00BC490E
PT, xrefs: 00BC637E
0:, xrefs: 00BC4D48
8A, xrefs: 00BC534D
500, xrefs: 00BC5F89
ServiceInstall, xrefs: 00BC560D
`=, xrefs: 00BC4FF9
D, xrefs: 00BC567B
AI_ScheduledTasks, xrefs: 00BC6113
@>, xrefs: 00BC50B8
x=, xrefs: 00BC500F
@Q, xrefs: 00BC60E8
8, xrefs: 00BC4B7D
L, xrefs: 00BC5D57
pS, xrefs: 00BC62C8
2, xrefs: 00BC46E3
h8, xrefs: 00BC4BB6
WriteIniValues, xrefs: 00BC5143
@5, xrefs: 00BC48FB

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: 6$ 7$ 8$ @$ A$ B$ I$ J$ K$ S$ T$(3$(4$(5$(=$(>$(?$(F$(G$(H$(P$(Q$(R$02$0:$0;$0<$0C$0D$0E$0M$0N$0O$100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$8000$87$88$89$8@$8A$8B$8J$8K$8L$8S$8T$@4$@5$@6$@=$@>$@?$@G$@H$@I$@P$@Q$@R$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$BindImage$Complus$Component_$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileSize$Font$H2$H3$H:$H;$H<$HD$HE$HF$HM$HN$HO$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$P7$P8$P9$PA$PB$PC$PJ$PK$PL$PT$Patch$PatchFiles$PatchSize$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveShortcuts$SelfReg$SelfRegModules$ServiceControl$ServiceInstall$Shortcut$StartServices$TypeLib$UnregisterMIMEInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$X4$X5$X6$X>$X?$X@$XG$XH$XI$XQ$XR$XS$`2$`3$`;$`<$`=$`D$`E$`F$`N$`O$`P$h8$h9$h:$hA$hB$hC$hK$hL$hM$hT$p5$p6$p7$p>$p?$p@$pH$pI$pJ$pQ$pR$pS$x2$x3$x4$x;$x<$x=$xE$xF$xG$xN$xO$xP$~$2$3$7$8$9$:$;$<$A$B$C$D$E$F$J$K$L$M$N$O
API String ID: 0-2236961450
Opcode ID: 6a9896b9554c13514f8ddecf61041afbea7f893b05c8672607789a4253ca9248
Instruction ID: fa52a5e162fbed8cc5323064491cec80eb741a102b5ff13033c9dc8f30faddec
Opcode Fuzzy Hash: 6a9896b9554c13514f8ddecf61041afbea7f893b05c8672607789a4253ca9248
Instruction Fuzzy Hash: 72E2D8D0AC978AB9C706F7F46917B6D59918FD2711F1472ECF1AA3B2D2CEA00B005762

Function 00BC4736 Relevance: 322.7, Strings: 257, Instructions: 1479COMMON

Download Yara Rule

Strings

87, xrefs: 00BC4AAA
PK, xrefs: 00BC5C06
pH, xrefs: 00BC5984
ODBCTranslator, xrefs: 00BC5378
FileSize, xrefs: 00BC4C8E
TypeLib, xrefs: 00BC5484
6, xrefs: 00BC49BA
P9, xrefs: 00BC4C89
9, xrefs: 00BC4D0F
XH, xrefs: 00BC5971
Font, xrefs: 00BC5275
PublishComponent, xrefs: 00BC579F
File, xrefs: 00BC49BF, 00BC4C4F
`E, xrefs: 00BC56EE
PublishComponents, xrefs: 00BC5779
Feature, xrefs: 00BC58A2
InstallServices, xrefs: 00BC55E7
0C, xrefs: 00BC5505
RemoveFolders, xrefs: 00BC4A9C
MsiConfigureServices, xrefs: 00BC566D, 00BC5693
120000, xrefs: 00BC481A
E, xrefs: 00BC5761
pJ, xrefs: 00BC5B33
Component_, xrefs: 00BC47BA, 00BC4840, 00BC48C6, 00BC494C, 00BC49D2, 00BC4AD5, 00BC4B5B, 00BC4BE1, 00BC4C67, 00BC4D73, 00BC4E76, 00BC50F6, 00BC517C, 00BC5202, 00BC5305, 00BC538B, 00BC5416, 00BC5497, 00BC559A, 00BC5620, 00BC56B5, 00BC572C, 00BC57B2
p?, xrefs: 00BC51C4
@, xrefs: 00BC525D
8000, xrefs: 00BC5262, 00BC54F7
HN, xrefs: 00BC5E77
hT, xrefs: 00BC6391
AI_UninstallAccounts, xrefs: 00BC5D82
AI_XmlAttribute, xrefs: 00BC5CAE, 00BC6211
AI_GxUninstall, xrefs: 00BC5EF9
AI_UninstallTasks, xrefs: 00BC5E7C
hA, xrefs: 00BC5373
N, xrefs: 00BC5EF4
ODBCDataSource, xrefs: 00BC52F2
0O, xrefs: 00BC5F35
H:, xrefs: 00BC4D5B
H<, xrefs: 00BC4F15
8B, xrefs: 00BC5433
InstallInitialize, xrefs: 00BC58F9
AI_UserGroups, xrefs: 00BC5E25, 00BC6019
@H, xrefs: 00BC595E
AI_UninstallGroups, xrefs: 00BC5DFF
RegisterFonts, xrefs: 00BC524F
HE, xrefs: 00BC56DB
12000, xrefs: 00BC4926, 00BC49AC, 00BC4A32, 00BC4AAF, 00BC4B35, 00BC4E50, 00BC52DF, 00BC5365, 00BC53EB
InstallFiles, xrefs: 00BC4C2E
`F, xrefs: 00BC57D4
XQ, xrefs: 00BC60FB
Feature_, xrefs: 00BC4F77, 00BC5836, 00BC5A2C, 00BC5AB2, 00BC5B38, 00BC5BBE
Environment, xrefs: 00BC48B3, 00BC51EF
p5, xrefs: 00BC4921
(4, xrefs: 00BC4802
T, xrefs: 00BC635D
SelfRegModules, xrefs: 00BC54E4
0N, xrefs: 00BC5E64
p7, xrefs: 00BC4AD0
:, xrefs: 00BC4DE1
BindImage, xrefs: 00BC4DC0, 00BC4DE6
x<, xrefs: 00BC4F3B
hM, xrefs: 00BC5DBE
WriteRegistryValues, xrefs: 00BC50BD
H;, xrefs: 00BC4E38
8@, xrefs: 00BC5270
~, xrefs: 00BC5B69
A, xrefs: 00BC533A
X>, xrefs: 00BC50CB
AI_InstallPostPrerequisite, xrefs: 00BC5B85
A, xrefs: 00BC53E6
h:, xrefs: 00BC4D6E
DuplicateFile, xrefs: 00BC4939, 00BC4D60
J, xrefs: 00BC5BA6
RegisterProgIdInfo, xrefs: 00BC4FBD
@R, xrefs: 00BC61C5
Complus, xrefs: 00BC5587
SelfReg, xrefs: 00BC550A
8S, xrefs: 00BC6297
8, xrefs: 00BC4C29
X6, xrefs: 00BC49F4
;, xrefs: 00BC4EBE
@?, xrefs: 00BC519E
@6, xrefs: 00BC49CD
Extension, xrefs: 00BC4F66
5000, xrefs: 00BC4DD3
B, xrefs: 00BC54CC
`N, xrefs: 00BC5E8A
(R, xrefs: 00BC619E
`<, xrefs: 00BC4F28
X?, xrefs: 00BC51B1
PC, xrefs: 00BC5520
(5, xrefs: 00BC48E8
StartServices, xrefs: 00BC56F3
C, xrefs: 00BC5595
3000000, xrefs: 00BC51DC
Location, xrefs: 00BC5A53, 00BC5AD9
6000, xrefs: 00BC50D0
RemoveFile, xrefs: 00BC4A45
XS, xrefs: 00BC62B2
0E, xrefs: 00BC56C8
PL, xrefs: 00BC5CDA
(Q, xrefs: 00BC60D5
@I, xrefs: 00BC5A27
8J, xrefs: 00BC5B0D
P8, xrefs: 00BC4BA3
h9, xrefs: 00BC4C9C
(=, xrefs: 00BC4FCB
CreateFolders, xrefs: 00BC4B22
AI_PreRequisite, xrefs: 00BC5A19, 00BC5A9F, 00BC5B25, 00BC5BAB
1500000, xrefs: 00BC55FA
100, xrefs: 00BC4CC7, 00BC4FD0, 00BC5F0C
7, xrefs: 00BC4A97
O, xrefs: 00BC5FC8
AI_GxInstall, xrefs: 00BC5D05
10000, xrefs: 00BC578C, 00BC6383
89, xrefs: 00BC4C62
8L, xrefs: 00BC5CC4
AI_AppSearchEx, xrefs: 00BC5F76, 00BC5F9C
P7, xrefs: 00BC4ABD
xG, xrefs: 00BC58B8
MsiPublishAssemblies, xrefs: 00BC57FF
PB, xrefs: 00BC5446
MoveFiles, xrefs: 00BC4BA8
pQ, xrefs: 00BC610E
PA, xrefs: 00BC5360
J, xrefs: 00BC5AFA
`P, xrefs: 00BC602F
xE, xrefs: 00BC5701
AI_DefaultActionCost, xrefs: 00BC6370
RemoveShortcuts, xrefs: 00BC4807
Options, xrefs: 00BC5B5F, 00BC5BE0
InstallODBC, xrefs: 00BC52CC, 00BC5352, 00BC53D8
AI_ProcessGroups, xrefs: 00BC5FF3
0<, xrefs: 00BC4EFF
RegisterComPlus, xrefs: 00BC555C
HF, xrefs: 00BC57AD
RemoveIniValues, xrefs: 00BC4781
(P, xrefs: 00BC6001
(F, xrefs: 00BC579A
AI_InstallPrerequisite, xrefs: 00BC5AFF
AI_ProcessAccounts, xrefs: 00BC6070
xP, xrefs: 00BC6045
1500, xrefs: 00BC4794, 00BC5C9B, 00BC6203
xO, xrefs: 00BC5F71
3, xrefs: 00BC47B5
B, xrefs: 00BC541B
(H, xrefs: 00BC594B
@=, xrefs: 00BC4FDE
@G, xrefs: 00BC588A
hB, xrefs: 00BC5459
xF, xrefs: 00BC57E7
(?, xrefs: 00BC5177
IniFile, xrefs: 00BC47A7, 00BC5169
x;, xrefs: 00BC4E5E
RegisterExtensionInfo, xrefs: 00BC4F40
AI_CountRowAction, xrefs: 00BC62F3
200000, xrefs: 00BC590C
(>, xrefs: 00BC50A2
HD, xrefs: 00BC55F5
88, xrefs: 00BC4B90
Shortcut, xrefs: 00BC482D, 00BC4E63
30000, xrefs: 00BC5156, 00BC5812
PublishFeatures, xrefs: 00BC587C
2000, xrefs: 00BC5D18, 00BC5D95, 00BC5E12, 00BC5E8F, 00BC6006, 00BC6083, 00BC6100
AI_UserAccounts, xrefs: 00BC5DA8, 00BC6096
M, xrefs: 00BC5E20
AI_XmlInstall, xrefs: 00BC5C0B, 00BC5C88
InstallFinalize, xrefs: 00BC5976
K, xrefs: 00BC5C83
AppId, xrefs: 00BC4EE9
pI, xrefs: 00BC5A61
XI, xrefs: 00BC5A4E
RegisterTypeLibraries, xrefs: 00BC545E
Registry, xrefs: 00BC50E3
AI_XmlUninstall, xrefs: 00BC616A, 00BC61F0
p6, xrefs: 00BC4A07
`;, xrefs: 00BC4E4B
AI_ProcessTasks, xrefs: 00BC60ED
RemoveDuplicateFiles, xrefs: 00BC4913
Patch, xrefs: 00BC4CDA
p>, xrefs: 00BC50DE
hK, xrefs: 00BC5C19
100000, xrefs: 00BC5989
AI_XmlElement, xrefs: 00BC5C31, 00BC6190
I, xrefs: 00BC5A14
RegisterClassInfo, xrefs: 00BC4EC3
F, xrefs: 00BC583B
CreateShortcuts, xrefs: 00BC4E3D
ServiceControl, xrefs: 00BC5719
1800, xrefs: 00BC5C1E, 00BC617D
`O, xrefs: 00BC5F5E
RemoveFiles, xrefs: 00BC4999, 00BC4A1F
0;, xrefs: 00BC4E25
p@, xrefs: 00BC52A1
`D, xrefs: 00BC5608
hL, xrefs: 00BC5CED
X@, xrefs: 00BC528B
AI_ChainProductsPseudo, xrefs: 00BC6276
(G, xrefs: 00BC5877
PatchSize, xrefs: 00BC4D14
PatchFiles, xrefs: 00BC4CB4
ODBCDriver, xrefs: 00BC53FE
8T, xrefs: 00BC636B
S, xrefs: 00BC6284
xN, xrefs: 00BC5E9D
CreateFolder, xrefs: 00BC4AC2, 00BC4B48
AI_DownloadPrereq, xrefs: 00BC59F3
HM, xrefs: 00BC5DA3
pR, xrefs: 00BC61EB
8K, xrefs: 00BC5BF3
3000, xrefs: 00BC48A0, 00BC4ED6, 00BC504D, 00BC5471, 00BC5574
AI_Game, xrefs: 00BC5D2B, 00BC5F1F
`3, xrefs: 00BC4756
PJ, xrefs: 00BC5B20
XR, xrefs: 00BC61D8
7, xrefs: 00BC4B43
x3, xrefs: 00BC4769
DuplicateFiles, xrefs: 00BC4D3A
RemoveEnvironmentStrings, xrefs: 00BC488D
HO, xrefs: 00BC5F4B
20000, xrefs: 00BC5706
XG, xrefs: 00BC589D
WriteEnvironmentStrings, xrefs: 00BC51C9
AI_ExtractPrereq, xrefs: 00BC5A79
x4, xrefs: 00BC483B
@4, xrefs: 00BC4815
hC, xrefs: 00BC5536
ProgId, xrefs: 00BC4FE3
0M, xrefs: 00BC5D90
K, xrefs: 00BC5BE5
X4, xrefs: 00BC4828
RegisterMIMEInfo, xrefs: 00BC503A
<, xrefs: 00BC4F92
MoveFile, xrefs: 00BC4BCE
MsiAssembly, xrefs: 00BC5825
MIME, xrefs: 00BC5060
@P, xrefs: 00BC6014
15000, xrefs: 00BC4BBB, 00BC4D4D, 00BC4F53, 00BC5680, 00BC588F
0D, xrefs: 00BC55E2
X5, xrefs: 00BC490E
PT, xrefs: 00BC637E
0:, xrefs: 00BC4D48
8A, xrefs: 00BC534D
500, xrefs: 00BC5F89
ServiceInstall, xrefs: 00BC560D
`=, xrefs: 00BC4FF9
D, xrefs: 00BC567B
AI_ScheduledTasks, xrefs: 00BC6113
@>, xrefs: 00BC50B8
x=, xrefs: 00BC500F
@Q, xrefs: 00BC60E8
8, xrefs: 00BC4B7D
L, xrefs: 00BC5D57
pS, xrefs: 00BC62C8
h8, xrefs: 00BC4BB6
WriteIniValues, xrefs: 00BC5143
@5, xrefs: 00BC48FB

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: 6$ 7$ 8$ @$ A$ B$ I$ J$ K$ S$ T$(4$(5$(=$(>$(?$(F$(G$(H$(P$(Q$(R$0:$0;$0<$0C$0D$0E$0M$0N$0O$100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$8000$87$88$89$8@$8A$8B$8J$8K$8L$8S$8T$@4$@5$@6$@=$@>$@?$@G$@H$@I$@P$@Q$@R$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$BindImage$Complus$Component_$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileSize$Font$H:$H;$H<$HD$HE$HF$HM$HN$HO$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$P7$P8$P9$PA$PB$PC$PJ$PK$PL$PT$Patch$PatchFiles$PatchSize$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniValues$RemoveShortcuts$SelfReg$SelfRegModules$ServiceControl$ServiceInstall$Shortcut$StartServices$TypeLib$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$X4$X5$X6$X>$X?$X@$XG$XH$XI$XQ$XR$XS$`3$`;$`<$`=$`D$`E$`F$`N$`O$`P$h8$h9$h:$hA$hB$hC$hK$hL$hM$hT$p5$p6$p7$p>$p?$p@$pH$pI$pJ$pQ$pR$pS$x3$x4$x;$x<$x=$xE$xF$xG$xN$xO$xP$~$3$7$8$9$:$;$<$A$B$C$D$E$F$J$K$L$M$N$O
API String ID: 0-1310056262
Opcode ID: 2589ef37b65c913a48ba70247217c9e58138a137cd8d0e5de48583f05fa745ba
Instruction ID: 6a2caa63f0e3dec028d0e748d575900593ec260227252e45c8a6f4a07c615637
Opcode Fuzzy Hash: 2589ef37b65c913a48ba70247217c9e58138a137cd8d0e5de48583f05fa745ba
Instruction Fuzzy Hash: 36D2D9D0AC978AB9C706F7F46917B6D59918FD2711F1472ECF1AA3B2D2CEA00B005762

Function 00BEB461 Relevance: 64.6, APIs: 25, Strings: 11, Instructions: 1644memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

VariantClear.OLEAUT32 ref: 00BEB70F
VariantClear.OLEAUT32(?), ref: 00BEB86A
VariantClear.OLEAUT32(?), ref: 00BEB892
VariantClear.OLEAUT32(?), ref: 00BEBA1E
SysAllocString.OLEAUT32(00000000), ref: 00BEBA2F
VariantClear.OLEAUT32(?), ref: 00BEBA79
VariantClear.OLEAUT32(?), ref: 00BEBAA2
SysFreeString.OLEAUT32(00000000), ref: 00BEBAAD
VariantClear.OLEAUT32(?), ref: 00BEBBBB
VariantClear.OLEAUT32(?), ref: 00BEBBEC
VariantClear.OLEAUT32(?), ref: 00BEBC45
VariantClear.OLEAUT32(?), ref: 00BEBCF4
VariantClear.OLEAUT32(?), ref: 00BEB73D

Part of subcall function 00BC92A0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,00000000,8007000E,80004005,00CD06A6,00000000,00000002,00000001,?,?,80070057,?), ref: 00BC92C3

VariantClear.OLEAUT32(?), ref: 00BEB80E
VariantClear.OLEAUT32(?), ref: 00BEB836
VariantClear.OLEAUT32(?), ref: 00BEBE38
SysAllocString.OLEAUT32(00000000), ref: 00BEBE49
VariantClear.OLEAUT32(?), ref: 00BEBE93
VariantClear.OLEAUT32(?), ref: 00BEBEBC
SysFreeString.OLEAUT32(00000000), ref: 00BEBEC7
VariantClear.OLEAUT32(?), ref: 00BEBFD5
SysAllocString.OLEAUT32(00000000), ref: 00BEBFE2
VariantClear.OLEAUT32(?), ref: 00BEC02A
VariantClear.OLEAUT32(?), ref: 00BEC052
SysFreeString.OLEAUT32(00000000), ref: 00BEC05C

Part of subcall function 00BC9980: RtlAllocateHeap.NTDLL(?,00000000,?,D02C6D11,00000000,00D9C6B0,000000FF,?,?,00E7C42C,00000000,00D1ECDB,80004005,D02C6D11,?,?), ref: 00BC99CA

Strings

GetFontHeight, xrefs: 00BEC8E0
MsiGetBinaryPathIndirect, xrefs: 00BEC4F3
MsiResolveFormatted, xrefs: 00BEC361
MsiSetProperty, xrefs: 00BEC10D
MsiGetFormattedError, xrefs: 00BEC817
MessageBox, xrefs: 00BEC685
MsiGetBinaryPath, xrefs: 00BEC42A
MsiEvaluateCondition, xrefs: 00BEC298
MsiGetBytesCountText, xrefs: 00BEC74E
MsiPublishEvents, xrefs: 00BEC5BC
MsiGetProperty, xrefs: 00BEC1CF

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ClearVariant$String$AllocFree$HeapInit_thread_footer$AllocateFindProcessResource
String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
API String ID: 3540692479-3153392536
Opcode ID: b874a7fc11ea77e30866fcdf918d5f752eab6e410eaedaca1d6f0ed05069cbd0
Instruction ID: 238b5e834e657e778d25e45bfb0de4319035089bc8df0cc84ca380f9fd9fdfba
Opcode Fuzzy Hash: b874a7fc11ea77e30866fcdf918d5f752eab6e410eaedaca1d6f0ed05069cbd0
Instruction Fuzzy Hash: 70E27D71D00248DFDB14DFA9C885B9EBBF4FF48314F248299E415AB391EB74AA45CB90

Function 00D0D260 Relevance: 44.3, APIs: 16, Strings: 9, Instructions: 517fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00E893A8,C0000000,00000003,00000000,00000004,00000080,00000000,D02C6D11,00E89384,00E8939C), ref: 00D0D2E0
GetLastError.KERNEL32 ref: 00D0D2FD
OutputDebugStringW.KERNEL32(00000000), ref: 00D0D376
OutputDebugStringW.KERNEL32(00000000), ref: 00D0D47A
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00D0D4EB
WriteFile.KERNEL32(00000000,00E88C20,00000000,00000000,00000000), ref: 00D0D51B
WriteFile.KERNEL32(00000000,000000B7,?,00000000,00000000,00E06D60,00000002), ref: 00D0D5C6
FlushFileBuffers.KERNEL32(00000000), ref: 00D0D5CF
FlushFileBuffers.KERNEL32(00000000), ref: 00D0D520

Part of subcall function 00BC92A0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,00000000,8007000E,80004005,00CD06A6,00000000,00000002,00000001,?,?,80070057,?), ref: 00BC92C3

OutputDebugStringW.KERNEL32(00000000), ref: 00D0D6C3
WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 00D0D749
FlushFileBuffers.KERNEL32(00000000), ref: 00D0D754
WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,00E06D60,00000002,?,0000001B,CPU: ,00000005), ref: 00D0D7C8
FlushFileBuffers.KERNEL32(00000000), ref: 00D0D7D1
WriteFile.KERNEL32(00000000,000000B7,?,00000000,00000000,00E06D60,00000002), ref: 00D0D856
FlushFileBuffers.KERNEL32(00000000), ref: 00D0D85F

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

Strings

x86, xrefs: 00D0D557
OS Version: %u.%u.%u SP%u (%s) [%s], xrefs: 00D0D596
x64, xrefs: 00D0D560, 00D0D56C
server, xrefs: 00D0D572, 00D0D57A
LOGGER->Reusing LOG file at:, xrefs: 00D0D422, 00D0D434, 00D0D43E
LOGGER->failed to create LOG at:, xrefs: 00D0D331, 00D0D343, 00D0D34D
LOGGER->Creating LOG file at:, xrefs: 00D0D66B, 00D0D67D, 00D0D687
workstation, xrefs: 00D0D56D
CPU: , xrefs: 00D0D617, 00D0D62D, 00D0D75D

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$BuffersFlushWrite$DebugOutputString$Init_thread_footer$CreateErrorFindHeapLastPointerProcessResource
String ID: CPU: $LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
API String ID: 4051163352-1312762833
Opcode ID: c757e072c01216bc1245b2be541154dd1903731126f59ee42ad561a09d9c8736
Instruction ID: 2e827b4fa5691b877a89a01fc46a3755530415b5fd05fbd330dd8b9c42d028a9
Opcode Fuzzy Hash: c757e072c01216bc1245b2be541154dd1903731126f59ee42ad561a09d9c8736
Instruction Fuzzy Hash: 78124170901605DFEB10DFA8CD49BAEBBB5EF44314F1481A9E819AB2D1DB74DD44CBA0

Function 00BDEAF0 Relevance: 26.1, APIs: 17, Instructions: 608COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00BDEB28
GetWindowLongW.USER32(?,000000EB), ref: 00BDEBA3
ShowWindow.USER32(00000000,?), ref: 00BDEBC2
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00BDEBD0
GetWindowRect.USER32(00000000,?), ref: 00BDEBE7
ShowWindow.USER32(00000000,?), ref: 00BDEC08
SetWindowLongW.USER32(?,000000EB,?), ref: 00BDEC1F

Part of subcall function 00BD8590: RaiseException.KERNEL32(?,?,00000000,00000000,00D1ED87,C000008C,00000001), ref: 00BD859C

GetClientRect.USER32(?,?), ref: 00BDECD8
ShowWindow.USER32(?,?), ref: 00BDED5D
GetWindowLongW.USER32(?,000000EB), ref: 00BDED8C
ShowWindow.USER32(?,?), ref: 00BDEDA9
GetWindowRect.USER32(?,?), ref: 00BDEDCE

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$LongRectShow$Client$ExceptionRaise
String ID:
API String ID: 3804784045-0
Opcode ID: 8081498b3ff2ae76d7138ef9e2fbb20c1846267b15cb0eba71aaad248ffa9e81
Instruction ID: d0d71eed32ea3768ec0969154bc3a17aec944fa36e923c32aabbd6a525222aa6
Opcode Fuzzy Hash: 8081498b3ff2ae76d7138ef9e2fbb20c1846267b15cb0eba71aaad248ffa9e81
Instruction Fuzzy Hash: 17423671A046099FCB24DFA8D884AADFBF5FF88304F14456EE45AAB360E730E945CB50

Function 00BE0880 Relevance: 25.2, APIs: 10, Strings: 4, Instructions: 694fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,?,00DD0D6D,000000FF), ref: 00BE09BF
PathIsUNCW.SHLWAPI(?,*.*,00000000), ref: 00BE0A77
FindFirstFileW.KERNEL32(?,00000000,*.*,00000000), ref: 00BE0BCC
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 00BE0BE6
GetFullPathNameW.KERNEL32(?,00000000,?,00000000), ref: 00BE0C19
FindClose.KERNEL32(00000000), ref: 00BE0C88
SetLastError.KERNEL32(0000007B), ref: 00BE0C96
_wcsrchr.LIBVCRUNTIME ref: 00BE0CEC
_wcsrchr.LIBVCRUNTIME ref: 00BE0D0C
PathIsUNCW.SHLWAPI(?,?,D02C6D11), ref: 00BE0EE3

Strings

*.*, xrefs: 00BE09EA, 00BE0A47, 00BE0A48, 00BE0DD4
\\?\, xrefs: 00BE0B61, 00BE0BB6, 00BE0FCC, 00BE1020
UxTheme.dll, xrefs: 00BE0885
\\?\UNC\, xrefs: 00BE0A97, 00BE0B4E, 00BE0F03, 00BE0FB9

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Path$Find$CloseFullName_wcsrchr$ErrorFileFirstLast
String ID: *.*$UxTheme.dll$\\?\$\\?\UNC\
API String ID: 1241272779-769350991
Opcode ID: c0d66da6925e49ffa626e05cf35277adeeecfffd2c8ee06efbd35a4401a239e4
Instruction ID: b666277967e9e4af3605757c506b9d03527f6040876778f2b6d15efbbf6bbe1c
Opcode Fuzzy Hash: c0d66da6925e49ffa626e05cf35277adeeecfffd2c8ee06efbd35a4401a239e4
Instruction Fuzzy Hash: 5C42E430600646DFDB14EF69C889B6EF7E5FF50314F1486ACE815DB291EBB5A980CB90

Function 00BD4BC0 Relevance: 22.9, APIs: 15, Instructions: 390memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD5050: EnterCriticalSection.KERNEL32(00E8957C,D02C6D11,00000000,?,?,?,?,?,?,00BD487E,00D9F9CD,000000FF), ref: 00BD508D
Part of subcall function 00BD5050: LoadCursorW.USER32(00000000,00007F00), ref: 00BD5108
Part of subcall function 00BD5050: LoadCursorW.USER32(00000000,00007F00), ref: 00BD51AE

SysFreeString.OLEAUT32(00000000), ref: 00BD4C63
SysAllocString.OLEAUT32(00000000), ref: 00BD4C94
GetWindowLongW.USER32(?,000000EC), ref: 00BD4D6B
GetWindowLongW.USER32(?,000000EC), ref: 00BD4D7B
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BD4D86
NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 00BD4D94
GetWindowLongW.USER32(?,000000EB), ref: 00BD4DA2
SetWindowTextW.USER32(?,00E0446C), ref: 00BD4E41
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00BD4E76
GlobalLock.KERNEL32(00000000), ref: 00BD4E84
GlobalUnlock.KERNEL32(?), ref: 00BD4ED8
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00BD4F63
SysFreeString.OLEAUT32(00000000), ref: 00BD4F7C
NtdllDefWindowProc_W.NTDLL(?,?,?,00000000), ref: 00BD4FC3
SysFreeString.OLEAUT32(00000000), ref: 00BD4FE5

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Long$String$FreeGlobal$AllocCursorLoadNtdllProc_$CriticalEnterLockSectionTextUnlock
String ID:
API String ID: 4180125975-0
Opcode ID: fbc7c62cbff9256bc5d19663248742900918e3fa59f885690121af7c8cb97875
Instruction ID: c5068a93577b5ffb24c2871b3ae48f47ad659b620be737a985b10267c230a37c
Opcode Fuzzy Hash: fbc7c62cbff9256bc5d19663248742900918e3fa59f885690121af7c8cb97875
Instruction Fuzzy Hash: 7FD1CE71904209AFDB11DFA4CC88BAFBBF8EF45314F244199F815AB391E7759A04CBA1

Function 00CBA2A0 Relevance: 19.7, APIs: 13, Instructions: 155windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001036,00010000,00000000), ref: 00CBA30B
GetParent.USER32(00000000), ref: 00CBA35E
GetWindowRect.USER32(00000000), ref: 00CBA361
GetParent.USER32(00000000), ref: 00CBA370
GetDC.USER32(00000000), ref: 00CBA373
CreateCompatibleDC.GDI32(00000000), ref: 00CBA3A0
CreateCompatibleBitmap.GDI32(00000000), ref: 00CBA3DF
SelectObject.GDI32(?,00000000), ref: 00CBA3F0
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00CBA406

Part of subcall function 00C739A0: IsWindowVisible.USER32(?), ref: 00C73A1A
Part of subcall function 00C739A0: GetWindowRect.USER32(?,?), ref: 00C73A32
Part of subcall function 00C739A0: GetWindowRect.USER32(?,?), ref: 00C73A4A
Part of subcall function 00C739A0: IntersectRect.USER32(?,?,?), ref: 00C73A67
Part of subcall function 00C739A0: EqualRect.USER32(?,?), ref: 00C73A77
Part of subcall function 00C739A0: GetSysColorBrush.USER32(0000000F), ref: 00C73A8D

FillRect.USER32(?,?,00000000), ref: 00CBA41C
DeleteDC.GDI32(?), ref: 00CBA43C
SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 00CBA460
SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 00CBA473

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Rect$Window$MessageSend$CompatibleCreateParent$BitmapBrushColorDeleteEqualFillIntersectObjectPointsSelectVisible
String ID:
API String ID: 2161025992-0
Opcode ID: e1d71d5e86a0bd6b84398b7d1a9d87ad10a9179cd4844fc8468d8bb06bbd2a5c
Instruction ID: 270e96e6f7af57916e0c3e17c4aaef3d2afcbb71d9f98438a48858044919d290
Opcode Fuzzy Hash: e1d71d5e86a0bd6b84398b7d1a9d87ad10a9179cd4844fc8468d8bb06bbd2a5c
Instruction Fuzzy Hash: 92515871D04648AFDB11CFA9CD44BDEBBF8EF59710F20431AE859B7290EB70A9848B50

Function 00CBAA20 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 373windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00CBACDA
RedrawWindow.USER32(?,00000000,00000000,00000541), ref: 00CBACEC
SendMessageW.USER32(?,00000443,00000000), ref: 00CBAD44
GetDC.USER32(00000000), ref: 00CBAD68
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CBAD73
MulDiv.KERNEL32(?,00000000), ref: 00CBAD7B
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 00CBADA0

Strings

NumberValidationTipMsg, xrefs: 00CBABA1
Segoe UI, xrefs: 00CBAD52
NumberValidationTipTitle, xrefs: 00CBAA94

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$CapsCreateDeviceFontMessageRedrawSend
String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
API String ID: 367477953-2319862951
Opcode ID: 9dfab98e7cc4ac588885178aff749fa9f2227df6343727e7d27613e02350b570
Instruction ID: 6cc8b5a4fb19da9852ce4901a852a9e70953fb24a6fbbd8c7ba869f4d71072f3
Opcode Fuzzy Hash: 9dfab98e7cc4ac588885178aff749fa9f2227df6343727e7d27613e02350b570
Instruction Fuzzy Hash: 6EE1BF71A00705AFEB14CF64CC55BEEB7B1EF89300F108259E599A72D0DB74AA45CF91

Function 00BD44A0 Relevance: 16.9, APIs: 11, Instructions: 417nativememoryCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00BD46CB
GetWindowLongW.USER32(00000000,000000EC), ref: 00BD46DB
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 00BD46E6
NtdllDefWindowProc_W.NTDLL(00000000,00000000,00000001,?), ref: 00BD46F4
GetWindowLongW.USER32(00000000,000000EB), ref: 00BD4702
SetWindowTextW.USER32(00000000,00E0446C), ref: 00BD47A1
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00BD47D6
GlobalLock.KERNEL32(00000000), ref: 00BD47E4
GlobalUnlock.KERNEL32(?), ref: 00BD4838
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BD489D
NtdllDefWindowProc_W.NTDLL(00000000,00000000,D02C6D11,00000000), ref: 00BD48EF

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Long$Global$NtdllProc_$AllocLockTextUnlock
String ID:
API String ID: 3555041256-0
Opcode ID: 64e066f0a488b25983b6ea59903c50a5374feaf38c1ba391cfafb6c30d45d163
Instruction ID: d104e327f36b0e8eb26f4c7919a844fbc75e32b236c9a8049148089e6b704b8b
Opcode Fuzzy Hash: 64e066f0a488b25983b6ea59903c50a5374feaf38c1ba391cfafb6c30d45d163
Instruction Fuzzy Hash: 52E1CE71A012069FDB10DFA8DC49BAFBBE8EF45314F1445AAE815E7391EB35D904CBA0

Function 00BEC116 Relevance: 13.1, Strings: 10, Instructions: 592COMMON

Download Yara Rule

Strings

GetFontHeight, xrefs: 00BEC8E0
MsiGetBinaryPathIndirect, xrefs: 00BEC4F3
MsiResolveFormatted, xrefs: 00BEC361
MsiGetFormattedError, xrefs: 00BEC817
MessageBox, xrefs: 00BEC685
MsiGetBinaryPath, xrefs: 00BEC42A
MsiEvaluateCondition, xrefs: 00BEC298
MsiGetBytesCountText, xrefs: 00BEC74E
MsiPublishEvents, xrefs: 00BEC5BC
MsiGetProperty, xrefs: 00BEC1CF

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted
API String ID: 0-2027876840
Opcode ID: 46a51800687cd3398b8097b63f0bbf8a8b12585b9c3f787eb9f278871a595d2b
Instruction ID: 15f07b2f22befc7a2f14270f1d1a18567430a0b8a28d09642242e01642984ff6
Opcode Fuzzy Hash: 46a51800687cd3398b8097b63f0bbf8a8b12585b9c3f787eb9f278871a595d2b
Instruction Fuzzy Hash: 86422AB1D102898FDB14CFA8C885BDEBBB1FF48314F20825AE015BB791E7746686CB54

Function 00BEC127 Relevance: 13.1, Strings: 10, Instructions: 591COMMON

Download Yara Rule

Strings

GetFontHeight, xrefs: 00BEC8E0
MsiGetBinaryPathIndirect, xrefs: 00BEC4F3
MsiResolveFormatted, xrefs: 00BEC361
MsiGetFormattedError, xrefs: 00BEC817
MessageBox, xrefs: 00BEC685
MsiGetBinaryPath, xrefs: 00BEC42A
MsiEvaluateCondition, xrefs: 00BEC298
MsiGetBytesCountText, xrefs: 00BEC74E
MsiPublishEvents, xrefs: 00BEC5BC
MsiGetProperty, xrefs: 00BEC1CF

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted
API String ID: 0-2027876840
Opcode ID: b793a41507571ce4c941aacde785baca0a9bbf63c82337f69be371d097bd959e
Instruction ID: 1bf64b0dc784634dacc974763365abe922dc47d6909b773ea16f2bb74a6f34cf
Opcode Fuzzy Hash: b793a41507571ce4c941aacde785baca0a9bbf63c82337f69be371d097bd959e
Instruction Fuzzy Hash: E44229B1D102898FDB15CFA8C885BDEBBB1FF48314F20825AE015BB791E7746686CB54

Function 00D09310 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 410COMMON

Download Yara Rule

APIs

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

_wcsrchr.LIBVCRUNTIME ref: 00D0949D
_wcsrchr.LIBVCRUNTIME ref: 00D094C5
GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 00D0951E
GetDriveTypeW.KERNEL32(?), ref: 00D0953A
Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00D095C1
Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00D09821

Strings

]%!, xrefs: 00D094B9

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Wow64$DriveInit_thread_footerRedirection_wcsrchr$DisableHeapLogicalProcessRevertStringsType
String ID: ]%!
API String ID: 139206881-1069524040
Opcode ID: 02b6cb03dbb0c6023d457496f218d69a811cf592cb918d422ad41747b4e1b0b7
Instruction ID: b6dde7db30f2a05a2749bb7a484ac931bab4fb699a441b7e6ad2eda0c70d9913
Opcode Fuzzy Hash: 02b6cb03dbb0c6023d457496f218d69a811cf592cb918d422ad41747b4e1b0b7
Instruction Fuzzy Hash: DFF1A171900259CBDB25DF68C858BADF7B5AF45310F1482E8E51DA7292DB709E84CFA0

Function 00D97AA7 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00D97C8B

Strings

1#QNAN, xrefs: 00D97BBA
1#SNAN, xrefs: 00D97BB3
1#IND, xrefs: 00D97BAC
1#INF, xrefs: 00D97BDD

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 011f35ce1fe8962dbef76f4b37d15d2be3dbaba0006ee3575db8bcab6627355f
Instruction ID: 12b179dafaf2f662b36e27f42ac55838745436541e8dd4feb514bffef8644c1e
Opcode Fuzzy Hash: 011f35ce1fe8962dbef76f4b37d15d2be3dbaba0006ee3575db8bcab6627355f
Instruction Fuzzy Hash: 85D22671E082298FDF65CE28DC407EAB7B5EB45704F1841EAD44DE7240EB38AE819F60

Function 00D741D9 Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00D740F5,00000000,?,00D7428D,?,?,?,?,?,?,?), ref: 00D741DB
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,00D7428D,?,?,?,?,?,?,?), ref: 00D74202
HeapAlloc.KERNEL32(00000000,?,00D7428D,?,?,?,?,?,?,?), ref: 00D74209
InitializeSListHead.KERNEL32(00000000,?,00D7428D,?,?,?,?,?,?,?), ref: 00D74216
GetProcessHeap.KERNEL32(00000000,00000000,?,00D7428D,?,?,?,?,?,?,?), ref: 00D7422B
HeapFree.KERNEL32(00000000,?,00D7428D,?,?,?,?,?,?,?), ref: 00D74232

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 24b75ae605ee36b507a001333f3355cb330aeab1dc0210497001c5e9305f4709
Instruction ID: 2b70a127436e9965c8f8602d2708499313e3bef90acfa6de1f50295b2ff9d278
Opcode Fuzzy Hash: 24b75ae605ee36b507a001333f3355cb330aeab1dc0210497001c5e9305f4709
Instruction Fuzzy Hash: BAF03C35A40301ABD7119F69AC18B26B7A8FB99712F148428FA8AD7350EF30D841CA70

Function 00CDA850 Relevance: 7.7, APIs: 5, Instructions: 240fileCOMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00CDA8A8

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00CDA9A8
FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000,?,?,00000000), ref: 00CDAA45
FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00CDAA6B
FindClose.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00CDAAB5

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Find$CloseFileFirstInit_thread_footer$HeapProcess_wcsrchr
String ID:
API String ID: 352340201-0
Opcode ID: 9d35e29bcc76e5d921cd3ee007abbd26987c7b4f7873ccc40e3792395c801c2c
Instruction ID: ea2c83b96890e20ccfb499ae9d8cefa896d29eaaa1552c2def117bb263ff51db
Opcode Fuzzy Hash: 9d35e29bcc76e5d921cd3ee007abbd26987c7b4f7873ccc40e3792395c801c2c
Instruction Fuzzy Hash: 9E71E031A002059FDB10DF69CD49BAAB7F4FF44324F10825AEA29D7380E7749A44DB62

Function 00D8CBBA Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D8CC47

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 0781543e342e03978754d4ce8ae367fb3031908136b70c6f409504ad44061446
Instruction ID: 79e2967c6262d379d8c1ca03433e8f8b37686b6e8a446b53504152c06811199b
Opcode Fuzzy Hash: 0781543e342e03978754d4ce8ae367fb3031908136b70c6f409504ad44061446
Instruction Fuzzy Hash: C0B15632914245DFDB26EF68C881BFEBBA5EF55310F19916AE905EB241D234DD01CBB0

Function 00D0A4B0 Relevance: 6.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6c4e31d53326c81823c572986c1e6ad13544540c5104a37e1096c775ca5b02
Instruction ID: 5d71ea00473c0da00bb9c136f743977c148a1849ae8783abd597ee217fd10bb1
Opcode Fuzzy Hash: 3a6c4e31d53326c81823c572986c1e6ad13544540c5104a37e1096c775ca5b02
Instruction Fuzzy Hash: 64816C71901218DFDB60DF68CC49B99B7B4EF45314F1882D9E81CAB292DB719E84CFA1

Function 00BE2390 Relevance: 6.1, APIs: 4, Instructions: 87timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(00000003,00000001,D02C6D11,?,?,?,?,00DA1D64,000000FF), ref: 00BE23D1
GetWindowLongW.USER32(00000003,000000FC), ref: 00BE23E6
SetWindowLongW.USER32(00000003,000000FC,?), ref: 00BE23F8
DeleteCriticalSection.KERNEL32(?,D02C6D11,?,?,?,?,00DA1D64,000000FF), ref: 00BE2423

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: LongWindow$CriticalDeleteKillSectionTimer
String ID:
API String ID: 1032004442-0
Opcode ID: 779d10cc014d432fe5649f6291334826b28ca5a2ca34a502c63f6389adfcb25a
Instruction ID: d1bd566c0ce7288778f108cca276972d18c5699942f1f225fce00fd63bdd1e1f
Opcode Fuzzy Hash: 779d10cc014d432fe5649f6291334826b28ca5a2ca34a502c63f6389adfcb25a
Instruction Fuzzy Hash: AD31C0B0A04646AFCB11DF69CC05B99BBF8FF05310F148259E828A37D1E771E914DBA0

Function 00BEDAC0 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 656COMMON

Download Yara Rule

APIs

Part of subcall function 00D74BA2: EnterCriticalSection.KERNEL32(00E87FD8,?,D02C6D11,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11,?,?), ref: 00D74BAD
Part of subcall function 00D74BA2: LeaveCriticalSection.KERNEL32(00E87FD8,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11,?,?,00000000), ref: 00D74BEA

__Init_thread_footer.LIBCMT ref: 00BEDB5E

Part of subcall function 00D74B58: EnterCriticalSection.KERNEL32(00E87FD8,D02C6D11,?,00BC9DD7,00E88C04,00DF7520), ref: 00D74B62
Part of subcall function 00D74B58: LeaveCriticalSection.KERNEL32(00E87FD8,?,00BC9DD7,00E88C04,00DF7520), ref: 00D74B95
Part of subcall function 00D74B58: RtlWakeAllConditionVariable.NTDLL ref: 00D74C0C

Strings

AiFeatIco, xrefs: 00BEDE4B
Icon, xrefs: 00BEDF23

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: AiFeatIco$Icon
API String ID: 2296764815-1280411655
Opcode ID: c460a63341d27cb7ccbce4177d642bc705e26000231ffe701fb5acf6930d4d45
Instruction ID: c77b65339f4d2d78e9bea03511d2170d88fc0b7aed9c61643ec63797a9284de5
Opcode Fuzzy Hash: c460a63341d27cb7ccbce4177d642bc705e26000231ffe701fb5acf6930d4d45
Instruction Fuzzy Hash: FC525870A00658DFDB24DF68CC59BEDBBF5EB49304F1442D9E419AB291DB70AA84CF90

Function 00BE4200 Relevance: 5.7, Strings: 4, Instructions: 720COMMON

Download Yara Rule

Strings

AI_CONTROL_VISUAL_STYLE_EX, xrefs: 00BE46F2
AI_NO_BORDER_NORMAL, xrefs: 00BE430E
AI_NO_BORDER_HOVER, xrefs: 00BE43CF
AI_CONTROL_VISUAL_STYLE, xrefs: 00BE426E

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
API String ID: 0-932585912
Opcode ID: c313934f052f8a43df5cf56ec1e4327023f9c56ce0c7f47d087181cdf9e7519f
Instruction ID: af2fe44e87a8bd2b59a5cafc67d3afd0ee294b19d85c74d0165cd9fa9ce3dde9
Opcode Fuzzy Hash: c313934f052f8a43df5cf56ec1e4327023f9c56ce0c7f47d087181cdf9e7519f
Instruction Fuzzy Hash: 0342E071D002688FDB18CF69C899BAEB7F1FF85300F14829DE455AB781D778A905CBA1

Function 00D0A8B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?), ref: 00D0A96C
FindClose.KERNEL32(00000000), ref: 00D0AAB7

Part of subcall function 00BC9980: RtlAllocateHeap.NTDLL(?,00000000,?,D02C6D11,00000000,00D9C6B0,000000FF,?,?,00E7C42C,00000000,00D1ECDB,80004005,D02C6D11,?,?), ref: 00BC99CA

Strings

%d.%d.%d.%d, xrefs: 00D0AA49

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID: %d.%d.%d.%d
API String ID: 1673784098-3491811756
Opcode ID: dd6105a3caef53559384c2e50505e391b29e2bd6e6950daa50dfe5b4ca6fbaf8
Instruction ID: 6136fc80b8ed5ce12447bdd4b3d4b6bb440c362e27cea3a46f3bb1db250a6710
Opcode Fuzzy Hash: dd6105a3caef53559384c2e50505e391b29e2bd6e6950daa50dfe5b4ca6fbaf8
Instruction Fuzzy Hash: 7B617C70A05219DFDF20DF28CD48B9DBBB4EF44314F1482D9E818AB291DB759A84CFA1

Function 00BE8080 Relevance: 5.4, Strings: 4, Instructions: 371COMMON

Download Yara Rule

Strings

MultipleInstancesProps, xrefs: 00BE829D
MultipleInstances, xrefs: 00BE81B9
ProductCode, xrefs: 00BE83F0
OldProductCode, xrefs: 00BE8460

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: MultipleInstances$MultipleInstancesProps$OldProductCode$ProductCode
API String ID: 0-469785651
Opcode ID: 32bb245fc376c4439ae2012487a995613647914fad9b55036205555671419b7b
Instruction ID: 3a9635a7d5f8915be351ab7a3f2a2c45a1c2fb6f08a27843f3130a84804b5030
Opcode Fuzzy Hash: 32bb245fc376c4439ae2012487a995613647914fad9b55036205555671419b7b
Instruction Fuzzy Hash: ADD1F575A00A41CBDB18CF59C895BAEB3F5FF54714F14829DE90AAB390EB30AD41CB90

Function 00D030D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

GetLocaleInfoW.KERNEL32(?,00000002,00E0446C,00000000), ref: 00D03141
GetLocaleInfoW.KERNEL32(?,00000002,00D02CC5,-00000001,00000078,-00000001), ref: 00D0317D

Strings

%d-%s, xrefs: 00D03187

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: InfoInit_thread_footerLocale$HeapProcess
String ID: %d-%s
API String ID: 1688948774-1781338863
Opcode ID: abdfbeef16b1cc44f55ec10ca9836b5f612570cbaa7b844f30380d2506f7de57
Instruction ID: c4f61774464f088ec0958b5942a9c15f23182a8aabb50808c97f8ac841cddbb8
Opcode Fuzzy Hash: abdfbeef16b1cc44f55ec10ca9836b5f612570cbaa7b844f30380d2506f7de57
Instruction Fuzzy Hash: F3317AB1A00605AFDB00DF98CC4ABAEFBB8EF44714F10856DE11AAB2D1DB755904CBA0

Function 00D719D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00D71916,0000001C,00D71B0B,00000000,?,?,?,?,?,?,?,00D71916,00000004,00E87A44,00D71B9B), ref: 00D719E2
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00D71916,00000004,00E87A44,00D71B9B), ref: 00D719FD

Strings

D, xrefs: 00D719F1

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: fb1f3edafca2d384d5f3606c1d2be41aa1374ca5df2ca22c10bbd1d1254bb683
Instruction ID: ad2fc7774415c8a7c02facf64a40ad48ec81aeca3d9cea9ab5e400fa01113e03
Opcode Fuzzy Hash: fb1f3edafca2d384d5f3606c1d2be41aa1374ca5df2ca22c10bbd1d1254bb683
Instruction Fuzzy Hash: 4C01F736A00209ABCF14DE29CC05BEE7BA9AFC4324F0CC221ED59D7244EA34D842C690

Function 00BDE6B0 Relevance: 4.6, APIs: 3, Instructions: 93COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 00BDE6FE
GetWindowLongW.USER32(00000004,000000FC), ref: 00BDE717
SetWindowLongW.USER32(00000004,000000FC,?), ref: 00BDE729

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: bf4bc824871e7b5827355c0e5d2e7a4008f66fb0e18e5ff8042f792b16e60855
Instruction ID: 998210fb047bf63c212e7b76067f63197746728184725c17da177b785b3af66a
Opcode Fuzzy Hash: bf4bc824871e7b5827355c0e5d2e7a4008f66fb0e18e5ff8042f792b16e60855
Instruction Fuzzy Hash: 2D415EB0605646EFDB10DF69C948B59FBE4FF04314F1042A9E428DBB90E776E924CBA0

Function 00D79913 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00D79A0B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00D79A15
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00D79A22

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 380d5305404c6450c993a49dce39144b07060b5fa72062bffd97363caa7fd16d
Instruction ID: 959ba8e2e300e430828daffbfc836e392f305bd26408701f55c480d5ea7cf8bd
Opcode Fuzzy Hash: 380d5305404c6450c993a49dce39144b07060b5fa72062bffd97363caa7fd16d
Instruction Fuzzy Hash: 3431C475901229ABCB21DF28D9897DDBBB8FF18310F5081EAE41CA7250E7709F858F55

Function 00BC9160 Relevance: 4.6, APIs: 3, Instructions: 65COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,D02C6D11,00000001,00000000,00000001,00000000,00D9C480,000000FF,BC9219EC,00BC910C,?,?,00000001,00000000,00000001), ref: 00BC918B
LockResource.KERNEL32(00000000,?,00000001,00000000,00000001,00000000,00D9CB30,000000FF,?,00BC92B0,?,?,00000000,8007000E,80004005,00CD06A6), ref: 00BC9196
SizeofResource.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00D9CB30,000000FF,?,00BC92B0,?,?,00000000,8007000E,80004005), ref: 00BC91A4

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 6c11c58119c00991160ce9cffcebf97a0ffcdc79e7285d6a29578a7f5e961df9
Instruction ID: 83ed78e8123a279d5aff71b757e379c9693a240b57e59d8d0f505d7ec7bc108b
Opcode Fuzzy Hash: 6c11c58119c00991160ce9cffcebf97a0ffcdc79e7285d6a29578a7f5e961df9
Instruction Fuzzy Hash: 77119436E04655ABD7359F69DC49F76F7E8E788B21F04496EEC1AE3240EA359800C690

Function 00BD7190 Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(0000001B,000000FC), ref: 00BD71A9
SetWindowLongW.USER32(0000001B,000000FC,?), ref: 00BD71B7
DestroyWindow.USER32(0000001B), ref: 00BD71E3

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Long$Destroy
String ID:
API String ID: 3055081903-0
Opcode ID: 34a16a482b53d8de2af7f540ee169408a8584aa622c201af4816ba0ce0d45c14
Instruction ID: 775df0aa69c295fe55364ce26013adaa079e01127c78d36f22dc7b05debd57dc
Opcode Fuzzy Hash: 34a16a482b53d8de2af7f540ee169408a8584aa622c201af4816ba0ce0d45c14
Instruction Fuzzy Hash: 36F0303000CF119FD7615F29ED05B82BBE0FF04721B108759E4EAA26E0EB30E844EB00

Function 00D0D180 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,D02C6D11), ref: 00D0D1DE

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

Strings

%04d-%02d-%02d %02d-%02d-%02d, xrefs: 00D0D220

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$HeapLocalProcessTime
String ID: %04d-%02d-%02d %02d-%02d-%02d
API String ID: 219929307-3768011868
Opcode ID: ca1b6850e93db62ef5024784b3681d31e9b9120063818db67ea05ae98670f065
Instruction ID: 0000000f1be296757b6c6b496dd9564f2bdfe3592e91638f82519ee28fade64c
Opcode Fuzzy Hash: ca1b6850e93db62ef5024784b3681d31e9b9120063818db67ea05ae98670f065
Instruction Fuzzy Hash: 68216BB1D00208AFDB14DF99D941BBEB7F8EB0C710F10426EF955A6280EB749940CBB5

Function 00BEF4E0 Relevance: 3.3, APIs: 2, Instructions: 257windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000102B,00000000,00000001), ref: 00BEF60B
SendMessageW.USER32(?,0000102B,?,-00000002), ref: 00BEF7F5

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 10802876bc2bbe224f23df1a6dda03b79ecca0fcb08a4b44b2c8bda4f0c056dd
Instruction ID: 89814a3809342260594d0de31d13effc571d6111193156831c6df4e33f4f3298
Opcode Fuzzy Hash: 10802876bc2bbe224f23df1a6dda03b79ecca0fcb08a4b44b2c8bda4f0c056dd
Instruction Fuzzy Hash: 3CB1CF71A00286AFDB18CF29C995BB9FBF5FB58304F1482A9E459DB291D730E940CB90

Function 00CDE5B0 Relevance: 3.1, APIs: 2, Instructions: 134windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,D02C6D11,?,?,?), ref: 00CDE5FB
GetLastError.KERNEL32(?,?,?), ref: 00CDE605

Part of subcall function 00BC9980: RtlAllocateHeap.NTDLL(?,00000000,?,D02C6D11,00000000,00D9C6B0,000000FF,?,?,00E7C42C,00000000,00D1ECDB,80004005,D02C6D11,?,?), ref: 00BC99CA

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AllocateErrorFormatHeapLastMessage
String ID:
API String ID: 4114510652-0
Opcode ID: af84429146716c159508aaeeef32c7603564cd5a92d599ade9b9dd6b74b6d5bb
Instruction ID: 71b8cbaadd544cc9d71643eca5e1a6bc09d1a4ccc7c9b335b081187790db824d
Opcode Fuzzy Hash: af84429146716c159508aaeeef32c7603564cd5a92d599ade9b9dd6b74b6d5bb
Instruction Fuzzy Hash: A741E172A012199FEB14DF98C805BBEFBF8EB54714F14426EE915EB380D7B59A00CB91

Function 00C310D0 Relevance: 3.1, APIs: 2, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 00C3113F
SetWindowLongW.USER32(00000000,000000FC,?), ref: 00C3114D

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ea9d5f37e535f1db5d29ff356011e19eb2d02d72bcd4f05621ccae32568d0461
Instruction ID: 7e079133faba36e2d9941d12fbc6572394b5ed4263104b563c10f20d95eb40a4
Opcode Fuzzy Hash: ea9d5f37e535f1db5d29ff356011e19eb2d02d72bcd4f05621ccae32568d0461
Instruction Fuzzy Hash: 24315971905605EFCB10DF69D984B9AFBB4FF05320F248269E824A76D1D731AA54CBA0

Function 00BFD8C0 Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 00BFD8C5
SetUnhandledExceptionFilter.KERNEL32(Function_0011A060), ref: 00BFD8DB

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: d3149049c30da9b8dfbcfe0341da19d38f84ca9a6229fcb10ea8c74854d93c5e
Instruction ID: cb8086a69c113c85da13c90a0040a3853383d9fa9bea9106112da971be8e93a4
Opcode Fuzzy Hash: d3149049c30da9b8dfbcfe0341da19d38f84ca9a6229fcb10ea8c74854d93c5e
Instruction Fuzzy Hash: EFD0C960D442885ED7015764D85AB342AE0E75570CF0880A9D54F12297E7B1A948E723

Function 00D8F711 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000000), ref: 00D8F93E

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5526f944c19fef83fceb60ed1e40148bea3a0e91dafe3ff92ae2ca5db274a9eb
Instruction ID: ba20735b13913a204ab77506528f1398bba53adbb6eb11ed09ea10b973d72665
Opcode Fuzzy Hash: 5526f944c19fef83fceb60ed1e40148bea3a0e91dafe3ff92ae2ca5db274a9eb
Instruction Fuzzy Hash: 6FB13B72610608DFD715EF28C486B697BA0FF45364F298668E8D9CF2A1C335E992CF50

Function 00C345B0 Relevance: 1.8, Strings: 1, Instructions: 521COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 00C34795, 00C34982

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ExceptionRaise__floor_pentium4
String ID: unordered_map/set too long
API String ID: 996205981-306623848
Opcode ID: 25279507a333e02f28c800c2bfca3f49bcbb63a3825710b6e1aefcda07793ec2
Instruction ID: 48d7df2f81812d58e104d6dc07cd64c3c4aa51674f2d315786dec6ecdcf259e8
Opcode Fuzzy Hash: 25279507a333e02f28c800c2bfca3f49bcbb63a3825710b6e1aefcda07793ec2
Instruction Fuzzy Hash: FF12D571A106099FCB19DF69C881AADF7F5FF48310F14826AE819EB391E735E941CB90

Function 00BE7AC0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,00BE60F7,?,?,?,?,?,?,?,?,00BE5F68,?,?), ref: 00BE7B10

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: e533e2e4ba8f9cf6ac48ffd74667c93449eb96b2fa16d2cb1cfa9b838dc9c52a
Instruction ID: 57a123ed96ac0f2f7c0ddfc61ca2f7c3e04eb2136b3020c3970e13c3a6c00f14
Opcode Fuzzy Hash: e533e2e4ba8f9cf6ac48ffd74667c93449eb96b2fa16d2cb1cfa9b838dc9c52a
Instruction Fuzzy Hash: 54F05E7004C1C1DED3119B69E8A8A69BBE6FB44306F5545F5E048CA160CB35CE85DB10

Function 00D91639 Relevance: .6, Instructions: 637COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5450c4532f2518c2d6e60402260440218dfc6abf276f860bcc4bfaa2d82ddb35
Instruction ID: 26d7eaaeede7fe26bc9799ffe42304d4355a6a69b07c9b625073ec689aef00c7
Opcode Fuzzy Hash: 5450c4532f2518c2d6e60402260440218dfc6abf276f860bcc4bfaa2d82ddb35
Instruction Fuzzy Hash: 38320425D29F424DDB239635C822336A38DAFB73C5F15D727F81AB5AA5EB29C4C34110

Function 00D7D24E Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25449c13d3e0b6ab8dc5af14b6fe67c1eae0926d239191d51921a16e5aba3b9e
Instruction ID: 6a1dc74998252c619ba6bfdc4fb7f28a32489a6f3bd63bbfa8afe93ea6a9acec
Opcode Fuzzy Hash: 25449c13d3e0b6ab8dc5af14b6fe67c1eae0926d239191d51921a16e5aba3b9e
Instruction Fuzzy Hash: A9E19D70A006058FCB24DF68C580AAEB7F2FF49314B28C659D49E9B291E730ED46CB75

Function 00BD5220 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1a292c9074e8f3ad43f0aaeb75a1f8ed3d2bea91d8b98820ddf71cfbda4b37
Instruction ID: 1fa0d4f6a6c042eb0565e4d3b30cb10deabab63fc2712a284bb96e694567f938
Opcode Fuzzy Hash: 6d1a292c9074e8f3ad43f0aaeb75a1f8ed3d2bea91d8b98820ddf71cfbda4b37
Instruction Fuzzy Hash: 5C7106B1801B48CFE761CF68C94478ABBF0BB15324F148A5DD4A99B3D1D3B9A648CB91

Function 00C7C330 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34ebfefba5dee1010bea64f825926128338549dfaa3a02ea68bd5e717389c62
Instruction ID: a01bfcfec1f7985700235c6e9984c436cc5f034cfe6aa2a0c857e0abe1f9139a
Opcode Fuzzy Hash: a34ebfefba5dee1010bea64f825926128338549dfaa3a02ea68bd5e717389c62
Instruction Fuzzy Hash: 594102B0905A49EED704CF69C50978AFBF0BB18318F20829DC4589B781C3BAA658CF95

Function 00BDE540 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a67ce0883cdb46397f7e81d590903b1ab1f062162d86c44898afc7161d12ab
Instruction ID: 71e1b9be6c514ce69b152b08afb8ef014801cd7c12f5a9c80e579b904b8a9fd2
Opcode Fuzzy Hash: e8a67ce0883cdb46397f7e81d590903b1ab1f062162d86c44898afc7161d12ab
Instruction Fuzzy Hash: EE31EEB0405B84CEE321CF29C658347BFF0AB05718F108A4DD4A69BB91D3BAA148CB91

Function 00BD78B0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69445873855bae0780beee7a3b75dbb3f09ebde6af1b8dd149be650770f94e41
Instruction ID: 24c6f822751b701a457ccedbd0d5f79959226a985f2d73a603d4ff6a9c062a0d
Opcode Fuzzy Hash: 69445873855bae0780beee7a3b75dbb3f09ebde6af1b8dd149be650770f94e41
Instruction Fuzzy Hash: 082158B0804788CFD710CF69C90478ABBF4FF19314F1186AED455AB791E3B9AA48CB90

Function 00BF58F0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0e8fd240882943e50863a948bb6fa7887c503df4d17fcab2198344c17d3062
Instruction ID: 4611ef2e7ff2b8b85d1190e9979835009ee419a5df56a3a7dd3d061126bce4fc
Opcode Fuzzy Hash: 4f0e8fd240882943e50863a948bb6fa7887c503df4d17fcab2198344c17d3062
Instruction Fuzzy Hash: 031100B1905648DFC740CF58D544749BBF4FB09328F20829EE8589B381D3769A0ACF84

Function 00D8E8FB Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7871ab521024230df33042c282f47fad6692079f1d464b2380a95c50054ea99e
Instruction ID: 4ae6b9c9b5008c25ab281dd3e7de75c8c58ff3dd18a5cb13e93d6d547a774844
Opcode Fuzzy Hash: 7871ab521024230df33042c282f47fad6692079f1d464b2380a95c50054ea99e
Instruction Fuzzy Hash: CCF0A932A11220EFCB66FB48C905A9873A8EB45F21F1510A6E404EB291C6B0DE00CFE0

Function 00D8E93F Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a31a1b2c87d20f6f1ccd6e3f5e56cdbfee1b29986efbea090f4dac1cf3a30c
Instruction ID: cf23967752ba5cbf9bb0c12a7e4d89c75f2aa1d1869851dd0f7e5d18a9126296
Opcode Fuzzy Hash: 52a31a1b2c87d20f6f1ccd6e3f5e56cdbfee1b29986efbea090f4dac1cf3a30c
Instruction Fuzzy Hash: D3E0EC72911228EBCB25EB99C94498AF3ECEB45B51B154996F501E3211D2B0DE41CFE0

Function 00BD71F0 Relevance: 33.7, APIs: 17, Strings: 2, Instructions: 460stringCOMMON

Download Yara Rule

APIs

RedrawWindow.USER32(?,00000000,00000000,00000507,D02C6D11), ref: 00BD727E
IsWindow.USER32(?), ref: 00BD7290
GetParent.USER32(?), ref: 00BD72D1
lstrcmpW.KERNEL32(?,#32770), ref: 00BD72F1

Strings

#32770, xrefs: 00BD72E8
h, xrefs: 00BDA512

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$ParentRedrawlstrcmp
String ID: #32770$h
API String ID: 3033045798-2263804114
Opcode ID: b51fe709115219b45a0e60ea14c39af1ec5401bc9732175e845cb8ebb6745ec6
Instruction ID: 8d64263bb06b8590385c7540e70331b07e8f5b6bba15f48520cf5974c0f7fb1b
Opcode Fuzzy Hash: b51fe709115219b45a0e60ea14c39af1ec5401bc9732175e845cb8ebb6745ec6
Instruction Fuzzy Hash: 9E026D70A442099FDB11CFA4D848BEEBBF5EF49314F24859AE415A7390FB35E944CB21

Function 00D14100 Relevance: 30.1, APIs: 9, Strings: 8, Instructions: 335COMMON

Download Yara Rule

Strings

Unable to find file , xrefs: 00D14133
powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 00D1425F
Unable to retrieve PowerShell output from file: , xrefs: 00D1445E
Unable to get a temp file for script output, temp path: , xrefs: 00D1420F
Unable to retrieve exit code from process., xrefs: 00D14481
Unable to create process: , xrefs: 00D14304
ps1, xrefs: 00D141A6, 00D141B8, 00D141C2
txt, xrefs: 00D141D3

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
API String ID: 0-4129021124
Opcode ID: 1e69738ab73f26600d619e04f3554ecda5be465c952309a547397bc7406f4c97
Instruction ID: 4d6c47d9d67c3bdf158bf6ff8ed809e2fe91ada42da3e38edd7fd846bee7e713
Opcode Fuzzy Hash: 1e69738ab73f26600d619e04f3554ecda5be465c952309a547397bc7406f4c97
Instruction Fuzzy Hash: 6FC1AE71D01649EBDB10DFA8DD49BEEFBF4AF05320F148259F514A7291DB74AA80CBA0

Function 00CE6CC0 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 259COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000001F6), ref: 00CE6D0E
GetDlgItem.USER32(?,000001F8), ref: 00CE6D1B
GetDlgItem.USER32(?,000001F7), ref: 00CE6D6C
SetWindowTextW.USER32(00000000,00000000), ref: 00CE6D7B
ShowWindow.USER32(?,00000005), ref: 00CE6DE1
GetDlgItem.USER32(?,000001F7), ref: 00CE6E03
SetWindowTextW.USER32(00000000,00000000), ref: 00CE6E12
ShowWindow.USER32(?,00000000), ref: 00CE6E77
ShowWindow.USER32(?,00000000), ref: 00CE6E7E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000616), ref: 00CE6EC7
GetDlgItem.USER32(?,00000000), ref: 00CE6EF9
IsWindow.USER32(00000000), ref: 00CE6F03
SetWindowPos.USER32(?,00000000,10C25DE5,01F66800,76FF0000,E815FF24,00000014,?,00000000,?,?,00000616), ref: 00CE6F50

Strings

Details <<, xrefs: 00CE6D53
Details >>, xrefs: 00CE6DEA

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Item$Show$Text
String ID: Details <<$Details >>
API String ID: 2476474966-3763984547
Opcode ID: 430441012899184a5511a458805b8344119a5887c305d7bd69799ad4d58fc49f
Instruction ID: 91634416d679af3174f0f206bb40440de2911378b456215831ed65f8267c78c0
Opcode Fuzzy Hash: 430441012899184a5511a458805b8344119a5887c305d7bd69799ad4d58fc49f
Instruction Fuzzy Hash: A791AE71E10245AFDF049FA9DC95BAEBBB1EF18310F248219F515B7690D730A990CBA0

Function 00CE69C0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CDE740: LoadLibraryW.KERNEL32(ComCtl32.dll,D02C6D11,?,00000000,00000000), ref: 00CDE77E
Part of subcall function 00CDE740: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00CDE7A1
Part of subcall function 00CDE740: FreeLibrary.KERNEL32(00000000), ref: 00CDE81F

GetDlgItem.USER32(?,000001F4), ref: 00CE6A01
SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 00CE6A12
GetDC.USER32(00000000), ref: 00CE6A1A
GetDeviceCaps.GDI32(00000000), ref: 00CE6A21
MulDiv.KERNEL32(00000009,00000000), ref: 00CE6A2A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Courier New), ref: 00CE6A53
GetDlgItem.USER32(?,000001F6), ref: 00CE6A64
IsWindow.USER32(00000000), ref: 00CE6A6D
SendMessageW.USER32(00000000,00000030,?,00000000), ref: 00CE6A84
GetDlgItem.USER32(?,000001F8), ref: 00CE6A8E
GetWindowRect.USER32(?,?), ref: 00CE6A9F
GetWindowRect.USER32(?,?), ref: 00CE6AB2
GetWindowRect.USER32(00000000,?), ref: 00CE6AC2

Strings

Courier New, xrefs: 00CE6A30

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$ItemRect$LibraryMessageSend$AddressCapsCreateDeviceFontFreeLoadProc
String ID: Courier New
API String ID: 1731048342-2572734833
Opcode ID: 59eaee69b245a3bbedca2c8a34cd256f6d67bb35ff2c79c759270fc148af3802
Instruction ID: 1da0e4256caf6fd982f3bf7294e9b789e35f84419095054db6e98ac1d62c7d62
Opcode Fuzzy Hash: 59eaee69b245a3bbedca2c8a34cd256f6d67bb35ff2c79c759270fc148af3802
Instruction Fuzzy Hash: 8841D771B843047FEB14AF25CC46FAE7BA9EF48B04F110529BB09BA1C1DAB0AC448B55

Function 00D20BB0 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 390libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Advapi32.dll,D02C6D11), ref: 00D20C41
GetLastError.KERNEL32 ref: 00D20C6F

Part of subcall function 00BC9980: RtlAllocateHeap.NTDLL(?,00000000,?,D02C6D11,00000000,00D9C6B0,000000FF,?,?,00E7C42C,00000000,00D1ECDB,80004005,D02C6D11,?,?), ref: 00BC99CA

GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 00D20C85
FreeLibrary.KERNEL32(00000000), ref: 00D20C9E
GetLastError.KERNEL32 ref: 00D20CAB
GetLastError.KERNEL32 ref: 00D20E99
GetLastError.KERNEL32 ref: 00D20EFE

Strings

ConvertStringSidToSidW, xrefs: 00D20C7F
Advapi32.dll, xrefs: 00D20C3C

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorLast$Library$AddressAllocateFreeHeapLoadProc
String ID: Advapi32.dll$ConvertStringSidToSidW
API String ID: 3460774402-1129428314
Opcode ID: 4a3374796e18f20be2dbfd248d197d0b9efc9244a90f95e75046e4f70980d0a9
Instruction ID: 4296696888ae840c8096b8ea30cf37e30d88b48a63961fb1b5770b2c179c83b8
Opcode Fuzzy Hash: 4a3374796e18f20be2dbfd248d197d0b9efc9244a90f95e75046e4f70980d0a9
Instruction Fuzzy Hash: 0CF16BB1C01219ABDB10CF94D945BEEFBB4FF28314F248219E914B7291E771AA45CBB1

Function 00D0E0A0 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D20BB0: LoadLibraryW.KERNEL32(Advapi32.dll,D02C6D11), ref: 00D20C41
Part of subcall function 00D20BB0: GetLastError.KERNEL32 ref: 00D20C6F

LocalFree.KERNEL32(00000000,Everyone,10000000,00000000,D02C6D11), ref: 00D0E152
LocalFree.KERNEL32(00000000,Everyone,10000000,00000000,D02C6D11), ref: 00D0E163
LocalAlloc.KERNEL32(00000040,00000014), ref: 00D0E1D8
GetLastError.KERNEL32 ref: 00D0E1F6
LocalFree.KERNEL32(00000000), ref: 00D0E207
GetLastError.KERNEL32 ref: 00D0E226
LocalFree.KERNEL32(00000000), ref: 00D0E237
CreateDirectoryW.KERNEL32(?,?), ref: 00D0E260
LocalFree.KERNEL32(00000000,Everyone,10000000,00000000,D02C6D11), ref: 00D0E2B4
LocalFree.KERNEL32(00000000,Everyone,10000000,00000000,D02C6D11), ref: 00D0E317
LocalFree.KERNEL32(00000000,Everyone,10000000,00000000,D02C6D11), ref: 00D0E321

Strings

Everyone, xrefs: 00D0E13A

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Local$Free$ErrorLast$AllocCreateDirectoryLibraryLoad
String ID: Everyone
API String ID: 1481213927-3285609282
Opcode ID: a260756a76b24f8138fe2959535d57744b3854a6f1ad214c23ef644c70fd9ad4
Instruction ID: 2e8f12ca2d4c84c68c3529897894f235d8749be2e9d8fa9a0d71b3188e7d631a
Opcode Fuzzy Hash: a260756a76b24f8138fe2959535d57744b3854a6f1ad214c23ef644c70fd9ad4
Instruction Fuzzy Hash: 91911AB1E00249ABEF24DFE5D958B9EFBB8AF04704F144519E405EB290DB759904CFA1

Function 00BF64D0 Relevance: 22.7, APIs: 15, Instructions: 178windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000318,00000000,00000004), ref: 00BF6537
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00BF6545
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00BF655F
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BF6577
SendMessageW.USER32(?,0000130A,00000000,?), ref: 00BF65A8
CreateRectRgn.GDI32(?,?,?,?), ref: 00BF65E2
DeleteObject.GDI32(00000000), ref: 00BF65F9
GetClientRect.USER32(?,?), ref: 00BF6615
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 00BF6640
CreateRectRgn.GDI32(?,?,?,?), ref: 00BF665D
SelectClipRgn.GDI32(00000000,00000000), ref: 00BF6674
GetParent.USER32(?), ref: 00BF6684
SendMessageW.USER32(00000000,00000136,?,?), ref: 00BF6695
DeleteObject.GDI32(00000000), ref: 00BF66AB
DeleteObject.GDI32(?), ref: 00BF66B0

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageRectSend$Create$DeleteObject$ClientClipParentSelect
String ID:
API String ID: 1236051970-0
Opcode ID: 808dacabb92810b01c32a3cad4b18287f63876c59e1b8f331461dbb494dc3c65
Instruction ID: 72be50fcf9f55b118e09cc8398272b82e90d211fd6dd97fa0e3fb7c99faf0e95
Opcode Fuzzy Hash: 808dacabb92810b01c32a3cad4b18287f63876c59e1b8f331461dbb494dc3c65
Instruction Fuzzy Hash: 5C611A71904618AFDB129FE5CD49FAEBBB9FF48710F240119FA19BB2A0D770A905CB50

Function 00CF8270 Relevance: 21.4, APIs: 4, Strings: 8, Instructions: 439COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,D02C6D11), ref: 00CF82D9
IsWow64Process.KERNEL32(00000000), ref: 00CF82E0

Part of subcall function 00CDAB00: _wcsrchr.LIBVCRUNTIME ref: 00CDAB39

_wcsrchr.LIBVCRUNTIME ref: 00CF8361
_wcsrchr.LIBVCRUNTIME ref: 00CF83F7

Strings

/i //, xrefs: 00CF84AF
TRANSFORMS=":%d", xrefs: 00CF8450
/fvomus //, xrefs: 00CF84AA, 00CF84FF, 00CF8500
.x64, xrefs: 00CF8342
"%s" , xrefs: 00CF859D
EXE_CMD_LINE="%s ", xrefs: 00CF8682
/p //, xrefs: 00CF84A1
%s AI_SETUPEXEPATH="%s" SETUPEXEDIR="%s", xrefs: 00CF862F

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: _wcsrchr$Process$CurrentWow64
String ID: "%s" $ /fvomus //$ /i //$ /p //$ EXE_CMD_LINE="%s "$ TRANSFORMS=":%d"$%s AI_SETUPEXEPATH="%s" SETUPEXEDIR="%s"$.x64
API String ID: 657290924-2074823060
Opcode ID: 7180437b454416a7982feacee5c57dd033b6419f50d3b554c2e77247ca1205f4
Instruction ID: 388453374f554fe75b771e661f3de654c7af1b751900fbdfe8872f7475a76a02
Opcode Fuzzy Hash: 7180437b454416a7982feacee5c57dd033b6419f50d3b554c2e77247ca1205f4
Instruction Fuzzy Hash: A0F1B231A006099FEB14DF68C849BAEB7E5FF45310F14826DE925AB2D1DB74DE04CBA1

Function 00C36CB0 Relevance: 21.2, APIs: 14, Instructions: 170COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00C36CF7
GetParent.USER32 ref: 00C36D0D
GetWindowRect.USER32(?,?), ref: 00C36D18
GetParent.USER32(?), ref: 00C36D20
GetClientRect.USER32(00000000,?), ref: 00C36D2F
GetClientRect.USER32(?,?), ref: 00C36D38
MapWindowPoints.USER32(00000002,00000000,?,00000002), ref: 00C36D44
GetWindow.USER32(?,00000004), ref: 00C36D52
GetWindowRect.USER32(?,?), ref: 00C36D60
GetWindowLongW.USER32(00000000,000000F0), ref: 00C36D6D
MonitorFromWindow.USER32(?,00000002), ref: 00C36D85
GetMonitorInfoW.USER32(00000000,00000004), ref: 00C36D9F
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 00C36E4D

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Rect$ClientLongMonitorParent$FromInfoPoints
String ID:
API String ID: 3127921553-0
Opcode ID: e5b661e181b3451854a2653bf90822c4c966cb339d96cdbdc4e4289f93bd5931
Instruction ID: 78e4a94d703320a2361b444a278b389fc7369f2f438cdfe88b5cb57361afed42
Opcode Fuzzy Hash: e5b661e181b3451854a2653bf90822c4c966cb339d96cdbdc4e4289f93bd5931
Instruction Fuzzy Hash: 93517272E04519AFDB21CFA9CD45AEDBBB9FB48710F244229E815F3294DB30AD05CB90

Function 00CE9470 Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 410libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00D03C70: GetSystemDefaultLangID.KERNEL32(D02C6D11,?,?,?,?), ref: 00D03CA6

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 00CE95D3
GetProcAddress.KERNEL32(00000000), ref: 00CE95DA
__Init_thread_footer.LIBCMT ref: 00CE95F1
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000000), ref: 00CE9610

Strings

An acceptable version was found., xrefs: 00CE98C3, 00CE98C4
kernel32, xrefs: 00CE95CE
Searching for:, xrefs: 00CE96C9
Search result:, xrefs: 00CE9849
Undefined, xrefs: 00CE98AA
Wrong OS or Os language for:, xrefs: 00CE993B
IsWow64Process2, xrefs: 00CE95C9

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AddressCurrentDefaultHandleInit_thread_footerLangModuleProcProcessSystem
String ID: An acceptable version was found.$IsWow64Process2$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$kernel32
API String ID: 52476621-1658165007
Opcode ID: 9d5495be60075df415ffda9d94fdce148d22a5ac0cbb3640b6c89d81e5b4a076
Instruction ID: 7d56ff500381ac5d6fc927670f18b22081be46c2d12f0e74f94b07da813fac25
Opcode Fuzzy Hash: 9d5495be60075df415ffda9d94fdce148d22a5ac0cbb3640b6c89d81e5b4a076
Instruction Fuzzy Hash: 9EF1B070A00644CFDB20DFAAC885BAEB7F5FF44314F14825DE46AAB2D2DB34A945CB50

Function 00CE4730 Relevance: 19.6, APIs: 6, Strings: 5, Instructions: 340threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00E8944C,D02C6D11,?,?,00000000), ref: 00CE4852
EnterCriticalSection.KERNEL32(?,D02C6D11,?,?,00000000,?,?,?,?,?,00000000,00DDD8F7,000000FF), ref: 00CE4864
GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,00DDD8F7,000000FF), ref: 00CE4871
GetCurrentThread.KERNEL32 ref: 00CE487C
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,00E0446C,00000000), ref: 00CE4AAE
LeaveCriticalSection.KERNEL32(?,00000000), ref: 00CE4BDC

Strings

*** Stack Trace (x86) ***, xrefs: 00CE49AD
rw, xrefs: 00CE4BDC
<--------------------MORE--FRAMES-------------------->, xrefs: 00CE4A52
MODULE_BASE_ADDRESS, xrefs: 00CE4AFB
[0x%.8Ix] , xrefs: 00CE4550, 00CE4AB5

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$Current$EnterHandleInitializeLeaveModuleProcessThread
String ID: *** Stack Trace (x86) ***$ rw$<--------------------MORE--FRAMES-------------------->$MODULE_BASE_ADDRESS$[0x%.8Ix]
API String ID: 3051236879-1326870248
Opcode ID: 50dafd7753fa13a2f97d4aa7847d81eb37137f07ea4a5a0fda728341f6dbccb1
Instruction ID: 19037e7f99021efaacdc1b6d79af54606569e7a04f97ccd465055f2050500976
Opcode Fuzzy Hash: 50dafd7753fa13a2f97d4aa7847d81eb37137f07ea4a5a0fda728341f6dbccb1
Instruction Fuzzy Hash: 1BD19B71A003889FDF29DF64CC55BEE7BB8EF45308F104158E959AB281DB759B09CBA0

Function 00CE47E0 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 265threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00E8944C,D02C6D11,?,?,00000000), ref: 00CE4852
EnterCriticalSection.KERNEL32(?,D02C6D11,?,?,00000000,?,?,?,?,?,00000000,00DDD8F7,000000FF), ref: 00CE4864
GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,00DDD8F7,000000FF), ref: 00CE4871
GetCurrentThread.KERNEL32 ref: 00CE487C
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,00E0446C,00000000), ref: 00CE4AAE
LeaveCriticalSection.KERNEL32(?,00000000), ref: 00CE4BDC

Strings

*** Stack Trace (x86) ***, xrefs: 00CE49AD
rw, xrefs: 00CE4BDC
<--------------------MORE--FRAMES-------------------->, xrefs: 00CE4A52
MODULE_BASE_ADDRESS, xrefs: 00CE4AFB
[0x%.8Ix] , xrefs: 00CE4AB5

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$Current$EnterHandleInitializeLeaveModuleProcessThread
String ID: *** Stack Trace (x86) ***$ rw$<--------------------MORE--FRAMES-------------------->$MODULE_BASE_ADDRESS$[0x%.8Ix]
API String ID: 3051236879-1326870248
Opcode ID: a0b5d6eba83714853ecb417ce64b9adcff1a6f1bcffe915970f3d80afa479c43
Instruction ID: 4008b81562fce83238aac812ed7d955732ed60b657b733121ea7adbb55e43a89
Opcode Fuzzy Hash: a0b5d6eba83714853ecb417ce64b9adcff1a6f1bcffe915970f3d80afa479c43
Instruction Fuzzy Hash: 00B1BB719003889FDF2ADF64CC59BEE7BB8EF44308F104158E959AB281DB755B08CB60

Function 00BF4DB0 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,D02C6D11), ref: 00BF4E38

Part of subcall function 00BD68F0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00BD6926

SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00BF4F3B
SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00BF4F4F
SendMessageW.USER32(00000000,00000421,00000003,?), ref: 00BF4F64
SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00BF4F79
SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00BF4F90
ClientToScreen.USER32(?,?), ref: 00BF4FB0
GetWindowRect.USER32(?,?), ref: 00BF4FC2
SendMessageW.USER32(00000000,00000412,00000000), ref: 00BF5024
SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00BF5034

Strings

tooltips_class32, xrefs: 00BF4E32

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend$Window$ClientCreateLongRectScreen
String ID: tooltips_class32
API String ID: 1468030502-1918224756
Opcode ID: c5a6734ca5217be1651ff237b2d532a67a83dde9022da083d511aebc08534ba9
Instruction ID: db677df2496501de6be954bea04ba4802e5e940339b04c0f9a9f94d46f607668
Opcode Fuzzy Hash: c5a6734ca5217be1651ff237b2d532a67a83dde9022da083d511aebc08534ba9
Instruction Fuzzy Hash: C1913F71A00648AFDB14CFA5CD95FAEBBF9FB48300F14452AF656EB290D774A908CB50

Function 00BDF8C0 Relevance: 18.3, APIs: 12, Instructions: 336windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BDF914
GetWindowRect.USER32(?,?), ref: 00BDF9F3
GetClientRect.USER32(?,?), ref: 00BDFA05
GetWindowDC.USER32(?), ref: 00BDFA17
CreateCompatibleDC.GDI32(00000000), ref: 00BDFA44
CreateCompatibleBitmap.GDI32(00000000), ref: 00BDFA86
SelectObject.GDI32(00000000,00000000), ref: 00BDFA95

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: RectWindow$CompatibleCreate$BitmapClientObjectSelect
String ID:
API String ID: 2032541772-0
Opcode ID: 8cb12c18bd158c45155b8065a23b1d6da436145d9ea1e8ef41c8d34535ed55ed
Instruction ID: a25af0dfd0c279bb47812ea7a00909fbc5edb418522e6706a85021d350fa49a0
Opcode Fuzzy Hash: 8cb12c18bd158c45155b8065a23b1d6da436145d9ea1e8ef41c8d34535ed55ed
Instruction Fuzzy Hash: 5BE12A71D04219DFDB21CFA5CD48BAEFBF8EF19700F2442AAE849A7251E7709A44CB51

Function 00D19380 Relevance: 18.3, APIs: 12, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067982d9dd01f7e330295fc4557f7818684c38e705236cf9b2651c6d386ad1dc
Instruction ID: 7df7158d5cd2e550e589f33707bf7e0e67e9b00e103be8170dc210bf44293f26
Opcode Fuzzy Hash: 067982d9dd01f7e330295fc4557f7818684c38e705236cf9b2651c6d386ad1dc
Instruction Fuzzy Hash: BCA11471604205EFEB10AF65ECA5FEABBA4EF44310F244169F909AB2D1DB71D840CB74

Function 00D1D8D0 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,00D0098B,?,?,?,?,?), ref: 00D1D8E5

Strings

tB, xrefs: 00D1D8F7, 00D1D8FD
InitExtraction, xrefs: 00D1D91D
ExtractAllFiles, xrefs: 00D1D937
EndExtraction, xrefs: 00D1D949
GetTotalFilesSize, xrefs: 00D1D925

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: LibraryLoad
String ID: EndExtraction$ExtractAllFiles$GetTotalFilesSize$InitExtraction$tB
API String ID: 1029625771-137316502
Opcode ID: 0acde38dd10a6b977757212c08e057d6d308e05a023e9be0376afad9a9b9c68b
Instruction ID: d4387b1c7eb43746d19dd151b44ab61784c7c96eabee47a1cc9b01cacfc1c12e
Opcode Fuzzy Hash: 0acde38dd10a6b977757212c08e057d6d308e05a023e9be0376afad9a9b9c68b
Instruction Fuzzy Hash: 4401B1B9D05361AFCB10EFA2FC0C9657FA1F758315305611AEA1AB3362CB314849CFA4

Function 00BD54B0 Relevance: 16.6, APIs: 11, Instructions: 139windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00BD54EE
FillRect.USER32(00000000,?,00000000), ref: 00BD550D
DeleteObject.GDI32(00000000), ref: 00BD5514
GetClientRect.USER32(?,?), ref: 00BD556F
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00BD5588
CreateCompatibleDC.GDI32(00000000), ref: 00BD5595
SelectObject.GDI32(00000000,00000000), ref: 00BD55A7
FillRect.USER32(00000000,?,00000000), ref: 00BD55D0
DeleteObject.GDI32(?), ref: 00BD55DA
SelectObject.GDI32(00000000,?), ref: 00BD5622
DeleteDC.GDI32(00000000), ref: 00BD5629

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ObjectRect$Delete$ClientCompatibleCreateFillSelect$Bitmap
String ID:
API String ID: 441990398-0
Opcode ID: ef2c530ecb8af65faf77d984ee1c9e2afddbf214c80a7c1633ba624005915140
Instruction ID: 8ea89ceba5c84a3f84514e75ab8344353d09a44a7427cc232fcbb3c335b642f3
Opcode Fuzzy Hash: ef2c530ecb8af65faf77d984ee1c9e2afddbf214c80a7c1633ba624005915140
Instruction Fuzzy Hash: AA418772104701AFD3229F65DC49F6BBBE9FB88701F10496DF99AD2160EB71E804DB21

Function 00D0EAB0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 319synchronizationfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

DeleteFileW.KERNEL32(?,00CF21E0,?,?,00000000,?,?,00CF21E0), ref: 00D0EDBA

Part of subcall function 00BC92A0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,00000000,8007000E,80004005,00CD06A6,00000000,00000002,00000001,?,?,80070057,?), ref: 00BC92C3

Part of subcall function 00BC9980: RtlAllocateHeap.NTDLL(?,00000000,?,D02C6D11,00000000,00D9C6B0,000000FF,?,?,00E7C42C,00000000,00D1ECDB,80004005,D02C6D11,?,?), ref: 00BC99CA

ResetEvent.KERNEL32(00000000,D02C6D11,?,?,00000000,00DE614D,000000FF,?,80004005), ref: 00D0EE4F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00DE614D,000000FF,?,80004005), ref: 00D0EE6F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,00DE614D,000000FF,?,80004005), ref: 00D0EE7A

Strings

http://www.example.com, xrefs: 00D0EC1F
tin9999.tmp, xrefs: 00D0EC09
http://www.google.com, xrefs: 00D0EC0E
http://www.yahoo.com, xrefs: 00D0EC18
TEST, xrefs: 00D0EC02

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: HeapInit_thread_footerObjectSingleWait$AllocateDeleteEventFileFindProcessResetResource
String ID: TEST$http://www.example.com$http://www.google.com$http://www.yahoo.com$tin9999.tmp
API String ID: 3248508590-625802988
Opcode ID: 7c34ab08ecf4aefeb3c7d8a69a0fe08ae149b21f79de5409c4f2c4a6a6698ec1
Instruction ID: f1f9b88206c882d3d67adb69b522f73a29fabfbffb46ea461863ae60c290a8b3
Opcode Fuzzy Hash: 7c34ab08ecf4aefeb3c7d8a69a0fe08ae149b21f79de5409c4f2c4a6a6698ec1
Instruction Fuzzy Hash: 56C1D371901249DFDB14DF68CD19BEEB7B4EF45310F1486ADE81AA72D1DB70AA04CBA0

Function 00D0E730 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 302libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97A10: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00C97A51

GetLastError.KERNEL32(D02C6D11,?,?,?,?,?,00DE602D,000000FF), ref: 00D0E79D
GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 00D0E92D
GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 00D0E986
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00DE602D,000000FF), ref: 00D0EA74

Strings

Kernel32.dll, xrefs: 00D0E771
x86, xrefs: 00D0E7E5
x64, xrefs: 00D0E816
GetPackagePath, xrefs: 00D0E927, 00D0E980
neutral, xrefs: 00D0E832

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AddressProc$DirectoryErrorFreeLastLibrarySystem
String ID: GetPackagePath$Kernel32.dll$neutral$x64$x86
API String ID: 2155880084-4043905686
Opcode ID: 5b85744f18ad7627a6e51c37e1e91d84db7f47d9e71f151d0aa78830faf1b011
Instruction ID: e6e75aa25726a9072532eb8d6329ed0824a5ce0fa80e2c99fcb09a29a35e79a6
Opcode Fuzzy Hash: 5b85744f18ad7627a6e51c37e1e91d84db7f47d9e71f151d0aa78830faf1b011
Instruction Fuzzy Hash: E2C15A70A01209DFDB14CFA8C988B9DBBF1FF48314F18856DE409EB291EB719945CBA0

Function 00CF06D0 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 00CE5290: LoadLibraryW.KERNEL32(Shlwapi.dll,?,?,?,?,00CF0731,?,D02C6D11,?,?), ref: 00CE52AB
Part of subcall function 00CE5290: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00CE52C1
Part of subcall function 00CE5290: FreeLibrary.KERNEL32(00000000), ref: 00CE52FA

GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104,D02C6D11,?,?), ref: 00CF0910

Strings

APPDATA, xrefs: 00CF0907, 00CF090F
PROGRAMFILES, xrefs: 00CF08ED
Shell32.dll, xrefs: 00CF0753
ProgramFilesFolder, xrefs: 00CF0797
AppDataFolder, xrefs: 00CF0878, 00CF08B5
ProgramFiles, xrefs: 00CF0810, 00CF0825, 00CF082D
AI_BOOTSTRAPPERLANGS, xrefs: 00CF09E2, 00CF0A2A
Shlwapi.dll, xrefs: 00CF0727

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Library$AddressEnvironmentFreeLoadProcVariable
String ID: AI_BOOTSTRAPPERLANGS$APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFilesFolder$Shell32.dll$Shlwapi.dll
API String ID: 788177547-1020860216
Opcode ID: faa564ac7486cc1e1df2e99e966c0fe3bbb4487a329f8dfa4dc85ee2c20806ad
Instruction ID: 539e38c46e10ced15ee3610929efd22edc40bf0b8ed2be890dc4a3fde720b600
Opcode Fuzzy Hash: faa564ac7486cc1e1df2e99e966c0fe3bbb4487a329f8dfa4dc85ee2c20806ad
Instruction Fuzzy Hash: C09118716002099BDB54EF24CC45BFAB3A5FF60B50F2045AAE926D7292E731DE44CB91

Function 00BF3970 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 124windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 00BF39E5
lstrcpynW.KERNEL32(?,?,00000020), ref: 00BF3A5B
GetDC.USER32(?), ref: 00BF3A7E
GetDeviceCaps.GDI32(00000000), ref: 00BF3A85
MulDiv.KERNEL32(?,00000048,00000000), ref: 00BF3A98
SendMessageW.USER32(?,00000444,00000000,00000074), ref: 00BF3ACA
DeleteObject.GDI32(?), ref: 00BF3B06

Strings

?, xrefs: 00BF3A9E
t, xrefs: 00BF3AA6

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend$CapsDeleteDeviceObjectlstrcpyn
String ID: ?$t
API String ID: 2619291461-1995845436
Opcode ID: 7d56524b78bc3b26bd9ab8ff87d95a83daaf9dbd65108172413c29af918fe44b
Instruction ID: c939ae817acf21ed7fac0a312e66d34c1798b15653b824c54cbffa2834bc1ab7
Opcode Fuzzy Hash: 7d56524b78bc3b26bd9ab8ff87d95a83daaf9dbd65108172413c29af918fe44b
Instruction Fuzzy Hash: 31512D71508340AFE721DF65DC49BABBBE8EB88701F00492DF6D9D6191E774E608CB62

Function 00BD5050 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 119COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00E8957C,D02C6D11,00000000,?,?,?,?,?,?,00BD487E,00D9F9CD,000000FF), ref: 00BD508D
LoadCursorW.USER32(00000000,00007F00), ref: 00BD5108
LoadCursorW.USER32(00000000,00007F00), ref: 00BD51AE
LeaveCriticalSection.KERNEL32(00E8957C), ref: 00BD5203

Strings

AtlAxWinLic140, xrefs: 00BD516F, 00BD51C5
AtlAxWin140, xrefs: 00BD50BF, 00BD5123
WM_ATLGETHOST, xrefs: 00BD5099
WM_ATLGETCONTROL, xrefs: 00BD50A4
rw, xrefs: 00BD5203

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalCursorLoadSection$EnterLeave
String ID: rw$AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST
API String ID: 3727441302-2892086221
Opcode ID: bbec46317277f22efd40dfe5c6ff83fd0a25cf3b044cabe8611e4952c26ab7d8
Instruction ID: 99c31a88159228a3434b9843abaa75a2a601e2fe66c3ba05457d7ef216eb9126
Opcode Fuzzy Hash: bbec46317277f22efd40dfe5c6ff83fd0a25cf3b044cabe8611e4952c26ab7d8
Instruction Fuzzy Hash: 745126B1C45219AFDB11DF99DC4579EBBF8EB08304F14015AE408B7380EBB49A488FA0

Function 00CE6800 Relevance: 15.2, APIs: 10, Instructions: 155COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00CE6811
DeleteObject.GDI32(?), ref: 00CE6869
EndDialog.USER32(?,00000000), ref: 00CE68E9

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: DeleteDialogLongObjectWindow
String ID:
API String ID: 1328495006-0
Opcode ID: 5290ae5a0be261824c73dcd7467964377b3b9b988ee33eaba5bdcb63e45e85ce
Instruction ID: 302d267a4a6554b38616ca3db92e3d345165233f0821226611bfdfe3b45dfa61
Opcode Fuzzy Hash: 5290ae5a0be261824c73dcd7467964377b3b9b988ee33eaba5bdcb63e45e85ce
Instruction Fuzzy Hash: 1B4135333242145BCB34AE2EAC49B7B3798DB95370F00072AFD66D72D1C672D911A3A1

Function 00C739A0 Relevance: 15.1, APIs: 10, Instructions: 127windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C73A1A
GetWindowRect.USER32(?,?), ref: 00C73A32
GetWindowRect.USER32(?,?), ref: 00C73A4A
IntersectRect.USER32(?,?,?), ref: 00C73A67
EqualRect.USER32(?,?), ref: 00C73A77
GetSysColorBrush.USER32(0000000F), ref: 00C73A8D
GetWindowRect.USER32(?,?), ref: 00C73AB6
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00C73ACB
GetWindowLongW.USER32(?,000000EC), ref: 00C73ADA
SetBrushOrgEx.GDI32(?,?,?,00000000), ref: 00C73AF8

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Rect$Brush$ColorEqualIntersectLongPointsVisible
String ID:
API String ID: 2158939716-0
Opcode ID: 6a6cdbe0b43ed139b1585f87d00f2ff60ecff10fed8670c183fcefd7cd7e706e
Instruction ID: 4e6e7a2d36b96cf97b75ddaa0180abd6edecf289483feb4fc974ac8a48b5508c
Opcode Fuzzy Hash: 6a6cdbe0b43ed139b1585f87d00f2ff60ecff10fed8670c183fcefd7cd7e706e
Instruction Fuzzy Hash: 1D41A032A083459FC710CF25D884AABB7E8FF99714F14861DF989E7210E730EE458B62

Function 00BD32F0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00BD3335
SysAllocString.OLEAUT32(?), ref: 00BD3349
VariantInit.OLEAUT32(?), ref: 00BD3384
VariantClear.OLEAUT32(?), ref: 00BD33DA
VariantClear.OLEAUT32(?), ref: 00BD33E4
VariantClear.OLEAUT32(?), ref: 00BD33EE
VariantClear.OLEAUT32(?), ref: 00BD33FB

Part of subcall function 00BC9980: RtlAllocateHeap.NTDLL(?,00000000,?,D02C6D11,00000000,00D9C6B0,000000FF,?,?,00E7C42C,00000000,00D1ECDB,80004005,D02C6D11,?,?), ref: 00BC99CA

Strings

<body><h3 style="color:green;">Error loading resource:</h3><p style="white-space:nowrap">"%s"</p></body>, xrefs: 00BD347B

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Variant$Clear$AllocAllocateHeapInitString
String ID: <body><h3 style="color:green;">Error loading resource:</h3><p style="white-space:nowrap">"%s"</p></body>
API String ID: 1547307772-1571955069
Opcode ID: d9f73c1ada4a3b7d94f3945ad0ff405caa14aaa27901995bf5551bae1069286b
Instruction ID: d9044a9b42e4e53cfca7df39a1ff527420a99a1b116ce7ec8c00eac7940cf2ca
Opcode Fuzzy Hash: d9f73c1ada4a3b7d94f3945ad0ff405caa14aaa27901995bf5551bae1069286b
Instruction Fuzzy Hash: 01917A71900249DFDB01CFA8C844BDEFBF8EF49724F14826AE414E7291E774AA04CBA1

Function 00D9A63F Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000,811C9DC5,?,?,?,?,?,?,?,00D9AD6A), ref: 00D9A658

Strings

acos, xrefs: 00D9A78E
log, xrefs: 00D9A6B5, 00D9A6C4
log10, xrefs: 00D9A69A, 00D9A6A9
pow, xrefs: 00D9A6F6, 00D9A7A0, 00D9A7ED
sqrt, xrefs: 00D9A797
asin, xrefs: 00D9A785
exp, xrefs: 00D9A6D7, 00D9A73C

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 0f25d51290012997c72670347ed39b887a1899146cf46a65396a46ae86661f7f
Instruction ID: cea663b6781b93a4e286ada1e90845cfc8ffbfc37061c77bcbb193715b636d75
Opcode Fuzzy Hash: 0f25d51290012997c72670347ed39b887a1899146cf46a65396a46ae86661f7f
Instruction Fuzzy Hash: D2519A7690060EDBCF009FADE84D5BDBFB1FF45304F1A8085D480A6264CB348A25CBB6

Function 00D02DC0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 00D02DFC
GetUserDefaultLangID.KERNEL32 ref: 00D02E09
LoadLibraryW.KERNEL32(kernel32.dll), ref: 00D02E1B
GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 00D02E2F
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00D02E44

Strings

kernel32.dll, xrefs: 00D02E12
GetUserDefaultUILanguage, xrefs: 00D02E3E
GetSystemDefaultUILanguage, xrefs: 00D02E29

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AddressDefaultLangProc$LibraryLoadSystemUser
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
API String ID: 667524283-3528650308
Opcode ID: bd2a5d63693d89631b042859fa795a5be2a0f88af5da214503a81e79cc3b1125
Instruction ID: 4021284ab5296d690992e657dcd487f2917e3d12dddf139a95fe515197c4e466
Opcode Fuzzy Hash: bd2a5d63693d89631b042859fa795a5be2a0f88af5da214503a81e79cc3b1125
Instruction Fuzzy Hash: 2F41B530A093519FC744EF25D8587BAB7E1EFA8351F54091EF889D7280EB30D945CB62

Function 00BCD970 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 139COMMON

Download Yara Rule

Strings

DllGetActivationFactory, xrefs: 00BCD7C2
lD, xrefs: 00BCD91B, 00BCD925
Windows.Foundation.Uri, xrefs: 00BCDA3A
combase.dll, xrefs: 00BCD608, 00BCD63E
CoIncrementMTAUsage, xrefs: 00BCD639
.dll, xrefs: 00BCD766
RoGetActivationFactory, xrefs: 00BCD603

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID:
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$Windows.Foundation.Uri$combase.dll$lD
API String ID: 0-3109780881
Opcode ID: 909157988e34b3d29bab39f6d94e0abc04aef9a18eab059d242a249426c96a75
Instruction ID: a15c40cea0590cb64fe95adb69baf76dcfa10e2c1868b8d1d0014cc831a37f6a
Opcode Fuzzy Hash: 909157988e34b3d29bab39f6d94e0abc04aef9a18eab059d242a249426c96a75
Instruction Fuzzy Hash: C5519CB5901219EFCB00DF94C945BAEBBB4FB04314F10456EE915AB390CBB56A08CBA1

Function 00D78400 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D78437
___except_validate_context_record.LIBVCRUNTIME ref: 00D7843F
_ValidateLocalCookies.LIBCMT ref: 00D784C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00D784F3
_ValidateLocalCookies.LIBCMT ref: 00D78548
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00D7855E
___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00D78573

Strings

csm, xrefs: 00D784DD

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
String ID: csm
API String ID: 1385549066-1018135373
Opcode ID: 55a166f888598a28da3532d49850b6b0e7d901b3386aa44e43c714736377fbff
Instruction ID: 3310d6d9e87d6f494e85cb6e27b295f43ffe1309e0bcac6a6086c9d305ff98ae
Opcode Fuzzy Hash: 55a166f888598a28da3532d49850b6b0e7d901b3386aa44e43c714736377fbff
Instruction Fuzzy Hash: 7241E534A002099FCF10DF68C849AAEBBB5EF45328F14C195E81C9B392EB71D905DBB1

Function 00C05820 Relevance: 13.9, APIs: 9, Instructions: 431memorysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

CreateThread.KERNEL32(00000000,00000000,00C05970,00E08DD8,00000000,?), ref: 00C058EA
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00C05903
CloseHandle.KERNEL32(00000000), ref: 00C05919
CoInitializeEx.COMBASE(00000000,00000000), ref: 00C059C9
GetProcessHeap.KERNEL32(?,00000000), ref: 00C05ACB
HeapFree.KERNEL32(00000000,?,00000000), ref: 00C05AD1
GetProcessHeap.KERNEL32(?,00000000), ref: 00C05B4A
HeapFree.KERNEL32(00000000,?,00000000), ref: 00C05B50
CoUninitialize.COMBASE ref: 00C05CA7

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Heap$Process$FreeInit_thread_footer$CloseCreateHandleInitializeObjectSingleThreadUninitializeWait
String ID:
API String ID: 1993118014-0
Opcode ID: 021e1db3838c95f6e93c69ff700a1aef4dbf4b9869b8a0291729ba7926059e54
Instruction ID: 88bad47438ae9d3ceaa91bbf244cbcccead789869214327caf99b0878e3e5a09
Opcode Fuzzy Hash: 021e1db3838c95f6e93c69ff700a1aef4dbf4b9869b8a0291729ba7926059e54
Instruction Fuzzy Hash: C2025DB0D00348DFDB14CFA8C945BAEBBB8EF44314F10815DE515AB291DB749A45CFA1

Function 00BD8680 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 151threadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,D02C6D11,?,?,00000000,?), ref: 00BD86BE
GetCurrentThreadId.KERNEL32 ref: 00BD86FF
EnterCriticalSection.KERNEL32(00E8957C), ref: 00BD871F
LeaveCriticalSection.KERNEL32(00E8957C), ref: 00BD8743
CreateWindowExW.USER32(00000000,00000000,00000000,00E8957C,?,80000000,00000000,80000000,00000000,00000000,00000000), ref: 00BD879E

Part of subcall function 00D74245: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00D035FE,?,?,?,?,?,?), ref: 00D7424A
Part of subcall function 00D74245: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D74251

Strings

rw, xrefs: 00BD8743
AXWIN UI Window, xrefs: 00BD8815

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalHeapSection$AllocCreateCurrentEnterErrorLastLeaveProcessThreadWindow
String ID: rw$AXWIN UI Window
API String ID: 213679520-2317855928
Opcode ID: d7e2a2aea25f46c5ce72c5c9015b37e4965871080a8fb944792a782d5240e378
Instruction ID: 4f7abfd3e5c5a316e8b3c394873a28645c2e24a2418599f36d04badbf15233d7
Opcode Fuzzy Hash: d7e2a2aea25f46c5ce72c5c9015b37e4965871080a8fb944792a782d5240e378
Instruction Fuzzy Hash: 1F51B571A00305AFDB11DF55DD05BAAFBF8FB48711F10815AF908A7390E771A814CBA1

Function 00BDC6D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 150fileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00BDC7BF

Part of subcall function 00D74B58: EnterCriticalSection.KERNEL32(00E87FD8,D02C6D11,?,00BC9DD7,00E88C04,00DF7520), ref: 00D74B62
Part of subcall function 00D74B58: LeaveCriticalSection.KERNEL32(00E87FD8,?,00BC9DD7,00E88C04,00DF7520), ref: 00D74B95
Part of subcall function 00D74B58: RtlWakeAllConditionVariable.NTDLL ref: 00D74C0C

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,D02C6D13), ref: 00BDC813
CloseHandle.KERNEL32(00000000), ref: 00BDC870

Part of subcall function 00D74BA2: EnterCriticalSection.KERNEL32(00E87FD8,?,D02C6D11,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11,?,?), ref: 00D74BAD
Part of subcall function 00D74BA2: LeaveCriticalSection.KERNEL32(00E87FD8,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11,?,?,00000000), ref: 00D74BEA

WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,?), ref: 00BDC8D4
CloseHandle.KERNEL32(00000000,75C0E610), ref: 00BDC8FA

Strings

html, xrefs: 00BDC7CC
aix, xrefs: 00BDC7D1

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
String ID: aix$html
API String ID: 2030708724-2369804267
Opcode ID: 10369e431c7c6de3d1e04e09ba8d9983a53df0288bae734cda1b72b32ae560d9
Instruction ID: da27c80350cc783b6c3f61b01b52ab86d6d1ce26bf8e357db194de5429dd5c8e
Opcode Fuzzy Hash: 10369e431c7c6de3d1e04e09ba8d9983a53df0288bae734cda1b72b32ae560d9
Instruction Fuzzy Hash: 0D6168B0900248DFDB11CFA4DD59BAEBBF4EB44318F14415DE105AB391EBB66908CF65

Function 00BC2860 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 135COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00E89358,00000000,D02C6D11,00000000,00DD84A3,000000FF,?,D02C6D11), ref: 00BC29D3
GetLastError.KERNEL32(?,D02C6D11), ref: 00BC29DD

Strings

VolumeCostSize, xrefs: 00BC2897
VolumeCostAvailable, xrefs: 00BC28A0
VolumeCostRequired, xrefs: 00BC28A9
VolumeCostDifference, xrefs: 00BC28B3
VolumeCostVolume, xrefs: 00BC288D, 00BC2945

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: VolumeCostAvailable$VolumeCostDifference$VolumeCostRequired$VolumeCostSize$VolumeCostVolume
API String ID: 439134102-34576578
Opcode ID: 791bea329d17f1d0f804411693e186ed77e74e719e14c6ba0bcde7eff4bbb2e5
Instruction ID: 3a09d70cf81cbf051abf11f08284cc65e6758a1ff27f1c37cd37f19388b89d0d
Opcode Fuzzy Hash: 791bea329d17f1d0f804411693e186ed77e74e719e14c6ba0bcde7eff4bbb2e5
Instruction Fuzzy Hash: 13519EB1D002489FCB10DFA5DD06BEEBBF4EB48714F144269E819A7391E7B55908CB61

Function 00D20940 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?), ref: 00D20950
LoadLibraryW.KERNEL32(Shell32.dll), ref: 00D20963
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00D20973
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 00D209FC
SHGetMalloc.SHELL32(?), ref: 00D20A3E

Strings

Shell32.dll, xrefs: 00D2095E
SHGetSpecialFolderPathW, xrefs: 00D2096D

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
String ID: SHGetSpecialFolderPathW$Shell32.dll
API String ID: 2352187698-2988203397
Opcode ID: 151ee41e60aa61d1641d33919398a21c22e1086ae964eff1634469816b4be02f
Instruction ID: 4400f591b49b1e5a9826eb5d0b42dfcfde3ef6968d485b12a6eb1eb5b08ffa40
Opcode Fuzzy Hash: 151ee41e60aa61d1641d33919398a21c22e1086ae964eff1634469816b4be02f
Instruction Fuzzy Hash: 4931E671A007115FEB209F18EC05B6BBBF5AFA4714F5C841CE48A97192EBB19885CBA1

Function 00CBA4D0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74libraryloaderwindowCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00CBA560

Part of subcall function 00D74B58: EnterCriticalSection.KERNEL32(00E87FD8,D02C6D11,?,00BC9DD7,00E88C04,00DF7520), ref: 00D74B62
Part of subcall function 00D74B58: LeaveCriticalSection.KERNEL32(00E87FD8,?,00BC9DD7,00E88C04,00DF7520), ref: 00D74B95
Part of subcall function 00D74B58: RtlWakeAllConditionVariable.NTDLL ref: 00D74C0C

GetProcAddress.KERNEL32(SetWindowTheme), ref: 00CBA59D
__Init_thread_footer.LIBCMT ref: 00CBA5B4
SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 00CBA5DF

Part of subcall function 00D74BA2: EnterCriticalSection.KERNEL32(00E87FD8,?,D02C6D11,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11,?,?), ref: 00D74BAD
Part of subcall function 00D74BA2: LeaveCriticalSection.KERNEL32(00E87FD8,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11,?,?,00000000), ref: 00D74BEA

Part of subcall function 00C97A10: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00C97A51

Strings

UxTheme.dll, xrefs: 00CBA531
explorer, xrefs: 00CBA5C7
SetWindowTheme, xrefs: 00CBA592

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$AddressConditionDirectoryMessageProcSendSystemVariableWake
String ID: SetWindowTheme$UxTheme.dll$explorer
API String ID: 3410024541-3123591815
Opcode ID: 0e0497687b8a5900ccb07250424a8ae9550a7628e364220d3b1effd48536f743
Instruction ID: 7a57b947ada9f0d0e58887d920a3505d19fb3702318cbc0f535dbd10e8879baf
Opcode Fuzzy Hash: 0e0497687b8a5900ccb07250424a8ae9550a7628e364220d3b1effd48536f743
Instruction Fuzzy Hash: 5B21D2B0E40702AFC724EF55EC02BA9B7A0E742B20F144225E53CB73D1D774AA48CB61

Function 00D7191C Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00D71997,00D718FA,00D71B9B), ref: 00D71933
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00D71949
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00D7195E

Strings

KERNEL32.DLL, xrefs: 00D7192E
0z, xrefs: 00D7196F
ReleaseSRWLockExclusive, xrefs: 00D71953
AcquireSRWLockExclusive, xrefs: 00D71943

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: 0z$AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-61002706
Opcode ID: 586057183b1625b6b867d0ca4552b269fc8fdc3850cc5593dc99ca0e8f0bf9db
Instruction ID: c7436b1d249c9c600167939ccddeea7b3a1ee0ca7a8bbac81e89f12d095b1e09
Opcode Fuzzy Hash: 586057183b1625b6b867d0ca4552b269fc8fdc3850cc5593dc99ca0e8f0bf9db
Instruction Fuzzy Hash: 01F0AF79A052326F4F215EA85CB177AA2DA5A01750319C279EBAAE3650FB10C906CFF1

Function 00BDF720 Relevance: 12.1, APIs: 8, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BDF74A
GetWindow.USER32(?,00000005), ref: 00BDF757
GetWindow.USER32(00000000,00000002), ref: 00BDF892

Part of subcall function 00BDF5A0: GetWindowRect.USER32(?,?), ref: 00BDF5CC
Part of subcall function 00BDF5A0: GetWindowRect.USER32(?,?), ref: 00BDF5DC

GetWindowRect.USER32(?,?), ref: 00BDF7EB
GetWindowRect.USER32(00000000,?), ref: 00BDF7FB
GetWindowRect.USER32(00000000,?), ref: 00BDF815

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$Rect
String ID:
API String ID: 3200805268-0
Opcode ID: d9c2f027255494c128183beeb5fe3109a60bddf07e59239a3b3d338b4162d7bd
Instruction ID: 18f9dd956fe6f381b6a16f42e8b889e3cd89fb9f2ec6e453f076170df8e6131d
Opcode Fuzzy Hash: d9c2f027255494c128183beeb5fe3109a60bddf07e59239a3b3d338b4162d7bd
Instruction Fuzzy Hash: 87419E319087429FC325DF25C98097BF7E9FF96704F504A6EF08692621EB31E988CB52

Function 00D740E3 Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00D7428D,?,?,?,?,?,?,?), ref: 00D74107
HeapAlloc.KERNEL32(00000000,?,00D7428D,?,?,?,?,?,?,?), ref: 00D7410E

Part of subcall function 00D741D9: IsProcessorFeaturePresent.KERNEL32(0000000C,00D740F5,00000000,?,00D7428D,?,?,?,?,?,?,?), ref: 00D741DB

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,00D7428D,?,?,?,?,?,?,?), ref: 00D7411E
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00D7428D,?,?,?,?,?,?,?), ref: 00D74145
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,00D7428D,?,?,?,?,?,?,?), ref: 00D74159
InterlockedPopEntrySList.KERNEL32(00000000,?,00D7428D,?,?,?,?,?,?,?), ref: 00D7416C
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00D7428D,?,?,?,?,?,?,?), ref: 00D7417F

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: a47c6c66308a475d72c371ca3949c670866bf94151941fc8d110d435b149c112
Instruction ID: 840618790625f41328778615efede0c18b5f96d66d418c55eb04c2b79135f5ec
Opcode Fuzzy Hash: a47c6c66308a475d72c371ca3949c670866bf94151941fc8d110d435b149c112
Instruction Fuzzy Hash: 56118271B017217BE7226B65AC58F7AB66CEF54791F958020FE4DE6250EB20DC80C7B4

Function 00CDEA80 Relevance: 10.9, APIs: 7, Instructions: 413fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,D02C6D11), ref: 00CDEBC9
ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 00CDEC3B
ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,00000000,00000000), ref: 00CDEEDC
CloseHandle.KERNEL32(?), ref: 00CDEF3A

Part of subcall function 00CDEA80: LoadStringW.USER32(000000A1,?,00000514,D02C6D11), ref: 00CDE9E6

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$Init_thread_footerRead$CloseCreateHandleHeapLoadProcessString
String ID:
API String ID: 1714711150-0
Opcode ID: 6449dae8585885fe7d28983232757e7b5f1b797e8c850f1e9e28e041075d2eb0
Instruction ID: dce91c03423edf1237b238c75ba9a1ba773fd611bd027370fd6935363a2ad7f3
Opcode Fuzzy Hash: 6449dae8585885fe7d28983232757e7b5f1b797e8c850f1e9e28e041075d2eb0
Instruction Fuzzy Hash: 26F18E71E00318DBDB10DFA8C849BAEBBB5FF45314F24825EE515AB381D774AA45CB90

Function 00BDC940 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 284registryCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,D02C6D11), ref: 00BDC9CE
GetLastError.KERNEL32 ref: 00BDC9ED
RegCloseKey.ADVAPI32(?,Function_0024446C,00000000,Function_0024446C,00000000,00000000,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 00BDCC7D
CloseHandle.KERNEL32(00000005,D02C6D11,?,?,00000000,00DA0F5D,000000FF,?,Function_0024446C,00000000,Function_0024446C,00000000,00000000,80000001,00000001,00000000), ref: 00BDCD0E

Strings

Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 00BDC9C3
AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00BDCA35

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Close$CreateErrorEventHandleLast
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
API String ID: 1253123496-2079760225
Opcode ID: 49408378cdabb49abdf7af1e6ad1befae9cf6a4b27fb3771d3d020ada43242d6
Instruction ID: debe6176e1f28454122e6243c6bc8bd7b5b852a5de1680574e2f1197da405413
Opcode Fuzzy Hash: 49408378cdabb49abdf7af1e6ad1befae9cf6a4b27fb3771d3d020ada43242d6
Instruction Fuzzy Hash: D1C18D70A00349DFDB14CFA8C999BAEBBF4EF44704F14429DE549A7381E7746A48CBA1

Function 00BDAAC0 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00E89338,D02C6D11,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00DA0855), ref: 00BDAB2A
GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00DA0855), ref: 00BDABAA
EnterCriticalSection.KERNEL32(00E89354,?,?,?,?,?,?,?,?,?,?,?,00000000,00DA0855,000000FF), ref: 00BDAD63
LeaveCriticalSection.KERNEL32(00E89354,?,?,?,?,?,?,?,?,?,?,00000000,00DA0855,000000FF), ref: 00BDAD84

Strings

rw, xrefs: 00BDAD7D

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$Enter$FileLeaveModuleName
String ID: rw
API String ID: 1807155316-1192573183
Opcode ID: b814dd72381525e8d5552d497f8fc5d1a6f0a4f8321f536bf688b3a769b30769
Instruction ID: 1570da519ab06df55459ec9143e3a2a90ea30557439ce27d1e368a2999edc6e8
Opcode Fuzzy Hash: b814dd72381525e8d5552d497f8fc5d1a6f0a4f8321f536bf688b3a769b30769
Instruction Fuzzy Hash: D7B14F74904248DFDB11CFA4D884BAEFBF9FF08314F14419AE404AB391EB75A945CB61

Function 00CD88D0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 212registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,D02C6D11), ref: 00CD8ACE
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00CD8ADE
RegOpenKeyExW.ADVAPI32(?,?,00000000,000000FF,00000000,?,D02C6D11), ref: 00CD8B13
RegCloseKey.ADVAPI32(00000000), ref: 00CD8B27

Strings

Advapi32.dll, xrefs: 00CD8AC9
RegOpenKeyTransactedW, xrefs: 00CD8AD8

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: 8166de3d8cc41d4867c1ae7052afef595c99e97b3ae3dece312cf008f81c91e7
Instruction ID: 8a11752ff3eef2efd9a580df3a32f69fdae48a942e486ca0d4bf3f7cf60e3648
Opcode Fuzzy Hash: 8166de3d8cc41d4867c1ae7052afef595c99e97b3ae3dece312cf008f81c91e7
Instruction Fuzzy Hash: 489139B0A04308DFDB14CFA8C959B9EBBF4BF48304F14455EE559AB381DB74AA08CB91

Function 00BCF710 Relevance: 10.7, APIs: 7, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00BCF804
SysFreeString.OLEAUT32(00000000), ref: 00BCF879
GetProcessHeap.KERNEL32(?,?), ref: 00BCF8E9
HeapFree.KERNEL32(00000000,?,?), ref: 00BCF8EF
GetProcessHeap.KERNEL32(?,00000000,?,00000000,00000000,00000000,D02C6D11,00E1B768,00000000), ref: 00BCF91C
HeapFree.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000,D02C6D11,00E1B768,00000000), ref: 00BCF922
SysFreeString.OLEAUT32(00000000), ref: 00BCF93A

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Free$Heap$String$Process
String ID:
API String ID: 2680101141-0
Opcode ID: f4da77562d7bc6ab88f5b537f02303b0645c5303c232f47e3b6bda9f3b038ee0
Instruction ID: 2426b222f6f8393d53b37d229bb7caa227b53fafecb84f0a3db8c920f583537e
Opcode Fuzzy Hash: f4da77562d7bc6ab88f5b537f02303b0645c5303c232f47e3b6bda9f3b038ee0
Instruction Fuzzy Hash: 78813870D0025ADFDF10DFA8C845BBEBBF5EF04310F2446A9E415AB281D7B89A04CBA1

Function 00BD6950 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 194comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(00E06214,00000000,00000001,Function_0024689C,?), ref: 00BD6A20

Strings

:, xrefs: 00BD6A0A
{, xrefs: 00BD6A80

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CreateInstance
String ID: :${
API String ID: 542301482-3766677574
Opcode ID: b0d6f5385fd75293e1f72fb8f4c10f2119d514566c55c0a2620f222e8bc6ffbb
Instruction ID: 349c9816406fab904d7d0d8aada21db525d9fbda8976b59e3b3bc66dfc8ffc41
Opcode Fuzzy Hash: b0d6f5385fd75293e1f72fb8f4c10f2119d514566c55c0a2620f222e8bc6ffbb
Instruction Fuzzy Hash: 91617D75A002159ADF249F988895BBEB7F4EB09710F2480ABE846FB390E775DD808764

Function 00CBB730 Relevance: 10.7, APIs: 7, Instructions: 189windowCOMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00CBB7B6
SelectObject.GDI32(00000000,?), ref: 00CBB834
SetBkMode.GDI32(00000000,00000001), ref: 00CBB842
SetTextColor.GDI32(00000000), ref: 00CBB887
GetWindowLongW.USER32(00000000), ref: 00CBB89B
SendMessageW.USER32(00000000), ref: 00CBB8B9
SelectObject.GDI32(00000000,?), ref: 00CBB914

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ObjectSelectWindow$CallColorLongMessageModeProcSendText
String ID:
API String ID: 2603541667-0
Opcode ID: 2de312639933a56fbfcb3e9cf6b3f39b8680595a70d0c1464ba63d3d176e9dd8
Instruction ID: dde216887530b5f249214669f1ae68afa0526c8e60e46fa898f52b08e164bd2e
Opcode Fuzzy Hash: 2de312639933a56fbfcb3e9cf6b3f39b8680595a70d0c1464ba63d3d176e9dd8
Instruction Fuzzy Hash: E7719B31A00248AFDB15DFE9CC48FADBBB5FF48310F108258F559AB2A5CB70A915DB50

Function 00CDC870 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 166synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00CDC9E6
GetLastError.KERNEL32 ref: 00CDC9F7
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00CDCA13
GetExitCodeProcess.KERNEL32(00000000,00DDC5B7), ref: 00CDCA24
CloseHandle.KERNEL32(00000000), ref: 00CDCA32

Strings

open, xrefs: 00CDC907

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CloseCodeErrorExecuteExitHandleLastObjectProcessShellSingleWait
String ID: open
API String ID: 1481985272-2758837156
Opcode ID: 37bb3e9acb86e64326b9b963750aa8a0141f555f5d4d5224da39b8cbebc71757
Instruction ID: 8aed4a8e98b2264c0d367eb3bb7ba7109d18ad36aef90a8b6766c54d78f8bc43
Opcode Fuzzy Hash: 37bb3e9acb86e64326b9b963750aa8a0141f555f5d4d5224da39b8cbebc71757
Instruction Fuzzy Hash: 62616B71D0024A9FDB10CFA9C8947AEBBB4FF49324F14825AE925AB391D7749E01CB90

Function 00BD8120 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00E8957C,D02C6D11,00000000,00E89598), ref: 00BD8193
LeaveCriticalSection.KERNEL32(00E8957C), ref: 00BD81F8
LoadCursorW.USER32(00BC0000,000000FF), ref: 00BD8254
LeaveCriticalSection.KERNEL32(00E8957C), ref: 00BD82EB

Strings

ATL:%p, xrefs: 00BD8274
rw, xrefs: 00BD81F8, 00BD82EB

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$Leave$CursorEnterLoad
String ID: rw$ATL:%p
API String ID: 2080323225-991814573
Opcode ID: 8254bae97c60b1ecb0874f64dd574487bb32b073269a910ce6c41d5a12800d99
Instruction ID: 1a8199027e12af7b04b59d5aec0062513a1791a0d302b271bd09ff6abf959a0a
Opcode Fuzzy Hash: 8254bae97c60b1ecb0874f64dd574487bb32b073269a910ce6c41d5a12800d99
Instruction Fuzzy Hash: E151AE70D04B449BDB21CF69C9457AAF7F4FF58710F00465EE89AA3790EB70A984CB60

Function 00BE7950 Relevance: 10.6, APIs: 7, Instructions: 125COMMON

Download Yara Rule

APIs

GetWindowDC.USER32(?,D02C6D11,?,00000000,?,?,?,?,?,00000000,00DA2BE5,000000FF,?,00BE7692,?,?), ref: 00BE7992
GetWindowRect.USER32(?,?), ref: 00BE79B1
IsWindowEnabled.USER32(?), ref: 00BE79C0
SelectObject.GDI32(00000000,00000000), ref: 00BE7A1E
SelectObject.GDI32(?,?), ref: 00BE7A62
DeleteObject.GDI32(00000000), ref: 00BE7A71
DeleteDC.GDI32(?), ref: 00BE7A94

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ObjectWindow$DeleteSelect$EnabledRect
String ID:
API String ID: 2818206005-0
Opcode ID: 1f2366ff44438a0567741bcda60a4a57fa0ddd1a08bff5568d46091fc9e0d935
Instruction ID: 05a06bf5eabf36e8cb20eba722920e247dd2008dfec8eb15123f03dcd5371607
Opcode Fuzzy Hash: 1f2366ff44438a0567741bcda60a4a57fa0ddd1a08bff5568d46091fc9e0d935
Instruction Fuzzy Hash: 1C414271A04219AFDB10DFA6DD88BAEBBF9FF88710F104259F945B3250D7749905CB60

Function 00CDC720 Relevance: 10.6, APIs: 7, Instructions: 108processsynchronizationCOMMON

Download Yara Rule

APIs

Wow64DisableWow64FsRedirection.KERNEL32(00000000,D02C6D11,00000010), ref: 00CDC767
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,D02C6D11,00DDC52D), ref: 00CDC7DF
GetLastError.KERNEL32 ref: 00CDC7F0
WaitForSingleObject.KERNEL32(00DDC52D,000000FF), ref: 00CDC80C
GetExitCodeProcess.KERNEL32(00DDC52D,00000000), ref: 00CDC81D
CloseHandle.KERNEL32(00DDC52D), ref: 00CDC827
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00CDC842

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
String ID:
API String ID: 1153077990-0
Opcode ID: ea8f84a00e0839b918593063a910edbe29f6b0d64cbd70181eef1b0b7fbf19ad
Instruction ID: d1d2e4d2bfb155e13249eaa8825477edeb3bfa9265de7e93369fcf2256a605fe
Opcode Fuzzy Hash: ea8f84a00e0839b918593063a910edbe29f6b0d64cbd70181eef1b0b7fbf19ad
Instruction Fuzzy Hash: D1415131E0434A9BDB10CFA5CD487AEBBF8AF49314F14825AE525A6290D7749A40CF60

Function 00CE5290 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,?,?,?,?,00CF0731,?,D02C6D11,?,?), ref: 00CE52AB
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00CE52C1
FreeLibrary.KERNEL32(00000000), ref: 00CE52FA
FreeLibrary.KERNEL32(00000000,?,?,?,?,00CF0731,?,D02C6D11,?,?), ref: 00CE5316

Strings

DllGetVersion, xrefs: 00CE52BB
Shlwapi.dll, xrefs: 00CE52AA

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll
API String ID: 1386263645-2240825258
Opcode ID: 3c1527422307594d58f51b77ae1077ed0ce1179bd9ebeffb7911714081b2ea58
Instruction ID: 4d34ebd01d80718fd0e1a986d99efc73fec182e86a6a4d267e9198e833804789
Opcode Fuzzy Hash: 3c1527422307594d58f51b77ae1077ed0ce1179bd9ebeffb7911714081b2ea58
Instruction Fuzzy Hash: AA21CF72A007418BC300AF29E84166FB3E4FFDA705B800A2EF499D3211FB71D904CBA2

Function 00D8E202 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00D8E30F,00D8A813,0000000C,?,00000000,00000000,?,00D8E579,00000021,FlsSetValue,00DFE06C,00DFE074,?), ref: 00D8E2C3

Strings

api-ms-, xrefs: 00D8E259
ext-ms-, xrefs: 00D8E26D

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 31c0cda824518dde5bd1be4da2f8772c6ba7d7c5c43c852997cccb29b914bcfd
Instruction ID: 0cd72f438a4907560f5b748b1681e181fd03f85c0056acb79095e832b7dcb933
Opcode Fuzzy Hash: 31c0cda824518dde5bd1be4da2f8772c6ba7d7c5c43c852997cccb29b914bcfd
Instruction Fuzzy Hash: 3221D231A01225EBC721AB65DC51B6A775DAB81770B2A8220ED49F7290DB30ED04CFF5

Function 00BFDCC0 Relevance: 9.2, APIs: 6, Instructions: 153COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00BFDD0A
std::_Lockit::_Lockit.LIBCPMT ref: 00BFDD2C
std::_Lockit::~_Lockit.LIBCPMT ref: 00BFDD54
__Getctype.LIBCPMT ref: 00BFDE35
std::_Facet_Register.LIBCPMT ref: 00BFDE97
std::_Lockit::~_Lockit.LIBCPMT ref: 00BFDEC1

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: fdcff2f32219cf508f2b232f781698b70f6ab2f09e533758e32536fb32e00b06
Instruction ID: 86c67279ea6c6ddd3540dbabe7720af2b4f8d49e39cb845471bf8f65e4c09e08
Opcode Fuzzy Hash: fdcff2f32219cf508f2b232f781698b70f6ab2f09e533758e32536fb32e00b06
Instruction Fuzzy Hash: 2E61CFB1D04649CFDB10CF58C941BAEFBF5EF14314F148299D949AB391E734AA88CBA1

Function 00BFDAC0 Relevance: 9.1, APIs: 6, Instructions: 140COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00BFDAFD
std::_Lockit::_Lockit.LIBCPMT ref: 00BFDB1F
std::_Lockit::~_Lockit.LIBCPMT ref: 00BFDB47
__Getcoll.LIBCPMT ref: 00BFDC11
std::_Facet_Register.LIBCPMT ref: 00BFDC56
std::_Lockit::~_Lockit.LIBCPMT ref: 00BFDC8E

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID:
API String ID: 1184649410-0
Opcode ID: 5954efecc14b0dd97bac83653710824a43163608738faa8802fe1eabb28f4d9e
Instruction ID: 12a415e16c0e9ef09ef7147518a1e7bf3ddb7ce5e37e35f4943a0215564fd696
Opcode Fuzzy Hash: 5954efecc14b0dd97bac83653710824a43163608738faa8802fe1eabb28f4d9e
Instruction Fuzzy Hash: 87517EB1D01248DFCB01DF94D981BADBBF1FF44310F258199E8196B391E774AA09DBA1

Function 00D11670 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 136COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00D116D1

Strings

FTP Server, xrefs: 00D120B8, 00D120CA, 00D120D4
GET, xrefs: 00D11859
Local Network Server, xrefs: 00D11E58, 00D11E6A, 00D11E74
*/*, xrefs: 00D12450
HTTP/1.0, xrefs: 00D124C8

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorLast
String ID: */*$FTP Server$GET$HTTP/1.0$Local Network Server
API String ID: 1452528299-1822174798
Opcode ID: c1f4c1573d5d69ecab35dfa630002e8e8653ffab7a304c6b6fea9da52fabded3
Instruction ID: 14cf5da00721d1691f3f3bf0759c53900ccc0238cefa5703fea3963005619bee
Opcode Fuzzy Hash: c1f4c1573d5d69ecab35dfa630002e8e8653ffab7a304c6b6fea9da52fabded3
Instruction Fuzzy Hash: 2E41D475A01209EBDB10DFA4DC45BEEB7F8EF01720F144529E914A72C1DB749904CBB1

Function 00D76303 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D762FA,00D762C6,?,?,00BFAEBD,00CD9A40,?,00000008), ref: 00D76311
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D7631F
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D76338
SetLastError.KERNEL32(00000000,00D762FA,00D762C6,?,?,00BFAEBD,00CD9A40,?,00000008), ref: 00D7638A

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 722704e99ac2d181eb521b1b7d64b79fb10126fe5b39e9b70b5ebbc380ad2575
Instruction ID: 981d8b07e72bc264ac860164d2cdaeee18ad1293ebd13681d6b4132974021e05
Opcode Fuzzy Hash: 722704e99ac2d181eb521b1b7d64b79fb10126fe5b39e9b70b5ebbc380ad2575
Instruction Fuzzy Hash: 2001D833109B225EA72526B5BCD56AA6758DB013B8338832DF52CA11E1FE11CC45D270

Function 00BC87E0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 238COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00BC88C5
__Init_thread_footer.LIBCMT ref: 00BC893F

Strings

<a>, xrefs: 00BC8AF1
</a>, xrefs: 00BC8A49
<a href=", xrefs: 00BC8887

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer
String ID: </a>$<a href="$<a>
API String ID: 1385522511-4210067781
Opcode ID: ef79e38845decea5934faada1e7573e25e6cea8c4f8f7351f556f26e309bc205
Instruction ID: c19e3ea27fa0d74010b66a9219a63422a334230109871d1aed8e468062f63995
Opcode Fuzzy Hash: ef79e38845decea5934faada1e7573e25e6cea8c4f8f7351f556f26e309bc205
Instruction Fuzzy Hash: D8A18CB0A00605DFCB15DF68D895FADB7F1FB44324F14429DE029AB2D2EB70A945CBA1

Function 00BF62C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 182windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,SysTabControl32,?,46010000,?,?,?,?,00000000,00000309,00000000), ref: 00BF63BD
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00BF63D2
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00BF63DA

Part of subcall function 00BC9980: RtlAllocateHeap.NTDLL(?,00000000,?,D02C6D11,00000000,00D9C6B0,000000FF,?,?,00E7C42C,00000000,00D1ECDB,80004005,D02C6D11,?,?), ref: 00BC99CA

Part of subcall function 00BF8190: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BF81D8

Strings

SysTabControl32, xrefs: 00BF63B5
TabHost, xrefs: 00BF6349, 00BF635B, 00BF6365

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend$AllocateCreateHeapWindow
String ID: SysTabControl32$TabHost
API String ID: 2359350451-2872506973
Opcode ID: 6053fcb7d0d1c228a8534825dbd7638b3bd7258284f777e080eb65cefa823c28
Instruction ID: 28d8faa8e81432b5fe18e533dfedb441eb8b79e83f030f14dc98cec32feb4c28
Opcode Fuzzy Hash: 6053fcb7d0d1c228a8534825dbd7638b3bd7258284f777e080eb65cefa823c28
Instruction Fuzzy Hash: 60517D35A00605AFDB14DF69C844BAEBBF4FF49310F10429DE919AB391DB75AD04CBA4

Function 00BE2BA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113timeCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(D02C6D11,D02C6D11,?), ref: 00BE2BDF
EnterCriticalSection.KERNEL32(?,D02C6D11,?), ref: 00BE2BEC
KillTimer.USER32(?,00000001), ref: 00BE2C34
LeaveCriticalSection.KERNEL32(?,?,00000000,?), ref: 00BE2CC3

Strings

rw, xrefs: 00BE2CC3

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$EnterInitializeKillLeaveTimer
String ID: rw
API String ID: 3614119372-1192573183
Opcode ID: 241dd6513e495716727ca0eec7c0b130ef6d88633339380c232f925a6a6f0bdd
Instruction ID: ba5c7af2d8402c9151585d0a724625090e63878e242d5729ada1ea994b89f3d7
Opcode Fuzzy Hash: 241dd6513e495716727ca0eec7c0b130ef6d88633339380c232f925a6a6f0bdd
Instruction Fuzzy Hash: 8E41E5356007818FCB21DF39C941BAABBF9FF55310F2049A9E996D7391CB31A905CB90

Function 00CE3C20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00D74BA2: EnterCriticalSection.KERNEL32(00E87FD8,?,D02C6D11,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11,?,?), ref: 00D74BAD
Part of subcall function 00D74BA2: LeaveCriticalSection.KERNEL32(00E87FD8,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11,?,?,00000000), ref: 00D74BEA

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00CE3C7E
GetProcAddress.KERNEL32(00000000), ref: 00CE3C85
__Init_thread_footer.LIBCMT ref: 00CE3C9C

Part of subcall function 00D74B58: EnterCriticalSection.KERNEL32(00E87FD8,D02C6D11,?,00BC9DD7,00E88C04,00DF7520), ref: 00D74B62
Part of subcall function 00D74B58: LeaveCriticalSection.KERNEL32(00E87FD8,?,00BC9DD7,00E88C04,00DF7520), ref: 00D74B95
Part of subcall function 00D74B58: RtlWakeAllConditionVariable.NTDLL ref: 00D74C0C

Strings

SymFromAddr, xrefs: 00CE3C74
Dbghelp.dll, xrefs: 00CE3C79

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionInit_thread_footerLibraryLoadProcVariableWake
String ID: Dbghelp.dll$SymFromAddr
API String ID: 3268644551-642441706
Opcode ID: 9c1bf79c783c49270b733087c107b186c79b4dded1ab56862329d7990d0cd20d
Instruction ID: ba9222f067518d496d02a95e99881807664ec82b383849b89fa35fe8f530b523
Opcode Fuzzy Hash: 9c1bf79c783c49270b733087c107b186c79b4dded1ab56862329d7990d0cd20d
Instruction Fuzzy Hash: CD014CB1D40784EFC710DFA9DD45B94F7A5E708720F144365E92AA3791DB35A9048B21

Function 00D74C2A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,00D74BC7,00000064), ref: 00D74C4D
LeaveCriticalSection.KERNEL32(00E87FD8,?,?,00D74BC7,00000064,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11), ref: 00D74C57
WaitForSingleObjectEx.KERNEL32(?,00000000,?,00D74BC7,00000064,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11), ref: 00D74C68
EnterCriticalSection.KERNEL32(00E87FD8,?,00D74BC7,00000064,?,00BC9D66,00E88C04,D02C6D11,D02C6D11,?,00D9CC0D,000000FF,?,00D1EBD6,D02C6D11,?), ref: 00D74C6F

Strings

rw, xrefs: 00D74C57

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID: rw
API String ID: 3269011525-1192573183
Opcode ID: 509ec518fdff6f7d9830d62e146acee8ead66fd45e67d5a8d3132686b1027779
Instruction ID: cae1cbdb67aa0027670f4e804775f11860794ae161cbd96f0b8b79c13928a1dc
Opcode Fuzzy Hash: 509ec518fdff6f7d9830d62e146acee8ead66fd45e67d5a8d3132686b1027779
Instruction Fuzzy Hash: EAE01B31A49324BBCF032B56EC19B5E7F18AF04751B148010F74DB6670CF619800DBE4

Function 00C05970 Relevance: 7.8, APIs: 5, Instructions: 270memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000000), ref: 00C059C9
GetProcessHeap.KERNEL32(?,00000000), ref: 00C05ACB
HeapFree.KERNEL32(00000000,?,00000000), ref: 00C05AD1
GetProcessHeap.KERNEL32(?,00000000), ref: 00C05B4A
HeapFree.KERNEL32(00000000,?,00000000), ref: 00C05B50
CoUninitialize.COMBASE ref: 00C05CA7

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Heap$FreeProcess$InitializeUninitialize
String ID:
API String ID: 4239879612-0
Opcode ID: 1f8a61e052c3abc8f19eb0f95b06b41a0ada57322f9f4cce75aee3d6dfbedf2f
Instruction ID: cdb99094d0c39af1a15ee6aac94b6ee9706ea8534bdc1f68340d2ee0b2f6d5d7
Opcode Fuzzy Hash: 1f8a61e052c3abc8f19eb0f95b06b41a0ada57322f9f4cce75aee3d6dfbedf2f
Instruction Fuzzy Hash: F1B16DB0D00748DFDB14CFA9C945FAEBBB8BF44304F108299E515AB291DB74AA45CFA0

Function 00BE2650 Relevance: 7.7, APIs: 5, Instructions: 237windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000001), ref: 00BE26C2
GetParent.USER32(00000001), ref: 00BE26ED
SendMessageW.USER32(00000000,00000138,?,00000001), ref: 00BE26FD
FillRect.USER32(?,?,00000000), ref: 00BE270B
ReleaseDC.USER32(00000001,00000000), ref: 00BE28E1

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: FillMessageParentRectReleaseSend
String ID:
API String ID: 2215362955-0
Opcode ID: 3cf8fa675446fc6916d429570226a1976ff0f1bb8ff4d1d1634f70cd47f28242
Instruction ID: a4673a97098d3ff3510be4371e85b87225e6f96b0da1b32c3ab1b38c201ce955
Opcode Fuzzy Hash: 3cf8fa675446fc6916d429570226a1976ff0f1bb8ff4d1d1634f70cd47f28242
Instruction Fuzzy Hash: 789148B1A00659EFDB15CFA6CD48BAEBBF9FF08300F144169E945E7250E731A915CB90

Function 00CDABE0 Relevance: 7.7, APIs: 5, Instructions: 161fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?), ref: 00CDAD04
SetFileAttributesW.KERNEL32(?,00000000), ref: 00CDAD11
GetFileAttributesW.KERNEL32(?,?,?,00E19138,00000001,D02C6D11,00000000,D02C6D11,00000000,00000000,00DDC175,000000FF), ref: 00CDAD20
SetFileAttributesW.KERNEL32(?,00000000), ref: 00CDAD2D
FindNextFileW.KERNEL32(?,?), ref: 00CDAD6B

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: File$Attributes$FindNext
String ID:
API String ID: 3019667586-0
Opcode ID: f1ac3ea50df9579b3afd2dee0ec36578a0a86e6de03756fc79fd3663797533df
Instruction ID: 941c82ae7d48a7a1ee3583615d81bcde5b0edb2d665b857a6c1bb28d047d3105
Opcode Fuzzy Hash: f1ac3ea50df9579b3afd2dee0ec36578a0a86e6de03756fc79fd3663797533df
Instruction Fuzzy Hash: 1251C030900249DFDB28EF68CC54BEDB7A5FF40321F14826AE925976E1EB719E44CB12

Function 00CBB3E0 Relevance: 7.7, APIs: 5, Instructions: 151windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(?,D02C6D11,?,?,00000000,?,?,?,?,?,?,?,?,00000000,00DD6F5D,000000FF), ref: 00CBB410
GetWindowRect.USER32(?,?), ref: 00CBB430
IsWindowEnabled.USER32(?), ref: 00CBB461
GetFocus.USER32 ref: 00CBB46F
DeleteDC.GDI32(?), ref: 00CBB585

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$DeleteEnabledFocusRect
String ID:
API String ID: 733580484-0
Opcode ID: 9412a6a0c3ca6c0eee230ec7b2603b40c8c7f527250a251e30ecefe00d5a4bd4
Instruction ID: 1a11099e9ff6e7d475be88f6a863c7ab516470439bdaa4264ee256835ffb6dac
Opcode Fuzzy Hash: 9412a6a0c3ca6c0eee230ec7b2603b40c8c7f527250a251e30ecefe00d5a4bd4
Instruction Fuzzy Hash: D0512671904208AFDB25DFA4D948BEEBBF8FF08300F204159E45AB7290D7B1AA44CB20

Function 00BDB240 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00BDB31C
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BDB32B
ReleaseDC.USER32(00000000), ref: 00BDB372

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-0
Opcode ID: cb991aa0d6283dfe225052dac821cb8bc910ec539155b6938a09d41e819d0703
Instruction ID: 5bb9c2a1b107df71202efac3d114307789f5bc41a8b40eef14e628cf7de0e81f
Opcode Fuzzy Hash: cb991aa0d6283dfe225052dac821cb8bc910ec539155b6938a09d41e819d0703
Instruction Fuzzy Hash: F95107B5904649EFDB10DFA5C888B9EBBF8EF08310F10816AF959A7291E734D904DB64

Function 00BD5780 Relevance: 7.6, APIs: 5, Instructions: 125windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00BD57DE
GetDlgItem.USER32(?,?), ref: 00BD5803
SendMessageW.USER32(?,?,?,?), ref: 00BD58CD

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ItemMessageSendWindow
String ID:
API String ID: 799199299-0
Opcode ID: 79a8ab8cef486b87dd1294c703d61f097a0bc660c05a9cdade128de81af44781
Instruction ID: 892fcfbbf177a2f804db435c4ce57f46201cdcb1ce08c9f05d85fbfbe6107313
Opcode Fuzzy Hash: 79a8ab8cef486b87dd1294c703d61f097a0bc660c05a9cdade128de81af44781
Instruction Fuzzy Hash: BA41CE32300A05DFC7248F59D894A66F7E9FB44351F1489ABE58ACB661E733E810FB60

Function 00CBB5B0 Relevance: 7.6, APIs: 5, Instructions: 124windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00CBB60E

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

IsWindowEnabled.USER32(?), ref: 00CBB644
GetFocus.USER32 ref: 00CBB654
GetDC.USER32(?), ref: 00CBB684

Part of subcall function 00CE0B20: SelectObject.GDI32(?,?), ref: 00CE0B83
Part of subcall function 00CE0B20: SetTextColor.GDI32(?,?), ref: 00CE0BCF
Part of subcall function 00CE0B20: SelectObject.GDI32(?,?), ref: 00CE0BF9

CallWindowProcW.USER32(?,?,?,?,?), ref: 00CBB6B3

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footerObjectSelectWindow$CallClientColorEnabledFocusHeapProcProcessRectText
String ID:
API String ID: 1237246694-0
Opcode ID: b42f995e32e5ed51d479f4ca85d0fccbb5920d4ddf7e40adf5adbf972cdeafce
Instruction ID: 7526ed5386304099801602290acbe8268b3baf998b5a81e4d7f4cabe418c6472
Opcode Fuzzy Hash: b42f995e32e5ed51d479f4ca85d0fccbb5920d4ddf7e40adf5adbf972cdeafce
Instruction Fuzzy Hash: 33411871900109DFDB15DFA9C989BEABBF4EF08310F148169E815AB2A1DB71ED54CB60

Function 00CD5610 Relevance: 7.6, APIs: 5, Instructions: 122COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00CD5644
std::_Lockit::_Lockit.LIBCPMT ref: 00CD5666
std::_Lockit::~_Lockit.LIBCPMT ref: 00CD568E
std::_Facet_Register.LIBCPMT ref: 00CD5777
std::_Lockit::~_Lockit.LIBCPMT ref: 00CD57A1

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 1bbe8dbb99440d09d8eb91549eff6b4421837b92d074f8ccdc43f63391f625ba
Instruction ID: 72f9d0fcf087f79a9b346c4e5e30157d49eb175322eba03dee4716c2ee99b019
Opcode Fuzzy Hash: 1bbe8dbb99440d09d8eb91549eff6b4421837b92d074f8ccdc43f63391f625ba
Instruction Fuzzy Hash: F25191B1900649DFDB11CF58C881BAEBBF0EF01314F25815AE859AB391E775AA05CFA0

Function 00BEEBA0 Relevance: 7.6, APIs: 5, Instructions: 109windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,?,?), ref: 00BEEC18
SendMessageW.USER32(?,00001012,00000000,?), ref: 00BEEC60
SendMessageW.USER32(?,0000102C,000000FF,0000F000), ref: 00BEEC7C
SendMessageW.USER32(?,0000102B,000000FF,?), ref: 00BEECAE
SetFocus.USER32(00000000,?,?), ref: 00BEECC1

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend$Focus
String ID:
API String ID: 3982298024-0
Opcode ID: a82c7075cf27461fa2e2565c56d57e5bc7671a731e871a7c2a4074282eeb1144
Instruction ID: 3e9f67565acbabb2a9c99bc195cee4b6ee27b4f1985e9d086616350814b74c45
Opcode Fuzzy Hash: a82c7075cf27461fa2e2565c56d57e5bc7671a731e871a7c2a4074282eeb1144
Instruction Fuzzy Hash: 10416D75904744DFDB10CF69CC84AA9B7F4FF48710F204669E869977A0D770A844CF50

Function 00BDE7F0 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000FC,00000000), ref: 00BDE839
GetClientRect.USER32(?,?), ref: 00BDE85F
GetParent.USER32(?), ref: 00BDE86D

Part of subcall function 00D74245: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00D035FE,?,?,?,?,?,?), ref: 00D7424A
Part of subcall function 00D74245: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D74251

SetWindowLongW.USER32(?,000000EB), ref: 00BDE8A0
ShowWindow.USER32(?,00000000), ref: 00BDE8B6

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$HeapLong$AllocClientParentProcessRectShow
String ID:
API String ID: 3563161840-0
Opcode ID: b817d04d3d980027eef1c30feb1de29d24c183fe4e56108f5f38d4462dd7165a
Instruction ID: bd9ff512c46a38505f75fc55bc139240fe735508a47b98427cf43e96ecce7382
Opcode Fuzzy Hash: b817d04d3d980027eef1c30feb1de29d24c183fe4e56108f5f38d4462dd7165a
Instruction Fuzzy Hash: AC2181706047019FC721EF29D844A6BBBE8FF49710B004A6EF8AAD7651EB31E804CB61

Function 00BCF230 Relevance: 7.6, APIs: 5, Instructions: 60memorywindowCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BCF27A
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00BCF280
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00BCF2A3
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00D9E1F6,000000FF), ref: 00BCF2CB
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,00D9E1F6,000000FF), ref: 00BCF2D1

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Heap$FreeProcess$FormatMessage
String ID:
API String ID: 1606019998-0
Opcode ID: 6673ce8440dbad1cd28c6f09afe999afc400c4cd55f143a5913b1d03d92dbdd6
Instruction ID: 74bf2d4881e3f59d03acc7c0f6e373de5e1f384941729e052ab266d6fc9e0f10
Opcode Fuzzy Hash: 6673ce8440dbad1cd28c6f09afe999afc400c4cd55f143a5913b1d03d92dbdd6
Instruction Fuzzy Hash: 361160B1A44259ABEB10DF98CC02FAFBBBCEB04B04F104659F914AB2C1D7B5990487F1

Function 00BE71B0 Relevance: 7.6, APIs: 5, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00BE71BB
SendMessageW.USER32(?,?,?,0000102B), ref: 00BE7218
SendMessageW.USER32(?,?,?,0000102B), ref: 00BE7267
SendMessageW.USER32(?,00001043,00000000,00000000), ref: 00BE7278
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00BE7285

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: a45dcc86a76b2c2e1185b8d76b6fb0dbd00079cf85e11b34b2ea942015261c98
Instruction ID: 67cdf19e0ae382142443850d227cf1c3c3c49fd18dba0c5382f370d7c2953de2
Opcode Fuzzy Hash: a45dcc86a76b2c2e1185b8d76b6fb0dbd00079cf85e11b34b2ea942015261c98
Instruction Fuzzy Hash: 6C215031958386AAD220DF01CD40B1ABBF1BFEE758F202B0DF1D4211A4E7F191848E82

Function 00CFCC60 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 326COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,D02C6D11,?,00000010,?), ref: 00CFCF2A

Part of subcall function 00CDCF90: GetCurrentProcess.KERNEL32 ref: 00CDCFD8
Part of subcall function 00CDCF90: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00CDCFE5
Part of subcall function 00CDCF90: GetLastError.KERNEL32 ref: 00CDCFEF
Part of subcall function 00CDCF90: CloseHandle.KERNEL32(00000000), ref: 00CDD0D0

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

Part of subcall function 00BC92A0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,00000000,8007000E,80004005,00CD06A6,00000000,00000002,00000001,?,?,80070057,?), ref: 00BC92C3

Strings

Extraction path set to:, xrefs: 00CFCF7D
\\?\, xrefs: 00CFCF37
[WindowsVolume], xrefs: 00CFCCF0, 00CFCD02, 00CFCD0C

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Process$Init_thread_footer$CloseCurrentErrorFindHandleHeapLastOpenPathResourceToken
String ID: Extraction path set to:$[WindowsVolume]$\\?\
API String ID: 699919280-3538578949
Opcode ID: bd400d1b10422521ccc5b7fbab2b1e6ee0b2b8adc2f5db34233b89f6008caf22
Instruction ID: 690c88a3ba47d50ab65f2a0e37a6aa53115641e53922ad9f978b6ae161a94a37
Opcode Fuzzy Hash: bd400d1b10422521ccc5b7fbab2b1e6ee0b2b8adc2f5db34233b89f6008caf22
Instruction Fuzzy Hash: 39C1E330A00549DFDB10DF68C988BAEF7F5EF40314F1482A9E525AB292DB709E45CBA1

Function 00BF3570 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 319windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,RichEdit20W,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00BF371C
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00BF3731
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00BF3739

Part of subcall function 00BC9980: RtlAllocateHeap.NTDLL(?,00000000,?,D02C6D11,00000000,00D9C6B0,000000FF,?,?,00E7C42C,00000000,00D1ECDB,80004005,D02C6D11,?,?), ref: 00BC99CA

Strings

RichEdit20W, xrefs: 00BF3714

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend$AllocateCreateHeapWindow
String ID: RichEdit20W
API String ID: 2359350451-4173859555
Opcode ID: 26292bbe075ef5347bac860c360879b2c8fbd0e7da5e370878d73e3c45c04567
Instruction ID: 90a88607db239a6462e850a5bdd113f236abb38d7f0869da7a1638f98e246f0a
Opcode Fuzzy Hash: 26292bbe075ef5347bac860c360879b2c8fbd0e7da5e370878d73e3c45c04567
Instruction Fuzzy Hash: 05B17C71A01209AFDB14CFA8C994BEEBBF4FF49710F1441A9E905AB391D771AD44CB60

Function 00BED870 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 226windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC9980: RtlAllocateHeap.NTDLL(?,00000000,?,D02C6D11,00000000,00D9C6B0,000000FF,?,?,00E7C42C,00000000,00D1ECDB,80004005,D02C6D11,?,?), ref: 00BC99CA

Part of subcall function 00CBA0B0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00BE66F8,00000000,80004005), ref: 00CBA118
Part of subcall function 00CBA0B0: RedrawWindow.USER32(?,00000000,00000000,00000541,?,?,?,000000EF,?,00BE66F8,00000000,80004005), ref: 00CBA129
Part of subcall function 00CBA0B0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CBA148

SendMessageW.USER32(?,00001036,00000004,00000004), ref: 00BEDA2D
SendMessageW.USER32(?,00001036,00000400,00000400), ref: 00BEDA44
SendMessageW.USER32(?,00001061,00000000,?), ref: 00BEDAA0

Strings

QuickSelectionList, xrefs: 00BED962, 00BED974, 00BED97E

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend$Window$AllocateHeapRedraw
String ID: QuickSelectionList
API String ID: 884508843-3633591268
Opcode ID: a2c9609ca554882db30c605f12e90521df329d23241a2b1e713b396d132c5e55
Instruction ID: d1656fbc6856a53d157d868a2c9f39924b50c4a8badc4773442c42b4646d9468
Opcode Fuzzy Hash: a2c9609ca554882db30c605f12e90521df329d23241a2b1e713b396d132c5e55
Instruction Fuzzy Hash: 45819B71A00205AFDB04DF69C884BEAF7F4FF88324F14865DE565AB291DB75AD04CBA0

Function 00D0E3A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,D02C6D11,771AF530,00000000), ref: 00D0E3F2
CloseHandle.KERNEL32(?,D02C6D11,00000000,?,00000000,00DE5F93,000000FF,?), ref: 00D0E570
CloseHandle.KERNEL32(00000000,D02C6D11,00000000,?,00000000,00DE5F93,000000FF,?), ref: 00D0E59F

Strings

LOG, xrefs: 00D0E45A

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: LOG
API String ID: 3884789274-429402703
Opcode ID: a7d8a329d80b33faecbff01ba679c0c88f5adb31c884968ee6aa3ab8d78f06f0
Instruction ID: 80896ac04cdac782229d0bb18bb9bfd94893faa67716cbd2dc88b40509bf7cb0
Opcode Fuzzy Hash: a7d8a329d80b33faecbff01ba679c0c88f5adb31c884968ee6aa3ab8d78f06f0
Instruction Fuzzy Hash: 7651AF71A002449FDB25DF68C809BAAB7F5EF44714F184A6DE81ADB7C0E774DA04CBA0

Function 00BCF600 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00BCF642
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00BCF648

Strings

combase.dll, xrefs: 00BCF63D
RoOriginateLanguageException, xrefs: 00BCF638

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 2574300362-3996158991
Opcode ID: 17865e67726ea05d4fb9ccac48421edcc451dce6e1b3e343fe410d18f3a8be3a
Instruction ID: 40282d678458358d72182ee61a31b676b90248511169586b230aa6f0eb0b90c1
Opcode Fuzzy Hash: 17865e67726ea05d4fb9ccac48421edcc451dce6e1b3e343fe410d18f3a8be3a
Instruction Fuzzy Hash: 28314F719002099FDF10DF68C945BEEBBF4EB14314F1081BEE829A72D0DB745A44CBA1

Function 00D114E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00D0F23A,00CF21E0,D02C6D11,?,00CF21E0,?,?,?,00DE62A5), ref: 00D114ED
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00D0F23A,00CF21E0,D02C6D11,?,00CF21E0,?,?,?,00DE62A5), ref: 00D1150E
GetLastError.KERNEL32(00D0F23A,00CF21E0,D02C6D11,?,00CF21E0,?,?,?,00DE62A5,000000FF,?,00D0EB6D,?,00CF21E0,00000000), ref: 00D1156E

Strings

AdvancedInstaller, xrefs: 00D11556

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CreateEvent$ErrorLast
String ID: AdvancedInstaller
API String ID: 1131763895-1372594473
Opcode ID: 725dba4e3508dcc1cec5ecfb4bb6abcc404d18462246913da5061911ed2ec0ac
Instruction ID: ba07d532c4d6e3baddef9993729e23774247d19c785486faf8be53441d735f4f
Opcode Fuzzy Hash: 725dba4e3508dcc1cec5ecfb4bb6abcc404d18462246913da5061911ed2ec0ac
Instruction Fuzzy Hash: D1114C75740602BBE720CB31DD89F6ABBA5FB84705F204524E6069B680DB71E851CBA0

Function 00BD8320 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00E8957C), ref: 00BD835C
GetCurrentThreadId.KERNEL32 ref: 00BD8370
LeaveCriticalSection.KERNEL32(00E8957C), ref: 00BD83AF

Strings

rw, xrefs: 00BD83AF

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread
String ID: rw
API String ID: 2351996187-1192573183
Opcode ID: 36278f63f47552fd8d3078d0be92d99f20bbae23165b96bcbc01f82d819871ad
Instruction ID: cf92a103643b95a303adc61851883c426e5b9065c8e6dce832183359ce11196e
Opcode Fuzzy Hash: 36278f63f47552fd8d3078d0be92d99f20bbae23165b96bcbc01f82d819871ad
Instruction Fuzzy Hash: 6411AC31E043149FCB118F19D81476AFBE4EB48B21F14469AE81AA3390DB7099008BA4

Function 00BE7710 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

GetParent.USER32(00000005), ref: 00BE7784

Strings

DX, xrefs: 00BE779A
C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00BE7759
d, xrefs: 00BE7750

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Parent
String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$DX$d
API String ID: 975332729-1206192860
Opcode ID: 1d73c5da090366ac8c57f94f1d16fe264ca375037f9c329400d2c89245a7f59c
Instruction ID: 0cb7d197d5c27e45cc0e68144aa85469d1a8c3d7b68c85a0349984c0656b4ef6
Opcode Fuzzy Hash: 1d73c5da090366ac8c57f94f1d16fe264ca375037f9c329400d2c89245a7f59c
Instruction Fuzzy Hash: B0213870D09288EFDB00DFE4C958BDDBBB1BF55308F608198E505BB295DBB95A08DB41

Function 00BD266B Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00BD26D9

Strings

d, xrefs: 00BD26AB
DX, xrefs: 00BD26EF
C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00BD26B4

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$DX$d
API String ID: 2558294473-825145886
Opcode ID: 3aa09e7022e839569760518f15ac0378ef42e0562ead2eb1aa00eed4ad680d58
Instruction ID: 211e2f34fadce7fe720863861278216e30a31f73af2ff4aa4212f883206fe8ac
Opcode Fuzzy Hash: 3aa09e7022e839569760518f15ac0378ef42e0562ead2eb1aa00eed4ad680d58
Instruction Fuzzy Hash: 6B214770E05298EFCF00DBE4D958B9DBBB1BF55304F604088E105BB395EBB95A08DB51

Function 00BE77EB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

GetParent.USER32(0000000D), ref: 00BE785C

Strings

DX, xrefs: 00BE7872
C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00BE782F
d, xrefs: 00BE7826

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Parent
String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$DX$d
API String ID: 975332729-1206192860
Opcode ID: de2446a45eb1cc6a0aa4aadc4778ca2fd5cd8e4f725687866aa125d4ff2b33c6
Instruction ID: 7540a6027a53199d76001f3287792d9b5692b0f5829aa92b393f42cb10c93864
Opcode Fuzzy Hash: de2446a45eb1cc6a0aa4aadc4778ca2fd5cd8e4f725687866aa125d4ff2b33c6
Instruction Fuzzy Hash: 7C213570E05288EFDB00DFE5C958BDDBBB1BF54308F608198E005BB295DBB95A48DB41

Function 00BD2A59 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00BD2ACA

Strings

C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00BD2AA5
d, xrefs: 00BD2A99
DX, xrefs: 00BD2AE0

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$DX$d
API String ID: 2558294473-825145886
Opcode ID: 3bdbf1c45ab74dd6493ad5008f28fc6ff6f9c1a07ef2eaae5ae0050f3fb703ae
Instruction ID: 2514b351cbef43128832298bb4069cf4eca8cf0d16175393eb4eadb08ad00049
Opcode Fuzzy Hash: 3bdbf1c45ab74dd6493ad5008f28fc6ff6f9c1a07ef2eaae5ae0050f3fb703ae
Instruction Fuzzy Hash: 55214770E05298EFCB00DFE4D95879DBBB1BF55304F608088E005BB395EBB95A09DB51

Function 00BD2740 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00BD27AB

Strings

DX, xrefs: 00BD27C1
C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00BD2784
d, xrefs: 00BD277B

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$DX$d
API String ID: 2558294473-825145886
Opcode ID: bd1bd13cae63b7af972c33fdffcbc401341cb1162c75404ede57833dfa52002a
Instruction ID: 4f70ab1c23f6576ead04175ce2015a989d0d7008a7a3ddea8d5d15db70966577
Opcode Fuzzy Hash: bd1bd13cae63b7af972c33fdffcbc401341cb1162c75404ede57833dfa52002a
Instruction Fuzzy Hash: 4A215630E05288EECB04CBE4D9587DDBBB0AF55308F608098E005BB395EBB54A08EB51

Function 00BD2B31 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00BD2B9F

Strings

C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00BD2B78
DX, xrefs: 00BD2BB5
d, xrefs: 00BD2B6C

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$DX$d
API String ID: 2558294473-825145886
Opcode ID: 2106c393b6d7e729682619a11d4170a655dbad76e5db1e8bf38c4e7d38d0034a
Instruction ID: eb016eab790104b330797fc339fc50b2c534e028e49586ca93154df3ba9ee871
Opcode Fuzzy Hash: 2106c393b6d7e729682619a11d4170a655dbad76e5db1e8bf38c4e7d38d0034a
Instruction Fuzzy Hash: 6D213870E05288EEDB04DFE4C9587DDBBB0BF95308F608198E1057B395EBB54A08DB51

Function 00D72220 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D7222C
__Mtx_unlock.LIBCPMT ref: 00D7226B
__Cnd_broadcast.LIBCPMT ref: 00D72273

Strings

Pz, xrefs: 00D72227

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Cnd_broadcastCurrentMtx_unlockThread
String ID: Pz
API String ID: 2021000804-2390790901
Opcode ID: 543047b66e529a36b0dfc4e3a729106e9a742e558e270989bfd306bb952438c7
Instruction ID: d83b454745ec1e7013614eb135797a32ae2299ec9e6b9307a9970bc698d8075f
Opcode Fuzzy Hash: 543047b66e529a36b0dfc4e3a729106e9a742e558e270989bfd306bb952438c7
Instruction Fuzzy Hash: 9C01B131600742DFDB259BA5C4516BEB3A5EF41351F69843AE45DA7202FB31ED00D7B0

Function 00D7942C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00D793DD,?,?,00000000,?,?,?,00D79507,00000002,FlsGetValue,00DFB154,00DFB15C), ref: 00D79439
GetLastError.KERNEL32(?,00D793DD,?,?,00000000,?,?,?,00D79507,00000002,FlsGetValue,00DFB154,00DFB15C,?,?,00D76324), ref: 00D79443
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00D7946B

Strings

api-ms-, xrefs: 00D79450

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 121b54e267bd5d6d316c623766d4cc0ad181bd4184510ab3fbf38188e0137944
Instruction ID: 0212bfe9e5be36e484d25058a4a9926093fb8c6a062deda2832c67bdccf16660
Opcode Fuzzy Hash: 121b54e267bd5d6d316c623766d4cc0ad181bd4184510ab3fbf38188e0137944
Instruction Fuzzy Hash: 09E04F7168030CBBEF201F60FC26B68BB599B10B54F14C021FA4DE81E0FB61EA51C579

Function 00BE6560 Relevance: 6.3, APIs: 4, Instructions: 320windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00BE66A8
SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00BE66BD

Part of subcall function 00BC9980: RtlAllocateHeap.NTDLL(?,00000000,?,D02C6D11,00000000,00D9C6B0,000000FF,?,?,00E7C42C,00000000,00D1ECDB,80004005,D02C6D11,?,?), ref: 00BC99CA

Part of subcall function 00CBA0B0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00BE66F8,00000000,80004005), ref: 00CBA118
Part of subcall function 00CBA0B0: RedrawWindow.USER32(?,00000000,00000000,00000541,?,?,?,000000EF,?,00BE66F8,00000000,80004005), ref: 00CBA129
Part of subcall function 00CBA0B0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CBA148

SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00BE67F3
SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00BE68EF

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend$Window$AllocateHeapRedraw
String ID:
API String ID: 884508843-0
Opcode ID: ab3ef47878928d835327aee21a2af2f5745920bf4b2298096e74b2aeb63216f7
Instruction ID: dade65ca4836561c9ccac696bac9a68e9e6f6148a2a7ba9cbc182893fb27d40c
Opcode Fuzzy Hash: ab3ef47878928d835327aee21a2af2f5745920bf4b2298096e74b2aeb63216f7
Instruction Fuzzy Hash: E3C1AE71A00249DFDB18CFA9C889BEEFBF5FF58314F144259E415AB290DB74A944CBA0

Function 00BD49D0 Relevance: 6.3, APIs: 4, Instructions: 269memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 00BD4A9A
SysFreeString.OLEAUT32(00000000), ref: 00BD4AE6
SysFreeString.OLEAUT32(00000000), ref: 00BD4B08
SysFreeString.OLEAUT32(00000000), ref: 00BD4C63

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: a95a2520dcdba4b309de6fb197d364c1b5c8b5c5abc6ba96c5e95fe15ad6d758
Instruction ID: 66c9fd242190d0b13025c6210a419913d20753683f185e010c9d11a8aab4423d
Opcode Fuzzy Hash: a95a2520dcdba4b309de6fb197d364c1b5c8b5c5abc6ba96c5e95fe15ad6d758
Instruction Fuzzy Hash: FFA18F71A002099FDB14DFA8C844BAEFBF8EF48714F14825AE515E7390E774AA05CBA1

Function 00BF0050 Relevance: 6.2, APIs: 4, Instructions: 246windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000001,0000110A,00000004,?), ref: 00BF0125
SendMessageW.USER32(00000001,0000110A,00000001,00000000), ref: 00BF0157
SendMessageW.USER32(?,0000110A,00000004,?), ref: 00BF02CE
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00BF02F6

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8c05d02c07d9233fb437059089f36ea4c90776fbd7bc3c091eb58262117a7990
Instruction ID: 109c3308a7855fe603a237a509833d1ff56274a548e8ed9ce86f6f8181b7290c
Opcode Fuzzy Hash: 8c05d02c07d9233fb437059089f36ea4c90776fbd7bc3c091eb58262117a7990
Instruction Fuzzy Hash: EA916F71A10209DFCB15EF68D884BFEB7F5FF49310F0445A9E605A72A2DB70A949CB60

Function 00CEAAD0 Relevance: 6.2, APIs: 4, Instructions: 199COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00CEAC21
GetForegroundWindow.USER32(?,?,?,000000FF,?,00CF30B9), ref: 00CEAC31
SetForegroundWindow.USER32(00000000), ref: 00CEAC6B

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

OutputDebugStringW.KERNEL32(?,D02C6D11,?,?,?,000000FF,?,00CF30B9,?), ref: 00CEACBF

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Window$ForegroundInit_thread_footer$ActiveDebugHeapOutputProcessString
String ID:
API String ID: 1401059542-0
Opcode ID: 98a170470d9ac79bcde4f4ecf9aa634efb5631db7e65ac9129069e55772aeaaf
Instruction ID: 66479a4dfe203305396902f401ddfdd38870ab5da59b1e418a541a3fbd5e243e
Opcode Fuzzy Hash: 98a170470d9ac79bcde4f4ecf9aa634efb5631db7e65ac9129069e55772aeaaf
Instruction Fuzzy Hash: B9612471A006459FDB04DF6DC8087AEBBF5EF45310F2482ADE825A7391EB35AE00CB91

Function 00BDF260 Relevance: 6.2, APIs: 4, Instructions: 183windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,00000000), ref: 00BDF2F9
GetParent.USER32(?), ref: 00BDF319
SendMessageW.USER32(00000000,00000135,?,?), ref: 00BDF329
FillRect.USER32(?,00000000,00000000), ref: 00BDF337

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Rect$ClientFillMessageParentSend
String ID:
API String ID: 425900729-0
Opcode ID: 55878d40fee1dbf25605622c2cfb47b46d32b989d6d8fceb051e8e581109009b
Instruction ID: 9406e9146bcd29f6b7e68d645217d5de05d8489df2a88dc467191f06a7e9090a
Opcode Fuzzy Hash: 55878d40fee1dbf25605622c2cfb47b46d32b989d6d8fceb051e8e581109009b
Instruction Fuzzy Hash: DA811970905259DFDB15CF65C948BAABBF4FF08304F1081E9E549A7251D770AE94CF50

Function 00BDD470 Relevance: 6.2, APIs: 4, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00BDD5A8
SysAllocString.OLEAUT32(00000000), ref: 00BDD5BB
VariantClear.OLEAUT32(00000000), ref: 00BDD5DD
VariantClear.OLEAUT32(?), ref: 00BDD60E

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ClearVariant$AllocString
String ID:
API String ID: 2502263055-0
Opcode ID: d51c7dcf6694f34dec75cf55cb460af497f40a2caa4ee3cc354ed5c30bf3a818
Instruction ID: b3f6cce6761daa03e626e38c678c462395c41ea3b0fbdab003bf47582da302a8
Opcode Fuzzy Hash: d51c7dcf6694f34dec75cf55cb460af497f40a2caa4ee3cc354ed5c30bf3a818
Instruction Fuzzy Hash: E85171B5A002189BDB10CF64DC40B99F7F8EF48714F1085EAEA59EB341E735E9848F94

Function 00D0ACF0 Relevance: 6.2, APIs: 4, Instructions: 157registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,D02C6D11), ref: 00D0AD66
_wcsrchr.LIBVCRUNTIME ref: 00D0AD90
RegQueryValueExW.ADVAPI32(00000000,D02C6D11,00000000,00000000,00000000,00000000,D02C6D11,00000001,?,00000000,00000000), ref: 00D0AE13
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00D0AE5F

Part of subcall function 00D0AC10: RegOpenKeyExW.ADVAPI32(00000000,D02C6D11,00000000,00020019,00000002,D02C6D11,00000001,00000010,00000002,00D09F3C,D02C6D11,00000000,00000000), ref: 00D0ACAC

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Close$OpenQueryValue_wcsrchr
String ID:
API String ID: 213811329-0
Opcode ID: 29d67a6ccef2b410c16a6da5fc232aedd1c66f921410fc71560ea89dd901a9e9
Instruction ID: d6efd504d17de32bc43450f6b25565cbd55843e506e55f57658866fd69a0a4a2
Opcode Fuzzy Hash: 29d67a6ccef2b410c16a6da5fc232aedd1c66f921410fc71560ea89dd901a9e9
Instruction Fuzzy Hash: B451F471A013499FDB10CF68C94579EFBB8EF45720F14826AEC28AB3D0D7749A04CBA1

Function 00BF37F0 Relevance: 6.1, APIs: 4, Instructions: 107windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000C5,?,00000000), ref: 00BF383B
GetClientRect.USER32(?,?), ref: 00BF386D
GetDC.USER32(?), ref: 00BF3880
GetDeviceCaps.GDI32(00000000), ref: 00BF3887

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CapsClientDeviceMessageRectSend
String ID:
API String ID: 3507044913-0
Opcode ID: 471acb6733d2c92cac1561a899a468ff4bc7c75995c0723c73839eefa378291b
Instruction ID: b810afd5a16f3185f90420dc8af60e53a08f18ec877d90c87a7b27ed07c0a2fd
Opcode Fuzzy Hash: 471acb6733d2c92cac1561a899a468ff4bc7c75995c0723c73839eefa378291b
Instruction Fuzzy Hash: 284181316043049FD721DF39CC46F9AB7E4EF89300F108A29F589E71A0EB71A948CB52

Function 00D24C50 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D24C9A
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D24CAD
GetDC.USER32(00000000), ref: 00D24D07
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D24D1A

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CapsDevice
String ID:
API String ID: 328075279-0
Opcode ID: 3eef1edb3d602c019acf0dfe45b36180dea30ebdf1eb432a53c7d8aa792393bb
Instruction ID: 4e6bfc038e4fec717107a843a86034e0fc4d34deb74d0c1dd00a4a149b871252
Opcode Fuzzy Hash: 3eef1edb3d602c019acf0dfe45b36180dea30ebdf1eb432a53c7d8aa792393bb
Instruction Fuzzy Hash: B331D0B1904A14AFD712CF75DC46B6ABBB8FF193A4F108326E415F3281EB30A845CB60

Function 00BD5660 Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00BD5714
IsChild.USER32(?,00000000), ref: 00BD571E
GetWindow.USER32(?,00000005), ref: 00BD572D
SetFocus.USER32(00000000), ref: 00BD5734

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Focus$ChildWindow
String ID:
API String ID: 501040988-0
Opcode ID: ed48668d0b5913efda81de7da8d0015a10c55148241ab99f53b7d1568eb2f7c3
Instruction ID: b6019d9f8bbe1dfa83bad3df7446e90eeeac38503177b10e8b66c2884119e99e
Opcode Fuzzy Hash: ed48668d0b5913efda81de7da8d0015a10c55148241ab99f53b7d1568eb2f7c3
Instruction Fuzzy Hash: 9F316B71600A06EFDB15CF68CD49BA6F7B9FF49710F20426AE529D7290EB71AC14CB50

Function 00BE29D0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,D02C6D11), ref: 00BE2A3A
EnterCriticalSection.KERNEL32(?,D02C6D11), ref: 00BE2A47
LeaveCriticalSection.KERNEL32(?), ref: 00BE2A98

Strings

rw, xrefs: 00BE2A98

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: rw
API String ID: 3991485460-1192573183
Opcode ID: 9b03882fc5c779c56c76537faf5e3cdaafd57c6b9ecf7dc2360f3fef2fd23da7
Instruction ID: 197e6cd03ab80c51565ddbddea10e9f8a9e9e2167ac9256b2e3933022d69852f
Opcode Fuzzy Hash: 9b03882fc5c779c56c76537faf5e3cdaafd57c6b9ecf7dc2360f3fef2fd23da7
Instruction Fuzzy Hash: 5821D376D002849FDF11DF64C840BE9BBB8FF16324F5001A9EC59AB392C7315906CB60

Function 00BE2AC0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,D02C6D11), ref: 00BE2B2A
EnterCriticalSection.KERNEL32(?,D02C6D11), ref: 00BE2B37
LeaveCriticalSection.KERNEL32(?), ref: 00BE2B7E

Strings

rw, xrefs: 00BE2B7E

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: rw
API String ID: 3991485460-1192573183
Opcode ID: f198ff7eb90edb0230f8fdea499f30ef7150a91a30e5a4606e542ca61a84cae9
Instruction ID: 8b622954aae8c31ccb82b3bbbf860af7f6be9830b110a18541873aa48d78f575
Opcode Fuzzy Hash: f198ff7eb90edb0230f8fdea499f30ef7150a91a30e5a4606e542ca61a84cae9
Instruction Fuzzy Hash: 7821B076D003449FDF11CF24C840BA9BBB8FF1A324F1005A9ED59AB392D732A905CBA0

Function 00BE2910 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,D02C6D11,?), ref: 00BE296D
EnterCriticalSection.KERNEL32(?,D02C6D11,?), ref: 00BE297A
LeaveCriticalSection.KERNEL32(?), ref: 00BE29A2

Strings

rw, xrefs: 00BE29A2

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: rw
API String ID: 3991485460-1192573183
Opcode ID: 0c11d5ae982a8b9a05a15f1794a057af36493a444a0a7c3869b9b7aa48212fe1
Instruction ID: de03ed210f1fe0561c9f1dc083e0f33ac239dbf0fdb3262f736306123f94c092
Opcode Fuzzy Hash: 0c11d5ae982a8b9a05a15f1794a057af36493a444a0a7c3869b9b7aa48212fe1
Instruction Fuzzy Hash: 8621E97AD043899FDF01CF64C840BE9BBB8FF56324F5042A9D855AB352C7325A09CBA0

Function 00BD3060 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 231windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 00BD30D6
SendMessageW.USER32(?,00000000,00000000), ref: 00BD31D2

Part of subcall function 00BD4BC0: SysFreeString.OLEAUT32(00000000), ref: 00BD4C63

Strings

AtlAxWin140, xrefs: 00BD30CE

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: CreateFreeMessageSendStringWindow
String ID: AtlAxWin140
API String ID: 4045344427-3842940177
Opcode ID: 1b49d4920bc50984fddbbcaccc424c22fa295dec1dc28c33de971ead85c554f0
Instruction ID: 25da32053c87f993519509f3e791e202ae595071211321a8926d49c1ec4f7359
Opcode Fuzzy Hash: 1b49d4920bc50984fddbbcaccc424c22fa295dec1dc28c33de971ead85c554f0
Instruction Fuzzy Hash: 3B910674600205EFDB14DF68C888B5ABBF9FF48714F1085A9F919AB391D771EA05CB60

Function 00D8871D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00D887AD

Strings

pow, xrefs: 00D88785, 00D887A2

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: ae803845a94bf0ea240f351b94e122186543d07456f839ef8fa92e01971d505b
Instruction ID: 8b6f65ea3a364001d75b894c33361501abd55cf99e8e97a1019d7c376640de99
Opcode Fuzzy Hash: ae803845a94bf0ea240f351b94e122186543d07456f839ef8fa92e01971d505b
Instruction Fuzzy Hash: 15515C71A09202A6DF117B54DD0137A3BB4EB50740FB88D68E4D5822E9EF34CC95EBB6

Function 00CCD5D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 192COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,D02C6D11), ref: 00CCD671

Strings

\\?\, xrefs: 00CCD7B3, 00CCD7DE
\\?\UNC\, xrefs: 00CCD698, 00CCD6F9

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: 2a09a56c09e7bc65e92498c13a1a3336ba879e937d479fbf2431d7893013d89b
Instruction ID: 7ab3061e9ec6b73d83b1fd8166da40a06aa030739dc25dcc3d58b518add76c60
Opcode Fuzzy Hash: 2a09a56c09e7bc65e92498c13a1a3336ba879e937d479fbf2431d7893013d89b
Instruction Fuzzy Hash: F061C3719002049FDB14DF68C885FAEB7F5FF94304F10852DE856A7281EB75A945CBA1

Function 00D0CB90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

CloseHandle.KERNEL32(?,D02C6D11,000000C9,00000000), ref: 00D0CD13
DeleteCriticalSection.KERNEL32(?,D02C6D11,000000C9,00000000), ref: 00D0CDA1

Strings

<< Advanced Installer (x86) Log >>, xrefs: 00D0CC7F

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
String ID: << Advanced Installer (x86) Log >>
API String ID: 3699736680-396061572
Opcode ID: d6f131375e40a1df705aa0ff7afc86463218a0fb7102af0e6d2005b6914c921f
Instruction ID: 6d620718cff9ac37ff8cd027e0dcd52b6ee56d79d6ec2ba99aaa215b0c8de23d
Opcode Fuzzy Hash: d6f131375e40a1df705aa0ff7afc86463218a0fb7102af0e6d2005b6914c921f
Instruction Fuzzy Hash: D461D170900685DFDB01CF68C949B9EBBF4EF45314F1882ADE408AB792DB759908CBA0

Function 00D13110 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC9CC0: GetProcessHeap.KERNEL32 ref: 00BC9D15
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9D47
Part of subcall function 00BC9CC0: __Init_thread_footer.LIBCMT ref: 00BC9DD2

GetLastError.KERNEL32(?,00000000,FTP Server,0000000A), ref: 00D13194
WaitForSingleObject.KERNEL32(?,0000000A,?,00000000,FTP Server,0000000A), ref: 00D131CD

Strings

REST %u, xrefs: 00D13161

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Init_thread_footer$ErrorHeapLastObjectProcessSingleWait
String ID: REST %u
API String ID: 1670056567-3183379045
Opcode ID: 051a00d1e73ebb003c33a290e6d55b752c0ecfbd4c947b346c80b21b67f6b328
Instruction ID: a1cfa086085a94ad01c012d9834fda65569ecb2220bc8ad677edf1925342df04
Opcode Fuzzy Hash: 051a00d1e73ebb003c33a290e6d55b752c0ecfbd4c947b346c80b21b67f6b328
Instruction Fuzzy Hash: C6511531600704BFD710DB68DC84BAAB7E5FF41320F188669E4558B6A1DB71EE84CB60

Function 00D2F900 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00000000,00000000,00000000,_pbl_evt,00000008,?,?,00E1BE58,00000001,D02C6D11,00000000), ref: 00D2F9AE
CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 00D2F9CB

Strings

_pbl_evt, xrefs: 00D2F982

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Event$CreateOpen
String ID: _pbl_evt
API String ID: 2335040897-4023232351
Opcode ID: 15e74c7a6fd4df7b4b9d41fb938009aaca34818fb3f779e0ff47aba59830ea76
Instruction ID: 1191cbd3ee7d7cae56fea393a55bf2f041a25c3cb5776344c2f1b22a6bc3c97f
Opcode Fuzzy Hash: 15e74c7a6fd4df7b4b9d41fb938009aaca34818fb3f779e0ff47aba59830ea76
Instruction Fuzzy Hash: CC516B71D00258AFDB10DFA8DD45BEEB7B8EF14714F108269E515B7280EB746A04CBA4

Function 00CE3620 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,D02C6D11,00E1B190), ref: 00CE3678
LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 00CE3782

Part of subcall function 00CD3110: std::locale::_Init.LIBCPMT ref: 00CD31ED

Part of subcall function 00CD0BA0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00CD0C75

Strings

Failed to get Windows error message [win32 error 0x, xrefs: 00CE3696

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: FormatFreeInitIos_base_dtorLocalMessagestd::ios_base::_std::locale::_
String ID: Failed to get Windows error message [win32 error 0x
API String ID: 1983821583-3373098694
Opcode ID: ccb52e71ba0fe2b52727c87413c3286a5d65c7729e79d18f5dbb6e605db89eac
Instruction ID: 6fc0a82bced062df8995d661a6eba3567247cd93379fc377be1315f7cf902f47
Opcode Fuzzy Hash: ccb52e71ba0fe2b52727c87413c3286a5d65c7729e79d18f5dbb6e605db89eac
Instruction Fuzzy Hash: 75416BB0A003499BDB10DF69C909BAEBBF9EF44704F104599E555EB390D7B4AB08CB91

Function 00C05300 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C0532B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00C0538E

Strings

bad locale name, xrefs: 00C053B1

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 1742907032c59c7fe244c88c74bb1bc136e18704be1ecbd79da33300c264a892
Instruction ID: 85928666d2a7e1eef5e639891402bb8d01b2688983fa7e71d6cad3ac2cecfad1
Opcode Fuzzy Hash: 1742907032c59c7fe244c88c74bb1bc136e18704be1ecbd79da33300c264a892
Instruction Fuzzy Hash: 6121ED70A05B84DFDB20CF68C900B5BBBF4AF15300F14869DE4999BB81D3B5AA04CBA1

Function 00BE78C3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetParent.USER32(00000013), ref: 00BE78F6

Strings

C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00BE78DB
Unknown exception, xrefs: 00BE78CB

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: Parent
String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
API String ID: 975332729-9186675
Opcode ID: 6fe6e87502ee88cb5dc72cd2ee9f152be3702e35cc68929c4eaaed3a1ae8a2cc
Instruction ID: acb28cf77c11a98df3bab392b8961799623d91f6283879d618441a4329c19dcd
Opcode Fuzzy Hash: 6fe6e87502ee88cb5dc72cd2ee9f152be3702e35cc68929c4eaaed3a1ae8a2cc
Instruction Fuzzy Hash: E7018430D05288EFDF00DBE4C915ADDBFB0AF55304F548198E4027B296DBB55E08EB91

Function 00BD2C06 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00BD2C36

Strings

C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00BD2C21
Unknown exception, xrefs: 00BD2C0E

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
API String ID: 2558294473-2631306498
Opcode ID: 7ab48373b555f192c71dcd8d26b7415bb17d3fafb4d3c51cd50565e56611b335
Instruction ID: 62f917a524c00dfaf6f9f40d665ed08685f7d9c40515aadb3c495e75bc83f745
Opcode Fuzzy Hash: 7ab48373b555f192c71dcd8d26b7415bb17d3fafb4d3c51cd50565e56611b335
Instruction Fuzzy Hash: 04014030E05288EBDB05EBE8C955ADEBBB06F55304F54819CD0417B396EBB45A08DB91

Function 00BD2812 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00BD283F

Strings

C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00BD282A
Unknown exception, xrefs: 00BD281A

Memory Dump Source

Source File: 00000000.00000002.1915567716.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1915536183.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915759610.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915836764.0000000000E81000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915869630.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915898746.0000000000E87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1915925796.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_ZwmyzMxFKL.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
API String ID: 2558294473-2631306498
Opcode ID: 4756e10c99ee1ed3f10eb7a755bdd3fca07f2ef63ff1171853a0b1aec81294c8
Instruction ID: 5247136d5a07d19caeaf6581d2d6c31ab5b8801d56a7dbd69b6bcd6dace7b3e1
Opcode Fuzzy Hash: 4756e10c99ee1ed3f10eb7a755bdd3fca07f2ef63ff1171853a0b1aec81294c8
Instruction Fuzzy Hash: 02015230E05288EBDB05DBE4C959BDDBFB06F55304F54419CE0427B396DBB45A08DB92

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZwmyzMxFKL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\5b15e0.rbs

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGXlong.sys

C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU

C:\Program Files (x86)\DnLIMGKCARTO\408dd7481cc3.KWR

C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX

C:\Program Files (x86)\DnLIMGKCARTO\7z.dll

C:\Program Files (x86)\DnLIMGKCARTO\MiniUI.dll

C:\Program Files (x86)\DnLIMGKCARTO\NetDefender.dll

C:\Program Files (x86)\DnLIMGKCARTO\NetDiagDll.dll

C:\Program Files (x86)\DnLIMGKCARTO\NetSpeed.dll

C:\Program Files (x86)\DnLIMGKCARTO\Netgm.dll

C:\Program Files (x86)\DnLIMGKCARTO\NetmLogin.dll

C:\Program Files (x86)\DnLIMGKCARTO\NetmTray.dll

C:\Program Files (x86)\DnLIMGKCARTO\NetmTray64.dll

C:\Program Files (x86)\DnLIMGKCARTO\NetmonEP.dll

C:\Program Files (x86)\DnLIMGKCARTO\NewKernel.dll

Windows Analysis Report
ZwmyzMxFKL.exe

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre